From: Alexey Khoroshilov <khoroshilov@ispras.ru>
To: David Fries <David@Fries.net>
Cc: Evgeniy Polyakov <zbr@ioremap.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org
Subject: Re: [PATCH] w1: do not unlock unheld list_mutex in __w1_remove_master_device()
Date: Wed, 07 May 2014 01:42:12 +0400 [thread overview]
Message-ID: <53695734.9040302@ispras.ru> (raw)
In-Reply-To: <20140501034759.GG5096@spacedout.fries.net>
On 01.05.2014 07:48, David Fries wrote:
> On Thu, May 01, 2014 at 12:37:58AM +0400, Alexey Khoroshilov wrote:
>> w1_process_callbacks() expects to be called with dev->list_mutex held,
>> but it is the fact only in w1_process(). __w1_remove_master_device()
>> calls w1_process_callbacks() after it releases list_mutex.
>>
>> The patch fixes __w1_remove_master_device() to acquire list_mutex
>> for w1_process_callbacks(). It is implemented by moving
>> w1_process_callbacks() functionality to __w1_process_callbacks()
>> and adding a wrapper with the old name.
> Good catch. I guess as it was in the shutdown path it failed the
> unlock silently.
>
> I would prefer a different fix. If w1_process_callbacks was more of a
> public facing API called from multiple locations where the caller
> doesn't have access to the locks, something like this would probably
> be the way to go. This is called from two areas of the code, and not
> likely to be called from any new areas in the future.
>
> Adding a documentation comment is good. I would be tempted in
> __w1_remove_master_device to move the dev->list_mutex down after the
> while loop, but I can't be sure that whatever has a refcnt wouldn't
> need list_mutex. The last w1_process_callbacks after the while loop
> shouldn't be needed I wouldn't think, I was just being defensive.
I do not understand all the details, but I am not sure.
refcnt can became 0, but that does not mean all callbacks have been
processed because they can be added before refcnt decrement but after
previous w1_process_callbacks invocation.
> By
> the time it completes the while loop the reference count is 0 so there
> shouldn't be anything left for it to process and if there is, it's a
> race condition and game over anyway. So just sandwich
> w1_process_callbacks with the lock/unlock in
> __w1_remove_master_device please.
Done.
Another suspicious question for me is how safe is it to call
wake_up_process(dev->thread);
after
kthread_stop(dev->thread);
?
>> Found by Linux Driver Verification project (linuxtesting.org).
> Was this found with code inspection or hardware testing with lock
> debugging enabled?
It was found by static verification tools developed within Linux Driver
Verification project.
Best regards,
Alexey
next prev parent reply other threads:[~2014-05-06 21:42 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-30 20:37 [PATCH] w1: do not unlock unheld list_mutex in __w1_remove_master_device() Alexey Khoroshilov
2014-04-30 20:45 ` Alexey Khoroshilov
2014-05-01 3:48 ` David Fries
2014-05-06 21:26 ` [PATCH v2] " Alexey Khoroshilov
2014-05-06 23:49 ` David Fries
2014-05-06 23:51 ` zbr
2014-05-06 21:42 ` Alexey Khoroshilov [this message]
2014-05-06 23:49 ` [PATCH] " David Fries
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53695734.9040302@ispras.ru \
--to=khoroshilov@ispras.ru \
--cc=David@Fries.net \
--cc=gregkh@linuxfoundation.org \
--cc=ldv-project@linuxtesting.org \
--cc=linux-kernel@vger.kernel.org \
--cc=zbr@ioremap.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox