Date:   Fri, 31 Aug 2018 17:52:39 +0900
From:   Chanwoo Choi <cw00.choi@...sung.com>
To:     vincent.donnefort@....com, myungjoo.ham@...sung.com,
        kyungmin.park@...sung.com, linux-pm@...r.kernel.org,
        linux-kernel@...r.kernel.org
Cc:     john.reitan@....com, beata.michalska@....com
Subject: Re: [PATCH] PM / devfreq: stopping the governor before
 device_unregister()

Hi,

On August 30, 2018 19:02, vincent.donnefort@....com wrote:
> From: Vincent Donnefort <vincent.donnefort@....com>
> 
> device_release() is freeing the resources before calling the device
> specific release callback which is, in the case of devfreq, stopping
> the governor.
> 
> It is a problem as some governors are using the device resources. e.g.
> simpleondemand which is using the devfreq deferrable monitoring work. If it
> is not stopped before the resources are freed, it might lead to a use after
> free.
> 
> Signed-off-by: Vincent Donnefort <vincent.donnefort@....com>
> Reviewed-by: John Einar Reitan <john.reitan@....com>
> 
> diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
> index 4c49bb1..4e43830 100644
> --- a/drivers/devfreq/devfreq.c
> +++ b/drivers/devfreq/devfreq.c
> @@ -534,10 +534,6 @@ static void devfreq_dev_release(struct device *dev)
>  	list_del(&devfreq->node);
>  	mutex_unlock(&devfreq_list_lock);
>  
> -	if (devfreq->governor)
> -		devfreq->governor->event_handler(devfreq,
> -						 DEVFREQ_GOV_STOP, NULL);
> -
>  	if (devfreq->profile->exit)
>  		devfreq->profile->exit(devfreq->dev.parent);
>  
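Review bot: with the DEVFREQ_GOV_STOP call removed from devfreq_dev_release(), the release callback now depends on every caller having stopped the governor before the last reference is dropped, and nothing in the function states that. Suggest a short comment above the `devfreq->profile->exit` check saying the governor must already have been stopped by devfreq_remove_device(), so that a later direct device_unregister() or put_device() on a devfreq device is recognisable as a bug.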
> @@ -672,7 +668,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
>  	list_del(&devfreq->node);
>  	mutex_unlock(&devfreq_list_lock);
>  
> -	device_unregister(&devfreq->dev);
> +	devfreq_remove_device(devfreq);
>  	devfreq = NULL;
>  err_dev:
>  	if (devfreq)
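Review bot: in this devfreq_add_device() cleanup path, devfreq_remove_device() now sends DEVFREQ_GOV_STOP whenever devfreq->governor is set, but the hunk does not show that the governor was successfully started on every path that reaches this code. If the cleanup can be reached after a failed governor lookup or a failed start, the governor receives a stop without a matching start; please confirm that case is safe, or keep the plain `device_unregister(&devfreq->dev);` for it.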
> @@ -693,6 +689,9 @@ int devfreq_remove_device(struct devfreq *devfreq)
>  	if (!devfreq)
>  		return -EINVAL;
>  
> +	if (devfreq->governor)
> +		devfreq->governor->event_handler(devfreq,
> +						 DEVFREQ_GOV_STOP, NULL);
>  	device_unregister(&devfreq->dev);
>  
>  	return 0;
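Review bot: the DEVFREQ_GOV_STOP call added to devfreq_remove_device() discards the event_handler() return value, so device_unregister() runs even when the governor reports that it could not stop. Suggest at least logging a failed stop, and adding a one-line comment that the stop has to precede device_unregister() because the governor's monitoring work uses the device resources. A blank line between the new `if` block and `device_unregister(&devfreq->dev);` would also match the surrounding style.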
> 

As the description of this patch says, if devfreq_wq is executed and then
executes 'devfreq->governor->get_target_freq' between step 1 and step 2,
after the 'dev'-related resource has already been freed, a problem might happen
because the registered get_target_freq callback requires the 'dev' resource.

device_unregister(dev)
	step 1. device_del(dev)
		<- if devfreq_wq is executed
	step 2. put_device(dev)
		device_release()
			devfreq_dev_release()
				stop the governor for specific devfreq instance

It looks good to me. Stop the governor before calling device_unregister().
Reviewed-by: Chanwoo Choi <cw00.choi@...sung.com>				

-- 
Best Regards,
Chanwoo Choi
Samsung Electronics
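
The ordering problem discussed in this thread, as an added userspace model that is not part of the original message or of the kernel sources. Every name in it (model_devfreq, monitor_work, run_workqueue, governor_stop, model_unregister, teardown_stale_reads) is hypothetical, and a counter stands in for the use after free so the two orderings can be compared safely.

```c
#include <stdbool.h>

/* Simplified userspace model; all names are hypothetical, not kernel APIs. */
struct model_devfreq {
    bool resources_live;  /* stands in for the resources freed on release */
    bool work_queued;     /* governor's deferrable monitoring work is pending */
    int  stale_reads;     /* times the work ran after the resources were freed */
};

/* Monitoring work: touches device resources, then re-arms itself. */
static void monitor_work(struct model_devfreq *df)
{
    if (!df->resources_live)
        df->stale_reads++;      /* the real code would touch freed memory here */
    df->work_queued = true;
}

/* Gives the workqueue one chance to run pending work. */
static void run_workqueue(struct model_devfreq *df)
{
    if (df->work_queued) {
        df->work_queued = false;
        monitor_work(df);
    }
}

/* Stands in for the DEVFREQ_GOV_STOP event: cancels the pending work. */
static void governor_stop(struct model_devfreq *df) { df->work_queued = false; }

/* Release path as the patch description gives it: resources are freed
 * first, then the device-specific release callback runs. */
static void model_unregister(struct model_devfreq *df, bool stop_in_release)
{
    df->resources_live = false;
    run_workqueue(df);          /* window in which devfreq_wq may execute */
    if (stop_in_release)
        governor_stop(df);      /* old ordering: the stop arrives too late */
}

/* Returns the number of stale reads seen for the chosen ordering. */
int teardown_stale_reads(bool stop_before_unregister)
{
    struct model_devfreq df = { .resources_live = true, .work_queued = true };

    if (stop_before_unregister)
        governor_stop(&df);     /* ordering after the patch */
    model_unregister(&df, !stop_before_unregister);
    return df.stale_reads;
}

int main(void) { return teardown_stale_reads(true); }
```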
