From patchwork Fri Jan 30 01:13:12 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Viresh Kumar X-Patchwork-Id: 43997 Return-Path: X-Original-To: linaro@patches.linaro.org Delivered-To: linaro@patches.linaro.org Received: from mail-lb0-f197.google.com (mail-lb0-f197.google.com [209.85.217.197]) by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 0D1D024128 for ; Fri, 30 Jan 2015 01:13:26 +0000 (UTC) Received: by mail-lb0-f197.google.com with SMTP id b6sf25726068lbj.0 for ; Thu, 29 Jan 2015 17:13:25 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject :date:message-id:sender:precedence:list-id:x-original-sender :x-original-authentication-results:mailing-list:list-post:list-help :list-archive:list-unsubscribe; bh=wf5p0+MuO4MsbyxB6ZkNFpuFXqKiSPFnlZeEcZQsdNI=; b=V0udsh/p73+vZDuHHVvVapuevxsmRkP5KJnC8VtV1DEGtfINAI61Tw8OHzPWDP/Yde vKP6bcd43CKplil++Qc9HPNIVVMRPFkKIdne0MMmgfwmXJdP4VU9GGvj5jPaGXuTOv10 31zmqy+ri5tG3uNX6Y7yFNerIzQemzJbOiHO6+kuTvCFuLhkDD23G2U7ehSuyGZXdNsx bkYapPg4nR0PPTOR26uMPNQhXctdA+JucFCH59m6W2xkj/p1hyY8RQIO9fAWgBmgSvfR 5XSgAvy64/n1ilbJ0TUEaaM92/OUf76gYz6NT2n6IN1ulh8OmTtqQPy2f7/HgZtMCGeW FKUQ== X-Gm-Message-State: ALoCoQmbVmTmhNPkpBbwmbAV6Nhbn1cx6yMBs7c4jfYZdwOWLMMkLI4Su03cp0EoXVLqYiTbGtJU X-Received: by 10.112.148.198 with SMTP id tu6mr460709lbb.3.1422580404829; Thu, 29 Jan 2015 17:13:24 -0800 (PST) MIME-Version: 1.0 X-BeenThere: patchwork-forward@linaro.org Received: by 10.152.7.42 with SMTP id g10ls372580laa.51.gmail; Thu, 29 Jan 2015 17:13:24 -0800 (PST) X-Received: by 10.152.37.165 with SMTP id z5mr3985610laj.88.1422580404584; Thu, 29 Jan 2015 17:13:24 -0800 (PST) Received: from mail-la0-f43.google.com (mail-la0-f43.google.com. [209.85.215.43]) by mx.google.com with ESMTPS id js7si8981020lbc.58.2015.01.29.17.13.24 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 29 Jan 2015 17:13:24 -0800 (PST) Received-SPF: pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.215.43 as permitted sender) client-ip=209.85.215.43; Received: by mail-la0-f43.google.com with SMTP id q1so21255968lam.2 for ; Thu, 29 Jan 2015 17:13:24 -0800 (PST) X-Received: by 10.112.41.234 with SMTP id i10mr4063983lbl.25.1422580404128; Thu, 29 Jan 2015 17:13:24 -0800 (PST) X-Forwarded-To: patchwork-forward@linaro.org X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org Delivered-To: patch@linaro.org Received: by 10.112.35.133 with SMTP id h5csp122820lbj; Thu, 29 Jan 2015 17:13:23 -0800 (PST) X-Received: by 10.70.100.73 with SMTP id ew9mr4827339pdb.95.1422580401837; Thu, 29 Jan 2015 17:13:21 -0800 (PST) Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id zn6si11907230pac.126.2015.01.29.17.13.21; Thu, 29 Jan 2015 17:13:21 -0800 (PST) Received-SPF: none (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) client-ip=209.132.180.67; Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753153AbbA3BNU (ORCPT + 1 other); Thu, 29 Jan 2015 20:13:20 -0500 Received: from mail-pa0-f48.google.com ([209.85.220.48]:64427 "EHLO mail-pa0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751505AbbA3BNS (ORCPT ); Thu, 29 Jan 2015 20:13:18 -0500 Received: by mail-pa0-f48.google.com with SMTP id ey11so45526125pad.7 for ; Thu, 29 Jan 2015 17:13:18 -0800 (PST) X-Received: by 10.68.178.226 with SMTP id db2mr4854584pbc.37.1422580398477; Thu, 29 Jan 2015 17:13:18 -0800 (PST) Received: from localhost ([122.167.221.35]) by mx.google.com with ESMTPSA id ms4sm8893054pbc.92.2015.01.29.17.13.17 (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Thu, 29 Jan 2015 17:13:17 -0800 (PST) From: Viresh Kumar To: Rafael Wysocki , santosh.shilimkar@oracle.com, ethan.zhao@oracle.com Cc: linaro-kernel@lists.linaro.org, linux-pm@vger.kernel.org, Viresh Kumar , Subject: [PATCH] cpufreq: