lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aOfB9bdEzlxPFzhg@kuha.fi.intel.com>
Date: Thu, 9 Oct 2025 17:08:53 +0300
From: Heikki Krogerus <heikki.krogerus@...ux.intel.com>
To: "Chia-Lin Kao (AceLan)" <acelan.kao@...onical.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Dmitry Baryshkov <dmitry.baryshkov@....qualcomm.com>,
	Andrei Kuchynski <akuchynski@...omium.org>,
	Ɓukasz Bartosik <ukaszb@...omium.org>,
	Venkat Jayaraman <venkat.jayaraman@...el.com>,
	linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: typec: ucsi: Fix workqueue destruction race during
 connector cleanup

On Thu, Oct 09, 2025 at 09:58:22AM +0800, Chia-Lin Kao (AceLan) wrote:
> On Wed, Oct 08, 2025 at 01:34:35PM +0300, Heikki Krogerus wrote:
> > On Thu, Oct 02, 2025 at 09:30:26AM +0800, Chia-Lin Kao (AceLan) wrote:
> > > During UCSI initialization and operation, there is a race condition where
> > > delayed work items can be scheduled but attempt to queue work after the
> > > workqueue has been destroyed. This occurs in multiple code paths.
> > > 
> > > The race occurs when:
> > > 1. ucsi_partner_task() or ucsi_poll_worker() schedule delayed work
> > > 2. Connector cleanup paths call destroy_workqueue()
> > > 3. Previously scheduled delayed work timers fire after destruction
> > > 4. This triggers warnings and crashes in __queue_work()
> > 
> > What warnings?
> Here is what I got.
> 
> Sep 24 13:24:22 ubuntu kernel: sysfs: cannot create duplicate filename '/devices/platform/USBC000:00/typec/port0/port0.0/partner'
> Sep 24 13:24:22 ubuntu kernel: CPU: 1 UID: 0 PID: 132 Comm: kworker/u64:1 Tainted: G           O       6.14.0-1012-oem #12-Ubuntu
> Sep 24 13:24:22 ubuntu kernel: Tainted: [O]=OOT_MODULE
> Sep 24 13:24:22 ubuntu kernel: Hardware name: Dell Inc. Dell /, BIOS XXXX XX/XX/2025
> Sep 24 13:24:22 ubuntu kernel: Workqueue: USBC000:00-con1 ucsi_poll_worker [typec_ucsi]
> Sep 24 13:24:22 ubuntu kernel: Call Trace:
> Sep 24 13:24:22 ubuntu kernel:  <TASK>
> Sep 24 13:24:22 ubuntu kernel:  dump_stack_lvl+0x76/0xa0
> Sep 24 13:24:22 ubuntu kernel:  dump_stack+0x10/0x20
> Sep 24 13:24:22 ubuntu kernel:  sysfs_warn_dup+0x8a/0xb0
> Sep 24 13:24:22 ubuntu kernel:  sysfs_do_create_link_sd+0xf1/0x100
> Sep 24 13:24:22 ubuntu kernel:  sysfs_create_link+0x21/0x50
> Sep 24 13:24:22 ubuntu kernel:  typec_probe+0x7e/0x100 [typec]
> Sep 24 13:24:22 ubuntu kernel:  ? driver_sysfs_add+0x66/0xd0
> Sep 24 13:24:22 ubuntu kernel:  really_probe+0xee/0x3c0
> Sep 24 13:24:22 ubuntu kernel:  __driver_probe_device+0x8c/0x180
> Sep 24 13:24:22 ubuntu kernel:  driver_probe_device+0x24/0xd0
> Sep 24 13:24:22 ubuntu kernel:  __device_attach_driver+0xcd/0x170
> Sep 24 13:24:22 ubuntu kernel:  ? _pfx__device_attach_driver+0x10/0x10
> Sep 24 13:24:22 ubuntu kernel:  bus_for_each_drv+0x94/0xf0
> Sep 24 13:24:22 ubuntu kernel:  __device_attach+0xb6/0x1d0
> Sep 24 13:24:22 ubuntu kernel:  device_initial_probe+0x13/0x20
> Sep 24 13:24:22 ubuntu kernel:  bus_probe_device+0x9f/0xb0
> Sep 24 13:24:22 ubuntu kernel:  device_add+0x513/0x710
> Sep 24 13:24:22 ubuntu kernel:  device_register+0x1a/0x30
> Sep 24 13:24:22 ubuntu kernel:  typec_register_altmode+0x253/0x3a0 [typec]
> Sep 24 13:24:22 ubuntu kernel:  typec_partner_register_altmode+0xe/0x20 [typec]
> Sep 24 13:24:22 ubuntu kernel:  ucsi_register_altmode.constprop.0+0x30e/0x390 [typec_ucsi]
> Sep 24 13:24:22 ubuntu kernel:  ucsi_register_altmodes+0x162/0x250 [typec_ucsi]
> Sep 24 13:24:22 ubuntu kernel:  ucsi_check_altmodes+0x19/0xb0 [typec_ucsi]
> Sep 24 13:24:22 ubuntu kernel:  ucsi_poll_worker+0x3d/0xf0 [typec_ucsi]
> Sep 24 13:24:22 ubuntu kernel:  process_one_work+0x178/0x3d0
> Sep 24 13:24:22 ubuntu kernel:  worker_thread+0x2de/0x410
> Sep 24 13:24:22 ubuntu kernel:  ? __pfx_worker_thread+0x10/0x10
> Sep 24 13:24:22 ubuntu kernel:  kthread+0xfb/0x230
> Sep 24 13:24:22 ubuntu kernel:  ? __pfx_kthread+0x10/0x10
> Sep 24 13:24:22 ubuntu kernel:  ret_from_fork+0x44/0x70
> Sep 24 13:24:22 ubuntu kernel:  ? __pfx_kthread+0x10/0x10
> Sep 24 13:24:22 ubuntu kernel:  ret_from_fork_asm+0x1a/0x30
> Sep 24 13:24:22 ubuntu kernel:  </TASK>
> Sep 24 13:24:22 ubuntu kernel: typec-thunderbolt port0-partner.1: failed to create symlinks
> Sep 24 13:24:22 ubuntu kernel: typec-thunderbolt port0-partner.1: probe with driver typec-thunderbolt failed with error -17

That does not look like anything you described in the commit message?

You have there an attempt to register the same alternate mode twice,
but the workqueue seems to be very much alive when that happens.

Based on the above this looks like either a race where the driver
really ends up registering the alternate modes multiple times or, and
more likely, the firmware is reporting the same alternate mode
multiple times.

Or am I missing something?

thanks,

-- 
heikki

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