From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sujit Kautkar <sujitka@chromium.org>,
Matthias Kaehlcke <mka@chromium.org>,
Mathieu Poirier <mathieu.poirier@linaro.org>,
Bjorn Andersson <bjorn.andersson@linaro.org>,
Stephen Boyd <swboyd@chromium.org>
Subject: [PATCH 4.19 24/86] rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev
Date: Mon, 7 Feb 2022 12:05:47 +0100 [thread overview]
Message-ID: <20220207103758.336261060@linuxfoundation.org> (raw)
In-Reply-To: <20220207103757.550973048@linuxfoundation.org>
From: Sujit Kautkar <sujitka@chromium.org>
commit b7fb2dad571d1e21173c06cef0bced77b323990a upstream.
struct rpmsg_ctrldev contains a struct cdev. The current code frees
the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the
cdev is a managed object, therefore its release is not predictable
and the rpmsg_ctrldev could be freed before the cdev is entirely
released, as in the backtrace below.
[ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c
[ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0
[ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v
[ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26
[ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)
[ 93.730055] Workqueue: events kobject_delayed_cleanup
[ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)
[ 93.740216] pc : debug_print_object+0x13c/0x1b0
[ 93.744890] lr : debug_print_object+0x13c/0x1b0
[ 93.749555] sp : ffffffacf5bc7940
[ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000
[ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000
[ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000
[ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0
[ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0
[ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0
[ 93.785814] x17: 0000000000000000 x16: dfffffd000000000
[ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c
[ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000
[ 93.802244] x11: 0000000000000001 x10: 0000000000000000
[ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900
[ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000
[ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000
[ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001
[ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061
[ 93.835104] Call trace:
[ 93.837644] debug_print_object+0x13c/0x1b0
[ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0
[ 93.846987] debug_check_no_obj_freed+0x18/0x20
[ 93.851669] slab_free_freelist_hook+0xbc/0x1e4
[ 93.856346] kfree+0xfc/0x2f4
[ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8
[ 93.864445] device_release+0x84/0x168
[ 93.868310] kobject_cleanup+0x12c/0x298
[ 93.872356] kobject_delayed_cleanup+0x10/0x18
[ 93.876948] process_one_work+0x578/0x92c
[ 93.881086] worker_thread+0x804/0xcf8
[ 93.884963] kthread+0x2a8/0x314
[ 93.888303] ret_from_fork+0x10/0x18
The cdev_device_add/del() API was created to address this issue (see
commit '233ed09d7fda ("chardev: add helper function to register char
devs with a struct device")'), use it instead of cdev add/del().
Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
Signed-off-by: Sujit Kautkar <sujitka@chromium.org>
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20220110104706.v6.1.Iaac908f3e3149a89190ce006ba166e2d3fd247a3@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rpmsg/rpmsg_char.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -455,7 +455,6 @@ static void rpmsg_ctrldev_release_device
ida_simple_remove(&rpmsg_ctrl_ida, dev->id);
ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt));
- cdev_del(&ctrldev->cdev);
kfree(ctrldev);
}
@@ -490,19 +489,13 @@ static int rpmsg_chrdev_probe(struct rpm
dev->id = ret;
dev_set_name(&ctrldev->dev, "rpmsg_ctrl%d", ret);
- ret = cdev_add(&ctrldev->cdev, dev->devt, 1);
+ ret = cdev_device_add(&ctrldev->cdev, &ctrldev->dev);
if (ret)
goto free_ctrl_ida;
/* We can now rely on the release function for cleanup */
dev->release = rpmsg_ctrldev_release_device;
- ret = device_add(dev);
- if (ret) {
- dev_err(&rpdev->dev, "device_add failed: %d\n", ret);
- put_device(dev);
- }
-
dev_set_drvdata(&rpdev->dev, ctrldev);
return ret;
@@ -528,7 +521,7 @@ static void rpmsg_chrdev_remove(struct r
if (ret)
dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret);
- device_del(&ctrldev->dev);
+ cdev_device_del(&ctrldev->cdev, &ctrldev->dev);
put_device(&ctrldev->dev);
}
next prev parent reply other threads:[~2022-02-07 11:28 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-07 11:05 [PATCH 4.19 00/86] 4.19.228-rc1 review Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 01/86] Bluetooth: refactor malicious adv data check Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 02/86] s390/hypfs: include z/VM guests with access control group set Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 03/86] scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 04/86] udf: Restore i_lenAlloc when inode expansion fails Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 05/86] udf: Fix NULL ptr deref when converting from inline format Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 06/86] PM: wakeup: simplify the output logic of pm_show_wakelocks() Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 07/86] drm/etnaviv: relax submit size limits Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 08/86] netfilter: nft_payload: do not update layer 4 checksum when mangling fragments Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 09/86] serial: 8250: of: Fix mapped region size when using reg-offset property Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 10/86] serial: stm32: fix software flow control transfer Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 11/86] tty: n_gsm: fix SW flow control encoding/handling Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 12/86] tty: Add support for Brainboxes UC cards Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 13/86] usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 14/86] usb: common: ulpi: Fix crash in ulpi_match() Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 15/86] usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 16/86] USB: core: Fix hang in usb_kill_urb by adding memory barriers Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 17/86] usb: typec: tcpm: Do not disconnect while receiving VBUS off Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 18/86] net: sfp: ignore disabled SFP node Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 19/86] powerpc/32: Fix boot failure with GCC latent entropy plugin Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 20/86] i40e: Increase delay to 1 s after global EMP reset Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 21/86] i40e: Fix issue when maximum queues is exceeded Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 22/86] i40e: Fix queues reservation for XDP Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 23/86] i40e: fix unsigned stat widths Greg Kroah-Hartman
2022-02-07 11:05 ` Greg Kroah-Hartman [this message]