Set cpufreq_cpu_data to NULL before putting kobject Date: Fri, 30 Jan 2015 06:43:12 +0530 Message-Id: X-Mailer: git-send-email 2.3.0.rc0.44.ga94655d Sender: stable-owner@vger.kernel.org Precedence: list List-ID: X-Mailing-List: stable@vger.kernel.org X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: viresh.kumar@linaro.org X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.215.43 as permitted sender) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org X-Google-Group-Id: 836684582541 List-Post: , List-Help: , List-Archive: List-Unsubscribe: , cpufreq_cpu_data is protected by cpufreq_driver_lock and one of the instances has missed this. And as a result we get this: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 4 at include/linux/kref.h:47 kobject_get+0x41/0x50() Modules linked in: acpi_cpufreq(+) nfsd auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c sd_mod ixgbe igb mdio ahci hwmon ... Call Trace: [] dump_stack+0x46/0x58 [] warn_slowpath_common+0x81/0xa0 [] warn_slowpath_null+0x1a/0x20 [] kobject_get+0x41/0x50 [] cpufreq_cpu_get+0x75/0xc0 [] cpufreq_update_policy+0x2e/0x1f0 [] ? up+0x32/0x50 [] ? acpi_ns_get_node+0xcb/0xf2 [] ? acpi_evaluate_object+0x22c/0x252 [] ? acpi_get_handle+0x95/0xc0 [] ? acpi_has_method+0x25/0x40 [] acpi_processor_ppc_has_changed+0x77/0x82 [] ? move_linked_works+0x66/0x90 [] acpi_processor_notify+0x58/0xe7 [] acpi_ev_notify_dispatch+0x44/0x5c [] acpi_os_execute_deferred+0x15/0x22 [] process_one_work+0x160/0x410 [] worker_thread+0x11b/0x520 [] ? rescuer_thread+0x380/0x380 [] kthread+0xe1/0x100 [] ? kthread_create_on_node+0x1b0/0x1b0 [] ret_from_fork+0x7c/0xb0 [] ? kthread_create_on_node+0x1b0/0x1b0 ---[ end trace 89e66eb9795efdf7 ]--- And here is the race: Thread A: Workqueue: kacpi_notify acpi_processor_notify() acpi_processor_ppc_has_changed() cpufreq_update_policy() cpufreq_cpu_get() kobject_get() Thread B: xenbus_thread() xenbus_thread() msg->u.watch.handle->callback() handle_vcpu_hotplug_event() vcpu_hotplug() cpu_down() __cpu_notify(CPU_POST_DEAD..) cpufreq_cpu_callback() __cpufreq_remove_dev_finish() cpufreq_policy_put_kobj() kobject_put() cpufreq_cpu_get() gets the policy from per-cpu variable cpufreq_cpu_data under cpufreq_driver_lock, and once it gets a valid policy it expects it to not be freed until cpufreq_cpu_put() is called. But the race happens when another thread puts the kobject first and updates cpufreq_cpu_data later and that too without these locks. And so the first thread gets a valid policy structure and before it does kobject_get() on it, the second one does kobject_put(). And so this WARN(). Fix this by setting cpufreq_cpu_data to NULL before putting the kobject and that too under locks. Cc: # 3.12+ Reported-by: Ethan Zhao Reported-and-tested-by: Santosh Shilimkar Signed-off-by: Viresh Kumar --- @Santosh: I have changed read locks to write locks here and so you need to test again. drivers/cpufreq/cpufreq.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c index 4473eba1d6b0..e3bf702b5588 100644 --- a/drivers/cpufreq/cpufreq.c +++ b/drivers/cpufreq/cpufreq.c @@ -1409,9 +1409,10 @@ static int __cpufreq_remove_dev_finish(struct device *dev, unsigned long flags; struct cpufreq_policy *policy; - read_lock_irqsave(&cpufreq_driver_lock, flags); + write_lock_irqsave(&cpufreq_driver_lock, flags); policy = per_cpu(cpufreq_cpu_data, cpu); - read_unlock_irqrestore(&cpufreq_driver_lock, flags); + per_cpu(cpufreq_cpu_data, cpu) = NULL; + write_unlock_irqrestore(&cpufreq_driver_lock, flags); if (!policy) { pr_debug("%s: No cpu_data found\n", __func__); @@ -1466,7 +1467,6 @@ static int __cpufreq_remove_dev_finish(struct device *dev, } } - per_cpu(cpufreq_cpu_data, cpu) = NULL; return 0; }