driver core: fix race between creating/querying glue dir and its cleanup

The global mutex of 'gdp_mutex' is used to serialize creating/querying glue dir and its cleanup. Turns out it isn't a perfect way because part(kobj_kset_leave()) of the actual cleanup action() is done inside the release handler of the glue dir kobject. That means gdp_mutex has to be held before releasing the last reference count of the glue dir kobject. This patch moves glue dir's cleanup after kobject_del() in device_del() for avoiding the race. Change-Id: I92b10e62be8129ead5859a285bf964ab0a3ae2fd To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Yijing Wang <wangyijing@huawei.com> Reported-by: Chandra Sekhar Lingutla <clingutla@codeaurora.org> Signed-off-by: Ming Lei <ming.lei@canonical.com> Patch-mainline: linux-arm-kernel @ 2016/4/26 22:57:28 https://lkml.org/lkml/2016/4/26/647 Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>
2016-04-26 10:05:44 +05:30 · 2016-04-26 10:05:44 +05:30 · 760aaa7e3f
parent b52f838665
commit 760aaa7e3f
1 changed files with 29 additions and 10 deletions
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@ -826,12 +826,30 @@ static struct kobject *get_device_parent(struct device *dev,
 		return &parent->kobj;
 	return NULL;
 }
+static inline bool live_in_glue_dir(struct kobject *kobj,
+					struct device *dev)
+{
+	if (!kobj || !dev->class ||
+	    kobj->kset != &dev->class->p->glue_dirs)
+		return false;
+	return true;
+}

+static inline struct kobject *get_glue_dir(struct device *dev)
+{
+	if (live_in_glue_dir(&dev->kobj, dev))
+		return dev->kobj.parent;
+	return NULL;
+}
+/*
+* make sure cleaning up dir as the last step, we need to make
+* sure .release handler of kobject is run with holding the
+* global lock
+*/
 static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
 {
 	/* see if we live in a "glue" directory */
-	if (!glue_dir || !dev->class ||
-	    glue_dir->kset != &dev->class->p->glue_dirs)
+	if (!live_in_glue_dir(glue_dir, dev))
 		return;

 	mutex_lock(&gdp_mutex);
@ -839,11 +857,6 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
 	mutex_unlock(&gdp_mutex);
 }

-static void cleanup_device_parent(struct device *dev)
-{
-	cleanup_glue_dir(dev, dev->kobj.parent);
-}
-
 static int device_add_class_symlinks(struct device *dev)
 {
 	int error;
@ -1006,6 +1019,7 @@ int device_add(struct device *dev)
 	struct device *parent = NULL;
 	struct kobject *kobj;
 	struct class_interface *class_intf;
+	struct kobject *glue_dir = NULL;
 	int error = -EINVAL;

 	dev = get_device(dev);
@ -1051,8 +1065,10 @@ int device_add(struct device *dev)
 	/* first, register with generic layer. */
 	/* we require the name to be set before, and pass NULL */
 	error = kobject_add(&dev->kobj, dev->kobj.parent, NULL);
-	if (error)
+	if (error) {
+		glue_dir = get_glue_dir(dev);
 		goto Error;
+	}

 	/* notify platform of device entry */
 	if (platform_notify)
@ -1141,9 +1157,10 @@ done:
 	device_remove_file(dev, &uevent_attr);
 attrError:
 	kobject_uevent(&dev->kobj, KOBJ_REMOVE);
+	glue_dir = get_glue_dir(dev);
 	kobject_del(&dev->kobj);
 Error:
-	cleanup_device_parent(dev);
+	cleanup_glue_dir(dev, glue_dir);
 	if (parent)
 		put_device(parent);
 name_error:
@ -1216,6 +1233,7 @@ void put_device(struct device *dev)
 void device_del(struct device *dev)
 {
 	struct device *parent = dev->parent;
+	struct kobject *glue_dir = NULL;
 	struct class_interface *class_intf;

 	/* Notify clients of device removal.  This call must come
@ -1257,8 +1275,9 @@ void device_del(struct device *dev)
 	if (platform_notify_remove)
 		platform_notify_remove(dev);
 	kobject_uevent(&dev->kobj, KOBJ_REMOVE);
-	cleanup_device_parent(dev);
+	glue_dir = get_glue_dir(dev);
 	kobject_del(&dev->kobj);
+	cleanup_glue_dir(dev, glue_dir);
 	put_device(parent);
 }