1 From cebf8fd16900fdfd58c0028617944f808f97fe50 Mon Sep 17 00:00:00 2001
2 From: Ming Lei <ming.lei@canonical.com>
3 Date: Sun, 10 Jul 2016 19:27:36 +0800
4 Subject: driver core: fix race between creating/querying glue dir and its cleanup
5
6 From: Ming Lei <ming.lei@canonical.com>
7
8 commit cebf8fd16900fdfd58c0028617944f808f97fe50 upstream.
9
10 The global mutex of 'gdp_mutex' is used to serialize creating/querying
11 glue dir and its cleanup. Turns out it isn't a perfect way because
12 part(kobj_kset_leave()) of the actual cleanup action() is done inside
13 the release handler of the glue dir kobject. That means gdp_mutex has
14 to be held before releasing the last reference count of the glue dir
15 kobject.
16
17 This patch moves glue dir's cleanup after kobject_del() in device_del()
18 for avoiding the race.
19
20 Cc: Yijing Wang <wangyijing@huawei.com>
21 Reported-by: Chandra Sekhar Lingutla <clingutla@codeaurora.org>
22 Signed-off-by: Ming Lei <ming.lei@canonical.com>
23 Cc: Jiri Slaby <jslaby@suse.cz>
24 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25
26 ---
27 drivers/base/core.c | 39 +++++++++++++++++++++++++++++----------
28 1 file changed, 29 insertions(+), 10 deletions(-)
29
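--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -836,11 +836,29 @@ static struct kobject *get_device_parent
 return NULL;
 }
 
+static inline bool live_in_glue_dir(struct kobject *kobj,
+ struct device *dev)
+{
+ if (!kobj || !dev->class ||
+ kobj->kset != &dev->class->p->glue_dirs)
+ return false;
+ return true;
+}
+
+static inline struct kobject *get_glue_dir(struct device *dev)
+{
+ return dev->kobj.parent;
+}
+
+/*
+ * make sure cleaning up dir as the last step, we need to make
+ * sure .release handler of kobject is run with holding the
+ * global lock
+ */
 static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
 {
 /* see if we live in a "glue" directory */
- if (!glue_dir || !dev->class ||
- glue_dir->kset != &dev->class->p->glue_dirs)
+ if (!live_in_glue_dir(glue_dir, dev))
 return;
 
 mutex_lock(&gdp_mutex);
@@ -848,11 +866,6 @@ static void cleanup_glue_dir(struct devi
 mutex_unlock(&gdp_mutex);
 }
 
-static void cleanup_device_parent(struct device *dev)
-{
- cleanup_glue_dir(dev, dev->kobj.parent);
-}
-
 static int device_add_class_symlinks(struct device *dev)
 {
 struct device_node *of_node = dev_of_node(dev);
@@ -1028,6 +1041,7 @@ int device_add(struct device *dev)
 struct kobject *kobj;
 struct class_interface *class_intf;
 int error = -EINVAL;
+ struct kobject *glue_dir = NULL;
 
 dev = get_device(dev);
 if (!dev)
@@ -1072,8 +1086,10 @@ int device_add(struct device *dev)
 /* first, register with generic layer. */
 /* we require the name to be set before, and pass NULL */
 error = kobject_add(&dev->kobj, dev->kobj.parent, NULL);
- if (error)
+ if (error) {
+ glue_dir = get_glue_dir(dev);
 goto Error;
+ }
 
 /* notify platform of device entry */
 if (platform_notify)
@@ -1154,9 +1170,10 @@ done:
 device_remove_file(dev, &dev_attr_uevent);
 attrError:
 kobject_uevent(&dev->kobj, KOBJ_REMOVE);
+ glue_dir = get_glue_dir(dev);
 kobject_del(&dev->kobj);
 Error:
- cleanup_device_parent(dev);
+ cleanup_glue_dir(dev, glue_dir);
 put_device(parent);
 name_error:
 kfree(dev->p);
@@ -1232,6 +1249,7 @@ EXPORT_SYMBOL_GPL(put_device);
 void device_del(struct device *dev)
 {
 struct device *parent = dev->parent;
+ struct kobject *glue_dir = NULL;
 struct class_interface *class_intf;
 
 /* Notify clients of device removal. This call must come
@@ -1276,8 +1294,9 @@ void device_del(struct device *dev)
 blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
 BUS_NOTIFY_REMOVED_DEVICE, dev);
 kobject_uevent(&dev->kobj, KOBJ_REMOVE);
- cleanup_device_parent(dev);
+ glue_dir = get_glue_dir(dev);
 kobject_del(&dev->kobj);
+ cleanup_glue_dir(dev, glue_dir);
 put_device(parent);
 }
 EXPORT_SYMBOL_GPL(device_del);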
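Review bot: In the kobject_add() failure branch of device_add(), `glue_dir = get_glue_dir(dev);` reads dev->kobj.parent only after the call has already failed. If kobject_add()'s own error handling resets that parent pointer (not visible in this patch; worth confirming in lib/kobject.c), glue_dir is NULL there, cleanup_glue_dir() returns early at the live_in_glue_dir() check, and the glue directory's reference is never dropped. Taking the value before the call removes that dependency, for example `glue_dir = kobj;` in the error branch, provided the local `kobj` still holds the parent obtained earlier in device_add() (that assignment lies outside the hunk). The other two `glue_dir = get_glue_dir(dev);` sites read the pointer before kobject_del() and would benefit from a short comment saying the parent has to be captured before kobject_del() runs.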