From: Matthias Kaehlcke <mka@chromium.org>
To: Stephen Boyd <swboyd@chromium.org>
Cc: Andy Gross <agross@kernel.org>, Ohad Ben-Cohen <ohad@wizery.com>,
Sibi Sankar <sibis@codeaurora.org>,
Sujit Kautkar <sujitka@chromium.org>,
Bjorn Andersson <bjorn.andersson@linaro.org>,
linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org,
Mathieu Poirier <mathieu.poirier@linaro.org>
Subject: Re: [PATCH v4] rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev
Date: Wed, 8 Dec 2021 17:15:19 -0800 [thread overview]
Message-ID: <YbFYp71DhBNW7trt@google.com> (raw)
In-Reply-To: <CAE-0n53JAzTAPsWS6c5wmYoWgAwxQgzTqEP65JnFT6AeMu0rbQ@mail.gmail.com>
On Wed, Dec 08, 2021 at 05:05:29PM -0800, Stephen Boyd wrote:
> Quoting Matthias Kaehlcke (2021-12-08 12:52:28)
> > From: Sujit Kautkar <sujitka@chromium.org>
> >
> > From: Sujit Kautkar <sujitka@chromium.org>
>
> This is here twice. Remove one?
Ah, forgot that tools add that automatically and added a manual entry.
Ohad/Bjorn/Mathieu: assuming there are no other comments, do you want me
to resend this patch or can you remove the extra tag when applying it?
> > struct rpmsg_ctrldev contains a struct cdev. The current code frees
> > the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the
> > cdev is a managed object, therefore its release is not predictable
> > and the rpmsg_ctrldev could be freed before the cdev is entirely
> > released, as in the backtrace below.
> >
> > [ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c
> > [ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0
> > [ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v
> > [ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26
> > [ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)
> > [ 93.730055] Workqueue: events kobject_delayed_cleanup
> > [ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)
> > [ 93.740216] pc : debug_print_object+0x13c/0x1b0
> > [ 93.744890] lr : debug_print_object+0x13c/0x1b0
> > [ 93.749555] sp : ffffffacf5bc7940
> > [ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000
> > [ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000
> > [ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000
> > [ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0
> > [ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0
> > [ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0
> > [ 93.785814] x17: 0000000000000000 x16: dfffffd000000000
> > [ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c
> > [ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000
> > [ 93.802244] x11: 0000000000000001 x10: 0000000000000000
> > [ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900
> > [ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000
> > [ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000
> > [ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001
> > [ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061
> > [ 93.835104] Call trace:
> > [ 93.837644] debug_print_object+0x13c/0x1b0
> > [ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0
> > [ 93.846987] debug_check_no_obj_freed+0x18/0x20
> > [ 93.851669] slab_free_freelist_hook+0xbc/0x1e4
> > [ 93.856346] kfree+0xfc/0x2f4
> > [ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8
> > [ 93.864445] device_release+0x84/0x168
> > [ 93.868310] kobject_cleanup+0x12c/0x298
> > [ 93.872356] kobject_delayed_cleanup+0x10/0x18
> > [ 93.876948] process_one_work+0x578/0x92c
> > [ 93.881086] worker_thread+0x804/0xcf8
> > [ 93.884963] kthread+0x2a8/0x314
> > [ 93.888303] ret_from_fork+0x10/0x18
> >
> > The cdev_device_add/del() API was created to address this issue
> > (see commit 233ed09d7fda), use it instead of cdev add/del().
> >
> > Signed-off-by: Sujit Kautkar <sujitka@chromium.org>
> > Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
> > ---
>
> Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Thanks!
next prev parent reply other threads:[~2021-12-09 1:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-08 20:52 [PATCH v4] rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev Matthias Kaehlcke
2021-12-09 1:05 ` Stephen Boyd
2021-12-09 1:15 ` Matthias Kaehlcke [this message]
2021-12-13 17:32 ` Mathieu Poirier
2022-01-07 19:44 ` Matthias Kaehlcke
2022-01-07 23:57 ` Bjorn Andersson
2022-01-08 1:19 ` Matthias Kaehlcke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YbFYp71DhBNW7trt@google.com \
--to=mka@chromium.org \
--cc=agross@kernel.org \
--cc=bjorn.andersson@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-remoteproc@vger.kernel.org \
--cc=mathieu.poirier@linaro.org \
--cc=ohad@wizery.com \
--cc=sibis@codeaurora.org \
--cc=sujitka@chromium.org \
--cc=swboyd@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.