cpuidle: preventive check in cpuidle_select against crash

Message ID 20171226072626.GA4153@gaurav.jindal
State New
Series
  • cpuidle: preventive check in cpuidle_select against crash

Commit Message

gaurav jindal Dec. 26, 2017, 7:26 a.m.
When selecting the idle state using cpuidle_select, there is no
check on cpuidle_curr_governor. In cpuidle_switch_governor,
cpuidle_curr_governor can be set to NULL to specify "disabled".

Since cpuidle_select cannot return negative value, it has to return 0
in case of error. Printing logs and returning can help in debugging and
preventing possible kernel crash scenarios.

Signed-off-by: Gaurav Jindal <gauravjindal1104@gmail.com>


---

Comments

Rafael J. Wysocki Dec. 27, 2017, 12:42 a.m. | #1
On Tue, Dec 26, 2017 at 8:26 AM, gaurav jindal
<gauravjindal1104@gmail.com> wrote:
> When selecting the idle state using cpuidle_select, there is no
> check on cpuidle_curr_governor. In cpuidle_switch_governor,
> cpuidle_curr_governor can be set to NULL to specify "disabled".

How exactly?
gaurav jindal Dec. 27, 2017, 1:57 a.m. | #2
On Wed, Dec 27, 2017 at 01:42:58AM +0100, Rafael J. Wysocki wrote:
> On Tue, Dec 26, 2017 at 8:26 AM, gaurav jindal
> <gauravjindal1104@gmail.com> wrote:
> > When selecting the idle state using cpuidle_select, there is no
> > check on cpuidle_curr_governor. In cpuidle_switch_governor,
> > cpuidle_curr_governor can be set to NULL to specify "disabled".
>
> How exactly?

In cpuidle_switch_governor:
 
/**
 * cpuidle_switch_governor - changes the governor
 * @gov: the new target governor
 *
 * NOTE: "gov" can be NULL to specify disabled
 * Must be called with cpuidle_lock acquired.
 */
int cpuidle_switch_governor(struct cpuidle_governor *gov)
{
	struct cpuidle_device *dev;

	if (gov == cpuidle_curr_governor)
		return 0;

	cpuidle_uninstall_idle_handler();

	if (cpuidle_curr_governor) {
		list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
			cpuidle_disable_device(dev);
	}

	cpuidle_curr_governor = gov;

This allows cpuidle_switch_governor to be set to NULL. Although there is no
current code flow leading here, it has the potential for a bug in future, so
it may be better to have prevention.
Rafael J. Wysocki Dec. 27, 2017, 2:30 a.m. | #3
On Wed, Dec 27, 2017 at 2:57 AM, gaurav jindal
<gauravjindal1104@gmail.com> wrote:
> On Wed, Dec 27, 2017 at 01:42:58AM +0100, Rafael J. Wysocki wrote:
>> On Tue, Dec 26, 2017 at 8:26 AM, gaurav jindal
>> <gauravjindal1104@gmail.com> wrote:
>> > When selecting the idle state using cpuidle_select, there is no
>> > check on cpuidle_curr_governor. In cpuidle_switch_governor,
>> > cpuidle_curr_governor can be set to NULL to specify "disabled".
>>
>> How exactly?
>
> In cpuidle_switch_governor:
>
> /**
>  * cpuidle_switch_governor - changes the governor
>  * @gov: the new target governor
>  *
>  * NOTE: "gov" can be NULL to specify disabled
>  * Must be called with cpuidle_lock acquired.
>  */
> int cpuidle_switch_governor(struct cpuidle_governor *gov)
> {
>         struct cpuidle_device *dev;
>
>         if (gov == cpuidle_curr_governor)
>                 return 0;
>
>         cpuidle_uninstall_idle_handler();
>
>         if (cpuidle_curr_governor) {
>                 list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
>                         cpuidle_disable_device(dev);
>         }
>
>         cpuidle_curr_governor = gov;
>
> This allows cpuidle_switch_governor to be set to NULL. Although there is no
> current code flow leading here, it has the potential for a bug in future, so
> it may be better to have prevention.

Or maybe not.

