Commit 37de955c authored by Ming Lei Committed by Greg Kroah-Hartman

driver core: fix race between creating/querying glue dir and its cleanup

commit cebf8fd1 upstream.

The global mutex of 'gdp_mutex' is used to serialize creating/querying
glue dir and its cleanup. Turns out it isn't a perfect way because
part(kobj_kset_leave()) of the actual cleanup action() is done inside
the release handler of the glue dir kobject. That means gdp_mutex has
to be held before releasing the last reference count of the glue dir
kobject.

This patch moves glue dir's cleanup after kobject_del() in device_del()
for avoiding the race.

Cc: Yijing Wang <wangyijing@huawei.com>
Reported-by: Chandra Sekhar Lingutla <clingutla@codeaurora.org>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent f85a337b
...@@ -836,11 +836,29 @@ static struct kobject *get_device_parent(struct device *dev, ...@@ -836,11 +836,29 @@ static struct kobject *get_device_parent(struct device *dev,
return NULL; return NULL;
} }
static inline bool live_in_glue_dir(struct kobject *kobj,
struct device *dev)
{
if (!kobj || !dev->class ||
kobj->kset != &dev->class->p->glue_dirs)
return false;
return true;
}
static inline struct kobject *get_glue_dir(struct device *dev)
{
return dev->kobj.parent;
}
/*
* make sure cleaning up dir as the last step, we need to make
* sure .release handler of kobject is run with holding the
* global lock
*/
static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir) static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
{ {
/* see if we live in a "glue" directory */ /* see if we live in a "glue" directory */
if (!glue_dir || !dev->class || if (!live_in_glue_dir(glue_dir, dev))
glue_dir->kset != &dev->class->p->glue_dirs)
return; return;
mutex_lock(&gdp_mutex); mutex_lock(&gdp_mutex);
...@@ -848,11 +866,6 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir) ...@@ -848,11 +866,6 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
mutex_unlock(&gdp_mutex); mutex_unlock(&gdp_mutex);
} }
static void cleanup_device_parent(struct device *dev)
{
cleanup_glue_dir(dev, dev->kobj.parent);
}
static int device_add_class_symlinks(struct device *dev) static int device_add_class_symlinks(struct device *dev)
{ {
struct device_node *of_node = dev_of_node(dev); struct device_node *of_node = dev_of_node(dev);
...@@ -1028,6 +1041,7 @@ int device_add(struct device *dev) ...@@ -1028,6 +1041,7 @@ int device_add(struct device *dev)
struct kobject *kobj; struct kobject *kobj;
struct class_interface *class_intf; struct class_interface *class_intf;
int error = -EINVAL; int error = -EINVAL;
struct kobject *glue_dir = NULL;
dev = get_device(dev); dev = get_device(dev);
if (!dev) if (!dev)
...@@ -1072,8 +1086,10 @@ int device_add(struct device *dev) ...@@ -1072,8 +1086,10 @@ int device_add(struct device *dev)
/* first, register with generic layer. */ /* first, register with generic layer. */
/* we require the name to be set before, and pass NULL */ /* we require the name to be set before, and pass NULL */
error = kobject_add(&dev->kobj, dev->kobj.parent, NULL); error = kobject_add(&dev->kobj, dev->kobj.parent, NULL);
if (error) if (error) {
glue_dir = get_glue_dir(dev);
goto Error; goto Error;
}
/* notify platform of device entry */ /* notify platform of device entry */
if (platform_notify) if (platform_notify)
...@@ -1154,9 +1170,10 @@ int device_add(struct device *dev) ...@@ -1154,9 +1170,10 @@ int device_add(struct device *dev)
device_remove_file(dev, &dev_attr_uevent); device_remove_file(dev, &dev_attr_uevent);
attrError: attrError:
kobject_uevent(&dev->kobj, KOBJ_REMOVE); kobject_uevent(&dev->kobj, KOBJ_REMOVE);
glue_dir = get_glue_dir(dev);
kobject_del(&dev->kobj); kobject_del(&dev->kobj);
Error: Error:
cleanup_device_parent(dev); cleanup_glue_dir(dev, glue_dir);
put_device(parent); put_device(parent);
name_error: name_error:
kfree(dev->p); kfree(dev->p);
...@@ -1232,6 +1249,7 @@ EXPORT_SYMBOL_GPL(put_device); ...@@ -1232,6 +1249,7 @@ EXPORT_SYMBOL_GPL(put_device);
void device_del(struct device *dev) void device_del(struct device *dev)
{ {
struct device *parent = dev->parent; struct device *parent = dev->parent;
struct kobject *glue_dir = NULL;
struct class_interface *class_intf; struct class_interface *class_intf;
/* Notify clients of device removal. This call must come /* Notify clients of device removal. This call must come
...@@ -1276,8 +1294,9 @@ void device_del(struct device *dev) ...@@ -1276,8 +1294,9 @@ void device_del(struct device *dev)
blocking_notifier_call_chain(&dev->bus->p->bus_notifier, blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
BUS_NOTIFY_REMOVED_DEVICE, dev); BUS_NOTIFY_REMOVED_DEVICE, dev);
kobject_uevent(&dev->kobj, KOBJ_REMOVE); kobject_uevent(&dev->kobj, KOBJ_REMOVE);
cleanup_device_parent(dev); glue_dir = get_glue_dir(dev);
kobject_del(&dev->kobj); kobject_del(&dev->kobj);
cleanup_glue_dir(dev, glue_dir);
put_device(parent); put_device(parent);
} }
EXPORT_SYMBOL_GPL(device_del); EXPORT_SYMBOL_GPL(device_del);
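Review bot: In the `kobject_add()` failure branch of device_add(), `glue_dir = get_glue_dir(dev)` reads `dev->kobj.parent` only after the add has failed. If kobject_add() resets the parent pointer on its error path (it does in the kobject code I know, but that code is not on this page), the value is NULL, so `cleanup_glue_dir()` returns early and the glue directory reference taken earlier is never dropped. Assuming the local `kobj` declared at the top of device_add() still holds the parent that was looked up before the add (that part of the function is outside the hunk), the branch can use it directly: `glue_dir = kobj;`. The `attrError:` path and device_del() read the pointer before `kobject_del()`, which is the order the fix depends on. A comment on `get_glue_dir()` such as `/* call before kobject_del(): dev->kobj.parent is not valid afterwards */` would keep later edits from reordering those calls.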