1. 14 Nov, 2022 3 commits
    • Guenter Roeck's avatar
      thermal/core: Ensure that thermal device is registered in thermal_zone_get_temp · 1c6b3006
      Guenter Roeck authored
      Calls to thermal_zone_get_temp() are not protected against thermal zone
      device removal. As result, it is possible that the thermal zone operations
      callbacks are no longer valid when thermal_zone_get_temp() is called.
      This may result in crashes such as
      
      BUG: unable to handle page fault for address: ffffffffc04ef420
       #PF: supervisor read access in kernel mode
       #PF: error_code(0x0000) - not-present page
      PGD 5d60e067 P4D 5d60e067 PUD 5d610067 PMD 110197067 PTE 0
      Oops: 0000 [#1] PREEMPT SMP NOPTI
      CPU: 1 PID: 3209 Comm: cat Tainted: G        W         5.10.136-19389-g615abc6eb807 #1 02df41ac0b12f3a64f4b34245188d8875bb3bce1
      Hardware name: Google Coral/Coral, BIOS Google_Coral.10068.92.0 11/27/2018
      RIP: 0010:thermal_zone_get_temp+0x26/0x73
      Code: 89 c3 eb d3 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 85 ff 74 50 48 89 fb 48 81 ff 00 f0 ff ff 77 44 48 8b 83 98 03 00 00 <48> 83 78 10 00 74 36 49 89 f6 4c 8d bb d8 03 00 00 4c 89 ff e8 9f
      RSP: 0018:ffffb3758138fd38 EFLAGS: 00010287
      RAX: ffffffffc04ef410 RBX: ffff98f14d7fb000 RCX: 0000000000000000
      RDX: ffff98f17cf90000 RSI: ffffb3758138fd64 RDI: ffff98f14d7fb000
      RBP: ffffb3758138fd50 R08: 0000000000001000 R09: ffff98f17cf90000
      R10: 0000000000000000 R11: ffffffff8dacad28 R12: 0000000000001000
      R13: ffff98f1793a7d80 R14: ffff98f143231708 R15: ffff98f14d7fb018
      FS:  00007ec166097800(0000) GS:ffff98f1bbd00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffc04ef420 CR3: 000000010ee9a000 CR4: 00000000003506e0
      Call Trace:
       temp_show+0x31/0x68
       dev_attr_show+0x1d/0x4f
       sysfs_kf_seq_show+0x92/0x107
       seq_read_iter+0xf5/0x3f2
       vfs_read+0x205/0x379
       __x64_sys_read+0x7c/0xe2
       do_syscall_64+0x43/0x55
       entry_SYSCALL_64_after_hwframe+0x61/0xc6
      
      if a thermal device is removed while accesses to its device attributes
      are ongoing.
      
      The problem is exposed by code in iwl_op_mode_mvm_start(), which registers
      a thermal zone device only to unregister it shortly afterwards if an
      unrelated failure is encountered while accessing the hardware.
      
      Check if the thermal zone device is registered after acquiring the
      thermal zone device mutex to ensure this does not happen.
      
      The code was tested by triggering the failure in iwl_op_mode_mvm_start()
      on purpose. Without this patch, the kernel crashes reliably. The crash
      is no longer observed after applying this and the preceding patches.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      1c6b3006
    • Guenter Roeck's avatar
      thermal/core: Delete device under thermal device zone lock · 30b2ae07
      Guenter Roeck authored
      Thermal device attributes may still be opened after unregistering
      the thermal zone and deleting the thermal device.
      
      Currently there is no protection against accessing thermal device
      operations after unregistering a thermal zone. To enable adding
      such protection, protect the device delete operation with the
      thermal zone device mutex. This requires splitting the call to
      device_unregister() into its components, device_del() and put_device().
      Only the first call can be executed under mutex protection, since
      put_device() may result in releasing the thermal zone device memory.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      30b2ae07
    • Guenter Roeck's avatar
      thermal/core: Destroy thermal zone device mutex in release function · d35f29ed
      Guenter Roeck authored
      Accesses to thermal zones, and with it the thermal zone device mutex,
      are still possible after the thermal zone device has been unregistered.
      For example, thermal_zone_get_temp() can be called from temp_show()
      in thermal_sysfs.c if the sysfs attribute was opened before the thermal
      device was unregistered.
      
      Move the call to mutex_destroy from thermal_zone_device_unregister()
      to thermal_release() to ensure that it is only destroyed after it is
      guaranteed to be no longer accessed.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      d35f29ed
  2. 28 Oct, 2022 1 commit
  3. 25 Oct, 2022 2 commits
  4. 23 Oct, 2022 9 commits
  5. 22 Oct, 2022 21 commits
  6. 21 Oct, 2022 4 commits