From patchwork Mon Jan 25 17:03:46 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Viresh Kumar
X-Patchwork-Id: 60378
Delivered-To: patch@linaro.org
From: Viresh Kumar
To: Rafael Wysocki
Cc: linaro-kernel@lists.linaro.org, linux-pm@vger.kernel.org, Viresh Kumar, "# v4 . 2+", Juri Lelli, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] cpufreq: Fix NULL reference crash while accessing policy->governor_data
Date: Mon, 25 Jan 2016 22:33:46 +0530
Message-Id: <1297c8fc8135f8b5359f9c49d220a939c0ee640e.1453741314.git.viresh.kumar@linaro.org>
X-Mailer: git-send-email 2.7.0.79.gdc08a19
Sender: linux-pm-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-pm@vger.kernel.org

There is a little race discovered by Juri, where we are able to:
- create and read a sysfs file before policy->governor_data is being set
  to a non NULL value.
  OR
- set policy->governor_data to NULL, and reading a file before being
  destroyed.

And so such a crash is reported:

Unable to handle kernel NULL pointer dereference at virtual address 0000000c
pgd = edfc8000
[0000000c] *pgd=bfc8c835
Internal error: Oops: 17 [#1] SMP ARM
Modules linked in:
CPU: 4 PID: 1730 Comm: cat Not tainted 4.5.0-rc1+ #463
Hardware name: ARM-Versatile Express
task: ee8e8480 ti: ee930000 task.ti: ee930000
PC is at show_ignore_nice_load_gov_pol+0x24/0x34
LR is at show+0x4c/0x60
pc : []    lr : []    psr: a0070013
sp : ee931dd0  ip : ee931de0  fp : ee931ddc
r10: ee4bc290  r9 : 00001000  r8 : ef2cb000
r7 : ee4bc200  r6 : ef2cb000  r5 : c0af57b0  r4 : ee4bc2e0
r3 : 00000000  r2 : 00000000  r1 : c0928df4  r0 : ef2cb000
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: adfc806a  DAC: 00000051
Process cat (pid: 1730, stack limit = 0xee930210)
Stack: (0xee931dd0 to 0xee932000)
Unable to handle kernel NULL pointer dereference at virtual address 0000000c
pgd = edfc4000
[0000000c] *pgd=bfcac835
[] (show_ignore_nice_load_gov_pol) from [] (show+0x4c/0x60)
[] (show) from [] (sysfs_kf_seq_show+0x90/0xfc)
[] (sysfs_kf_seq_show) from [] (kernfs_seq_show+0x34/0x38)
[] (kernfs_seq_show) from [] (seq_read+0x1e4/0x4e4)
[] (seq_read) from [] (kernfs_fop_read+0x120/0x1a0)
[] (kernfs_fop_read) from [] (__vfs_read+0x3c/0xe0)
[] (__vfs_read) from [] (vfs_read+0x98/0x104)
[] (vfs_read) from [] (SyS_read+0x50/0x90)
[] (SyS_read) from [] (ret_fast_syscall+0x0/0x1c)
Code: e5903044 e1a00001 e3081df4 e34c1092 (e593300c)
---[ end trace 5994b9a5111f35ee ]---

Fix that by making sure, policy->governor_data is updated at the right
places only.

Cc: # v4.2+
Reported-by: Juri Lelli
Signed-off-by: Viresh Kumar --- drivers/cpufreq/cpufreq_governor.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) -- 2.7.0.79.gdc08a19 Tested-by: Juri Lelli diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c index bab3a514ec12..e0d111024d48 100644 --- a/drivers/cpufreq/cpufreq_governor.c +++ b/drivers/cpufreq/cpufreq_governor.c @@ -387,16 +387,18 @@ static int cpufreq_governor_init(struct cpufreq_policy *policy, if (!have_governor_per_policy()) cdata->gdbs_data = dbs_data; + policy->governor_data = dbs_data; + ret = sysfs_create_group(get_governor_parent_kobj(policy), get_sysfs_attr(dbs_data)); if (ret) goto reset_gdbs_data; - policy->governor_data = dbs_data; - return 0; reset_gdbs_data: + policy->governor_data = NULL; + if (!have_governor_per_policy()) cdata->gdbs_data = NULL; cdata->exit(dbs_data, !policy->governor->initialized); @@ -417,16 +419,19 @@ static int cpufreq_governor_exit(struct cpufreq_policy *policy, if (!cdbs->shared || cdbs->shared->policy) return -EBUSY; - policy->governor_data = NULL; if (!--dbs_data->usage_count) { sysfs_remove_group(get_governor_parent_kobj(policy), get_sysfs_attr(dbs_data)); + policy->governor_data = NULL; + if (!have_governor_per_policy()) cdata->gdbs_data = NULL; cdata->exit(dbs_data, policy->governor->initialized == 1); kfree(dbs_data); + } else { + policy->governor_data = NULL; } free_common_dbs_info(policy, cdata);
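
Review bot: in cpufreq_governor_init(), the new "policy->governor_data = dbs_data;" placed just before sysfs_create_group() carries no comment saying that this ordering is what closes the race, so a later cleanup could move the assignment back below the group creation and reintroduce the NULL dereference in the show path from the oops. Please add a short comment above the assignment, and above the "policy->governor_data = NULL;" at reset_gdbs_data, stating that governor_data must stay valid for as long as the sysfs group exists. It is also worth confirming that every path into reset_gdbs_data runs with the group absent, since the hunk only shows the jump taken when sysfs_create_group() fails.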
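
Review bot: in cpufreq_governor_exit(), the new else branch clears policy->governor_data while the sysfs group is left in place because usage_count has not reached zero, which reads like the second case in the commit message (pointer set to NULL, file still readable). If readers cannot reach this policy's governor_data through the remaining group in that case, please say so in a comment on the else branch; otherwise the show path needs a NULL check. A one-line comment after sysfs_remove_group() noting that the pointer may only be cleared once the files are gone would also keep the ordering from being undone later.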