mirror of
https://github.com/torvalds/linux.git
synced 2024-12-25 20:32:22 +00:00
6ffae8c06f
In __cpufreq_remove_dev_finish(), per-cpu 'cpufreq_cpu_data' needs to be cleared before calling kobject_put(&policy->kobj) and under cpufreq_driver_lock. Otherwise, if someone else calls cpufreq_cpu_get() in parallel with it, they can obtain a non-NULL policy from that after kobject_put(&policy->kobj) was executed. Consider this case: Thread A Thread B cpufreq_cpu_get() acquire cpufreq_driver_lock read-per-cpu cpufreq_cpu_data kobject_put(&policy->kobj); kobject_get(&policy->kobj); ... per_cpu(&cpufreq_cpu_data, cpu) = NULL And this will result in a warning like this one: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 4 at include/linux/kref.h:47 kobject_get+0x41/0x50() Modules linked in: acpi_cpufreq(+) nfsd auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c sd_mod ixgbe igb mdio ahci hwmon ... Call Trace: [<ffffffff81661b14>] dump_stack+0x46/0x58 [<ffffffff81072b61>] warn_slowpath_common+0x81/0xa0 [<ffffffff81072c7a>] warn_slowpath_null+0x1a/0x20 [<ffffffff812e16d1>] kobject_get+0x41/0x50 [<ffffffff815262a5>] cpufreq_cpu_get+0x75/0xc0 [<ffffffff81527c3e>] cpufreq_update_policy+0x2e/0x1f0 [<ffffffff810b8cb2>] ? up+0x32/0x50 [<ffffffff81381aa9>] ? acpi_ns_get_node+0xcb/0xf2 [<ffffffff81381efd>] ? acpi_evaluate_object+0x22c/0x252 [<ffffffff813824f6>] ? acpi_get_handle+0x95/0xc0 [<ffffffff81360967>] ? acpi_has_method+0x25/0x40 [<ffffffff81391e08>] acpi_processor_ppc_has_changed+0x77/0x82 [<ffffffff81089566>] ? move_linked_works+0x66/0x90 [<ffffffff8138e8ed>] acpi_processor_notify+0x58/0xe7 [<ffffffff8137410c>] acpi_ev_notify_dispatch+0x44/0x5c [<ffffffff8135f293>] acpi_os_execute_deferred+0x15/0x22 [<ffffffff8108c910>] process_one_work+0x160/0x410 [<ffffffff8108d05b>] worker_thread+0x11b/0x520 [<ffffffff8108cf40>] ? rescuer_thread+0x380/0x380 [<ffffffff81092421>] kthread+0xe1/0x100 [<ffffffff81092340>] ? kthread_create_on_node+0x1b0/0x1b0 [<ffffffff81669ebc>] ret_from_fork+0x7c/0xb0 [<ffffffff81092340>] ? kthread_create_on_node+0x1b0/0x1b0 ---[ end trace 89e66eb9795efdf7 ]--- The actual code flow is as follows: Thread A: Workqueue: kacpi_notify acpi_processor_notify() acpi_processor_ppc_has_changed() cpufreq_update_policy() cpufreq_cpu_get() kobject_get() Thread B: xenbus_thread() xenbus_thread() msg->u.watch.handle->callback() handle_vcpu_hotplug_event() vcpu_hotplug() cpu_down() __cpu_notify(CPU_POST_DEAD..) cpufreq_cpu_callback() __cpufreq_remove_dev_finish() cpufreq_policy_put_kobj() kobject_put() cpufreq_cpu_get() gets the policy from per-cpu variable cpufreq_cpu_data under cpufreq_driver_lock, and once it gets a valid policy it expects it to not be freed until cpufreq_cpu_put() is called. But the race happens when another thread puts the kobject first and updates cpufreq_cpu_data before or later. And so the first thread gets a valid policy structure and before it does kobject_get() on it, the second one has already done kobject_put(). Fix this by setting cpufreq_cpu_data to NULL before putting the kobject and that too under locks. Reported-by: Ethan Zhao <ethan.zhao@oracle.com> Reported-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Cc: 3.12+ <stable@vger.kernel.org> # 3.12+ Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> |
||
---|---|---|
.. | ||
acpi-cpufreq.c | ||
amd_freq_sensitivity.c | ||
arm_big_little_dt.c | ||
arm_big_little.c | ||
arm_big_little.h | ||
at32ap-cpufreq.c | ||
blackfin-cpufreq.c | ||
cpufreq_conservative.c | ||
cpufreq_governor.c | ||
cpufreq_governor.h | ||
cpufreq_ondemand.c | ||
cpufreq_opp.c | ||
cpufreq_performance.c | ||
cpufreq_powersave.c | ||
cpufreq_stats.c | ||
cpufreq_userspace.c | ||
cpufreq-dt.c | ||
cpufreq-nforce2.c | ||
cpufreq.c | ||
cris-artpec3-cpufreq.c | ||
cris-etraxfs-cpufreq.c | ||
davinci-cpufreq.c | ||
dbx500-cpufreq.c | ||
e_powersaver.c | ||
elanfreq.c | ||
exynos4x12-cpufreq.c | ||
exynos4210-cpufreq.c | ||
exynos5250-cpufreq.c | ||
exynos5440-cpufreq.c | ||
exynos-cpufreq.c | ||
exynos-cpufreq.h | ||
freq_table.c | ||
gx-suspmod.c | ||
highbank-cpufreq.c | ||
ia64-acpi-cpufreq.c | ||
imx6q-cpufreq.c | ||
integrator-cpufreq.c | ||
intel_pstate.c | ||
Kconfig | ||
Kconfig.arm | ||
Kconfig.powerpc | ||
Kconfig.x86 | ||
kirkwood-cpufreq.c | ||
longhaul.c | ||
longhaul.h | ||
longrun.c | ||
loongson2_cpufreq.c | ||
ls1x-cpufreq.c | ||
Makefile | ||
maple-cpufreq.c | ||
omap-cpufreq.c | ||
p4-clockmod.c | ||
pasemi-cpufreq.c | ||
pcc-cpufreq.c | ||
pmac32-cpufreq.c | ||
pmac64-cpufreq.c | ||
powernow-k6.c | ||
powernow-k7.c | ||
powernow-k7.h | ||
powernow-k8.c | ||
powernow-k8.h | ||
powernv-cpufreq.c | ||
ppc_cbe_cpufreq_pervasive.c | ||
ppc_cbe_cpufreq_pmi.c | ||
ppc_cbe_cpufreq.c | ||
ppc_cbe_cpufreq.h | ||
ppc-corenet-cpufreq.c | ||
pxa2xx-cpufreq.c | ||
pxa3xx-cpufreq.c | ||
s3c24xx-cpufreq-debugfs.c | ||
s3c24xx-cpufreq.c | ||
s3c64xx-cpufreq.c | ||
s3c2410-cpufreq.c | ||
s3c2412-cpufreq.c | ||
s3c2416-cpufreq.c | ||
s3c2440-cpufreq.c | ||
s5pv210-cpufreq.c | ||
sa1100-cpufreq.c | ||
sa1110-cpufreq.c | ||
sc520_freq.c | ||
sh-cpufreq.c | ||
sparc-us2e-cpufreq.c | ||
sparc-us3-cpufreq.c | ||
spear-cpufreq.c | ||
speedstep-centrino.c | ||
speedstep-ich.c | ||
speedstep-lib.c | ||
speedstep-lib.h | ||
speedstep-smi.c | ||
tegra-cpufreq.c | ||
unicore2-cpufreq.c | ||
vexpress-spc-cpufreq.c |