driver core: fix race between creating/querying glue dir and its cleanup

commit cebf8fd16900fdfd58c0028617944f808f97fe50 upstream.

The global mutex of 'gdp_mutex' is used to serialize creating/querying
glue dir and its cleanup. Turns out it isn't a perfect way because
part(kobj_kset_leave()) of the actual cleanup action() is done inside
the release handler of the glue dir kobject. That means gdp_mutex has
to be held before releasing the last reference count of the glue dir
kobject.

This patch moves glue dir's cleanup after kobject_del() in device_del()
for avoiding the race.

Cc: Yijing Wang <wangyijing@huawei.com>
Reported-by: Chandra Sekhar Lingutla <clingutla@codeaurora.org>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>

diff --git a/drivers/base/core.c b/drivers/base/core.c
index 90458b1719a89edbaee1a28d6a506de3e961fb0b..449f7096974ddf4e6bdc428bd0dcc1d0d26216b8 100644 (file)
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -874,11 +874,29 @@ static struct kobject *get_device_parent(struct device *dev,
        return NULL;
 }
 
+static inline bool live_in_glue_dir(struct kobject *kobj,
+                                   struct device *dev)
+{
+       if (!kobj || !dev->class ||
+           kobj->kset != &dev->class->p->glue_dirs)
+               return false;
+       return true;
+}
+
+static inline struct kobject *get_glue_dir(struct device *dev)
+{
+       return dev->kobj.parent;
+}
+
+/*
+ * make sure cleaning up dir as the last step, we need to make
+ * sure .release handler of kobject is run with holding the
+ * global lock
+ */
 static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
 {
        /* see if we live in a "glue" directory */
-       if (!glue_dir || !dev->class ||
-           glue_dir->kset != &dev->class->p->glue_dirs)
+       if (!live_in_glue_dir(glue_dir, dev))
                return;
 
        mutex_lock(&gdp_mutex);
@@ -886,11 +904,6 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
        mutex_unlock(&gdp_mutex);
 }
 
-static void cleanup_device_parent(struct device *dev)
-{
-       cleanup_glue_dir(dev, dev->kobj.parent);
-}
-
 static int device_add_class_symlinks(struct device *dev)
 {
        int error;
@@ -1054,6 +1067,7 @@ int device_add(struct device *dev)
        struct kobject *kobj;
        struct class_interface *class_intf;
        int error = -EINVAL;
+       struct kobject *glue_dir = NULL;
 
        dev = get_device(dev);
        if (!dev)
@@ -1098,8 +1112,10 @@ int device_add(struct device *dev)
        /* first, register with generic layer. */
        /* we require the name to be set before, and pass NULL */
        error = kobject_add(&dev->kobj, dev->kobj.parent, NULL);
-       if (error)
+       if (error) {
+               glue_dir = get_glue_dir(dev);
                goto Error;
+       }
 
        /* notify platform of device entry */
        if (platform_notify)
@@ -1182,9 +1198,10 @@ done:
        device_remove_file(dev, &dev_attr_uevent);
  attrError:
        kobject_uevent(&dev->kobj, KOBJ_REMOVE);
+       glue_dir = get_glue_dir(dev);
        kobject_del(&dev->kobj);
  Error:
-       cleanup_device_parent(dev);
+       cleanup_glue_dir(dev, glue_dir);
        put_device(parent);
 name_error:
        kfree(dev->p);
@@ -1260,6 +1277,7 @@ EXPORT_SYMBOL_GPL(put_device);
 void device_del(struct device *dev)
 {
        struct device *parent = dev->parent;
+       struct kobject *glue_dir = NULL;
        struct class_interface *class_intf;
 
        /* Notify clients of device removal.  This call must come
@@ -1301,8 +1319,9 @@ void device_del(struct device *dev)
        if (platform_notify_remove)
                platform_notify_remove(dev);
        kobject_uevent(&dev->kobj, KOBJ_REMOVE);
-       cleanup_device_parent(dev);
+       glue_dir = get_glue_dir(dev);
        kobject_del(&dev->kobj);
+       cleanup_glue_dir(dev, glue_dir);
        put_device(parent);
 }
 EXPORT_SYMBOL_GPL(device_del);