2022-02-07 11:05 ` [PATCH 4.19 25/86] rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 26/86] scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 27/86] ipv6_tunnel: Rate limit warning messages Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 28/86] net: fix information leakage in /proc/net/ptype Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 29/86] ping: fix the sk_bound_dev_if match in ping_lookup Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 30/86] ipv4: avoid using shared IP generator for connected sockets Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 31/86] hwmon: (lm90) Reduce maximum conversion rate for G781 Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 32/86] NFSv4: Handle case where the lookup of a directory fails Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 33/86] NFSv4: nfs_atomic_open() can race when looking up a non-regular file Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 34/86] net-procfs: show net devices bound packet types Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 35/86] drm/msm: Fix wrong size calculation Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 4.19 36/86] drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 37/86] ipv6: annotate accesses to fn->fn_sernum Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 38/86] NFS: Ensure the server has an up to date ctime before hardlinking Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 39/86] NFS: Ensure the server has an up to date ctime before renaming Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 40/86] phylib: fix potential use-after-free Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 41/86] ibmvnic: init ->running_cap_crqs early Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 42/86] ibmvnic: dont spin in tasklet Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 43/86] yam: fix a memory leak in yam_siocdevprivate() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 44/86] ipv4: raw: lock the socket in raw_bind() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 45/86] ipv4: tcp: send zero IPID in SYNACK messages Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 46/86] netfilter: nat: remove l4 protocol port rovers Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 47/86] netfilter: nat: limit port clash resolution attempts Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 48/86] tcp: fix possible socket leaks in internal pacing mode Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 49/86] ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 50/86] net: amd-xgbe: ensure to reset the tx_timer_active flag Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 51/86] net: amd-xgbe: Fix skb data length underflow Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 52/86] rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 53/86] af_packet: fix data-race in packet_setsockopt / packet_setsockopt Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 54/86] audit: improve audit queue handling when "audit=1" on cmdline Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 55/86] ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 56/86] ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 57/86] ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 58/86] ALSA: hda/realtek: Add missing fixup-model entry for Gigabyte X570 ALC1220 quirks Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 59/86] ALSA: hda/realtek: Fix silent output on Gigabyte X570S Aorus Master (newer chipset) Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 60/86] ALSA: hda/realtek: Fix silent output on Gigabyte X570 Aorus Xtreme after reboot from Windows Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 61/86] drm/nouveau: fix off by one in BIOS boundary checking Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 62/86] block: bio-integrity: Advance seed correctly for larger interval sizes Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 63/86] Revert "ASoC: mediatek: Check for error clk pointer" Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 64/86] RDMA/mlx4: Dont continue event handler after memory allocation failure Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 65/86] iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 66/86] iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 67/86] spi: bcm-qspi: check for valid cs before applying chip select Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 68/86] spi: mediatek: Avoid NULL pointer crash in interrupt Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 69/86] spi: meson-spicc: add IRQ check in meson_spicc_probe Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 70/86] net: ieee802154: hwsim: Ensure proper channel selection at probe time Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 71/86] net: ieee802154: mcr20a: Fix lifs/sifs periods Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 72/86] net: ieee802154: ca8210: Stop leaking skbs Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 73/86] net: ieee802154: Return meaningful error codes from the netlink helpers Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 74/86] net: macsec: Verify that send_sci is on when setting Tx sci explicitly Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 75/86] net: stmmac: ensure PTP time register reads are consistent Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 76/86] drm/i915/overlay: Prevent divide by zero bugs in scaling Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 77/86] ASoC: fsl: Add missing error handling in pcm030_fabric_probe Greg Kroah-Hartman
2022-02-09 19:07 ` Pavel Machek
2022-02-07 11:06 ` [PATCH 4.19 78/86] ASoC: cpcap: Check for NULL pointer after calling of_get_child_by_name Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 79/86] ASoC: max9759: fix underflow in speaker_gain_control_put() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 80/86] scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 81/86] nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 82/86] selftests: futex: Use variable MAKE instead of make Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 83/86] rtc: cmos: Evaluate century appropriate Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 84/86] EDAC/altera: Fix deferred probing Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 85/86] EDAC/xgene: " Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 4.19 86/86] ext4: fix error handling in ext4_restore_inline_data() Greg Kroah-Hartman
2022-02-07 17:02 ` [PATCH 4.19 00/86] 4.19.228-rc1 review Pavel Machek
2022-02-07 21:26 ` Shuah Khan
2022-02-07 22:20 ` Guenter Roeck
2022-02-08 8:30 ` Jon Hunter
2022-02-08 8:37 ` Naresh Kamboju
2022-02-08 14:02 ` Sudip Mukherjee
2022-02-09 2:47 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220207103758.336261060@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bjorn.andersson@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.poirier@linaro.org \
--cc=mka@chromium.org \
--cc=stable@vger.kernel.org \
--cc=sujitka@chromium.org \
--cc=swboyd@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).