Re: [PATCH] PM / devfreq: stopping the governor before device_unregister()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Chanwoo Choi <cw00.choi@samsung.com>
To: vincent.donnefort@arm.com, myungjoo.ham@samsung.com,
	kyungmin.park@samsung.com, linux-pm@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: john.reitan@arm.com, beata.michalska@arm.com
Subject: Re: [PATCH] PM / devfreq: stopping the governor before device_unregister()
Date: Fri, 31 Aug 2018 17:52:39 +0900	[thread overview]
Message-ID: <5B8901D7.5040301@samsung.com> (raw)
In-Reply-To: <1535623320-28281-1-git-send-email-vincent.donnefort@arm.com>

Hi,

On 2018년 08월 30일 19:02, vincent.donnefort@arm.com wrote:
> From: Vincent Donnefort <vincent.donnefort@arm.com>
> 
> device_release() is freeing the resources before calling the device
> specific release callback which is, in the case of devfreq, stopping
> the governor.
> 
> It is a problem as some governors are using the device resources. e.g.
> simpleondemand which is using the devfreq deferrable monitoring work. If it
> is not stopped before the resources are freed, it might lead to a use after
> free.
> 
> Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
> Reviewed-by: John Einar Reitan <john.reitan@arm.com>
> 
> diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
> index 4c49bb1..4e43830 100644
> --- a/drivers/devfreq/devfreq.c
> +++ b/drivers/devfreq/devfreq.c
> @@ -534,10 +534,6 @@ static void devfreq_dev_release(struct device *dev)
>  	list_del(&devfreq->node);
>  	mutex_unlock(&devfreq_list_lock);
>  
> -	if (devfreq->governor)
> -		devfreq->governor->event_handler(devfreq,
> -						 DEVFREQ_GOV_STOP, NULL);
> -
>  	if (devfreq->profile->exit)
>  		devfreq->profile->exit(devfreq->dev.parent);
>  
> @@ -672,7 +668,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
>  	list_del(&devfreq->node);
>  	mutex_unlock(&devfreq_list_lock);
>  
> -	device_unregister(&devfreq->dev);
> +	devfreq_remove_device(devfreq);
>  	devfreq = NULL;
>  err_dev:
>  	if (devfreq)
> @@ -693,6 +689,9 @@ int devfreq_remove_device(struct devfreq *devfreq)
>  	if (!devfreq)
>  		return -EINVAL;
>  
> +	if (devfreq->governor)
> +		devfreq->governor->event_handler(devfreq,
> +						 DEVFREQ_GOV_STOP, NULL);
>  	device_unregister(&devfreq->dev);
>  
>  	return 0;
> 

As description of this patch, if devfreq_wq is executed and then execute
the 'devfreq->governor->get_target_freq' between step1 and step2
after already freed the 'dev' related resource, it might happen the problem
because the registered callback of get_target_freq requires the 'dev' resource.

device_unregister(dev)
	step 1. device_del(dev)
		<- if devfreq_wq is executed
	step 2. put_device(dev)
		device_release()
			devfreq_dev_release()
				stop the governor for specific devfreq instance

It looks good to me. Stop the governor before calling device_unregister().
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>				

-- 
Best Regards,
Chanwoo Choi
Samsung Electronics

next prev parent reply	other threads:[~2018-08-31  8:52 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CGME20180830100409epcas3p266dc05fdd02cd2c086a4355e9a481007@epcas3p2.samsung.com>
2018-08-30 10:02 ` [PATCH] PM / devfreq: stopping the governor before device_unregister() vincent.donnefort
2018-08-31  8:52   ` Chanwoo Choi [this message]
2018-09-21 15:40     ` [PATCH v2] PM / devfreq: Stop " vincent.donnefort
2018-09-27  5:20       ` MyungJoo Ham

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5B8901D7.5040301@samsung.com \
    --to=cw00.choi@samsung.com \
    --cc=beata.michalska@arm.com \
    --cc=john.reitan@arm.com \
    --cc=kyungmin.park@samsung.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-pm@vger.kernel.org \
    --cc=myungjoo.ham@samsung.com \
    --cc=vincent.donnefort@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.