From: Thomas Gleixner
To: Greg KH, Mukesh Ojha
Cc: linux-kernel@vger.kernel.org, sboyd@kernel.org, johannes@sipsolutions.net, rafael@kernel.org
Subject: Re: Possible race in dev_coredumpm()-del_timer() path
References: <2e1f81e2-428c-f11f-ce92-eb11048cb271@quicinc.com> <20220413101639.GA24349@hu-mojha-hyd.qualcomm.com>
Date: Thu, 14 Apr 2022 12:38:13 +0200
Message-ID: <87pmlkdk6i.ffs@tglx>

On Wed, Apr 13 2022 at 12:58, Greg KH wrote:
> On Wed, Apr 13, 2022 at 03:46:39PM +0530, Mukesh Ojha wrote:
>> p1                                        p2(X)
>>
>> dev_coredump()                            uevent sent to userspace
>> device_add()  =========================>  userspace process X reads the uevents
>>                                           writes to devcd fd which
>>                                           results into writes to
>>
>>                                           devcd_data_write()
>>                                             mod_delayed_work()
>>                                               try_to_grab_pending()
>>                                                 del_timer()
>>                                                   debug_assert_init()
>> INIT_DELAYED_WORK
>> schedule_delayed_work
>>                                                     debug_object_fixup()
>
> Why do you have object debugging enabled? That's going to take a LONG
> time, and will find bugs in your code. Perhaps like this one?

It's not finding bugs in his code. It finds a bug in the upstream
dev_coredump code.

> And if you turn object debugging off, what happens?

The debugobject splat goes away, but the problem persists.

  device_add()
    -> uevent
                        Preemption or concurrency:
                            devcd_data_write()
                                mod_delayed_work(..., w, 0);   <- Uninitialized.

The dev_coredump code exposes the device before it is fully initialized
and a write ending up in devcd_data_write() touches uninitialized work.

It does not help to move the initialization before device_add() as that
creates another problem:

  INIT_DELAYED_WORK(w)
  ...
  device_add()
    -> uevent
                        Preemption or concurrency:
                            devcd_data_write()
                                mod_delayed_work(..., w, 0);   <- Schedules work immediately

                                work_queue_runs()
                                    devcd_del(w)
                                      device_del()
                                      put_device()             <- Drops the last reference

  initialization continues...

So, yes, this needs serialization of some sort. Same problem vs.
disabled_store().

Thanks,

        tglx
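The serialization tglx asks for, as an added user-space pthread model of the two orderings above; this is not kernel code and not the upstream fix. It assumes a mutex and three flags on devcd_entry (assumed fields): the mutex is taken before device_add() exposes the entry to "process X" and released only once initialization is complete, and devcd_data_write() takes the same mutex before touching the delayed work, so neither the uninitialized-work write nor the early put_device() can interleave with initialization.

```c
/* Constructed user-space pthread model; not kernel code. devcd->mutex,
 * init_completed, delete_work and bad_write are assumed fields that stand
 * in for the serialization the thread says is missing. */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

struct devcd_entry {
    pthread_mutex_t mutex;  /* serializes dev_coredumpm() vs. writers */
    bool init_completed;    /* INIT_DELAYED_WORK() and the rest of init done */
    bool delete_work;       /* del_wk already scheduled by an earlier writer */
    int refcount;           /* the device reference the entry holds */
    int bad_write;          /* a writer touched an unfinished entry: the race */
};
static struct devcd_entry *published;   /* what the uevent hands to X */

static void devcd_data_write(struct devcd_entry *d)
{
    pthread_mutex_lock(&d->mutex);
    if (!d->init_completed)
        d->bad_write++;     /* would be mod_delayed_work() on uninitialized work */
    if (!d->delete_work) {  /* later writers, e.g. disabled_store(), are no-ops */
        d->delete_work = true;
        d->refcount--;      /* mod_delayed_work(.., 0) -> devcd_del() -> put_device() */
    }
    pthread_mutex_unlock(&d->mutex);
}

static void *userspace_x(void *arg)     /* process X reacting to the uevent */
{
    struct devcd_entry *d;
    while (!(d = __atomic_load_n(&published, __ATOMIC_ACQUIRE)))
        ;                   /* spin until device_add() has published the entry */
    devcd_data_write(d);
    devcd_data_write(d);    /* a second, racing writer */
    return arg;
}

/* Model of dev_coredumpm(): returns 0 if no writer raced with initialization. */
int dev_coredumpm_serialized(void)
{
    struct devcd_entry e = { .mutex = PTHREAD_MUTEX_INITIALIZER, .refcount = 1 };
    pthread_t x;
    published = NULL;
    pthread_mutex_lock(&e.mutex);                       /* before device_add() */
    pthread_create(&x, NULL, userspace_x, NULL);
    __atomic_store_n(&published, &e, __ATOMIC_RELEASE); /* device_add() + uevent */
    e.init_completed = true;                            /* "initialization continues..." */
    pthread_mutex_unlock(&e.mutex);                     /* only now may X proceed */
    pthread_join(x, NULL);
    return (e.bad_write == 0 && e.refcount == 0) ? 0 : -1;
}
```

Dropping the pthread_mutex_lock() before publication reopens the window in which X's write runs against an entry whose initialization has not finished, which is what bad_write counts.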