Why don't you make cpuidle_switch_governor() check the argument
against NULL instead?
gaurav jindal Dec. 29, 2017, 6:45 p.m. | #4
On Wed, Dec 27, 2017 at 03:30:02AM +0100, Rafael J. Wysocki wrote:
> On Wed, Dec 27, 2017 at 2:57 AM, gaurav jindal
> <gauravjindal1104@gmail.com> wrote:
> > On Wed, Dec 27, 2017 at 01:42:58AM +0100, Rafael J. Wysocki wrote:
> >> On Tue, Dec 26, 2017 at 8:26 AM, gaurav jindal
> >> <gauravjindal1104@gmail.com> wrote:
> >> > When selecting the idle state using cpuidle_select, there is no
> >> > check on cpuidle_curr_governor. In cpuidle_switch_governor,
> >> > cpuidle_curr_governor can be set to NULL to specify "disabled".
> >>
> >> How exactly?
> >
> > In cpuidle_switch_governor:
> >
> > /**
> >  * cpuidle_switch_governor - changes the governor
> >  * @gov: the new target governor
> >  *
> >  * NOTE: "gov" can be NULL to specify disabled
> >  * Must be called with cpuidle_lock acquired.
> >  */
> > int cpuidle_switch_governor(struct cpuidle_governor *gov)
> > {
> >         struct cpuidle_device *dev;
> >
> >         if (gov == cpuidle_curr_governor)
> >                 return 0;
> >
> >         cpuidle_uninstall_idle_handler();
> >
> >         if (cpuidle_curr_governor) {
> >                 list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
> >                         cpuidle_disable_device(dev);
> >         }
> >
> >         cpuidle_curr_governor = gov;
> >
> > This allows cpuidle_switch_governor to be set to NULL. Although there is no
> > current code flow leading here, it has the potential for a bug in future, so
> > it may be better to have prevention.
>
> Or maybe not.
>
> Why don't you make cpuidle_switch_governor() check the argument
> against NULL instead?

If we check gov (the argument passed to cpuidle_switch_governor()) against
NULL in cpuidle_switch_governor, it can be a problem in a case where it
is called as
cpuidle_switch_governor(NULL);

If cpuidle_curr_governor is not NULL, first the device is disabled.

if (cpuidle_curr_governor) {
	list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
		cpuidle_disable_device(dev);
}

After this, cpuidle_curr_governor is set to gov, which is NULL in this case.

cpuidle_curr_governor = gov;
/* if it is not updated by inserting a check, it will have an outdated value */

Now, if gov is not NULL (which it is in this case), the cpuidle device is enabled

if (gov) {
	list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
		cpuidle_enable_device(dev);
	cpuidle_install_idle_handler();
	printk(KERN_INFO "cpuidle: using governor %s\n", gov->name);
}
If we check for gov against NULL in this function, it will produce
dangling pointers and resource leaks.
Rafael J. Wysocki Jan. 3, 2018, 11:16 a.m. | #5
On Friday, December 29, 2017 7:45:22 PM CET gaurav jindal wrote:
> On Wed, Dec 27, 2017 at 03:30:02AM +0100, Rafael J. Wysocki wrote:
> > On Wed, Dec 27, 2017 at 2:57 AM, gaurav jindal
> > <gauravjindal1104@gmail.com> wrote:
> > > On Wed, Dec 27, 2017 at 01:42:58AM +0100, Rafael J. Wysocki wrote:
> > >> On Tue, Dec 26, 2017 at 8:26 AM, gaurav jindal
> > >> <gauravjindal1104@gmail.com> wrote:
> > >> > When selecting the idle state using cpuidle_select, there is no
> > >> > check on cpuidle_curr_governor. In cpuidle_switch_governor,
> > >> > cpuidle_curr_governor can be set to NULL to specify "disabled".
> > >>
> > >> How exactly?
> > >
> > > In cpuidle_switch_governor:
> > >
> > > /**
> > >  * cpuidle_switch_governor - changes the governor
> > >  * @gov: the new target governor
> > >  *
> > >  * NOTE: "gov" can be NULL to specify disabled
> > >  * Must be called with cpuidle_lock acquired.
> > >  */
> > > int cpuidle_switch_governor(struct cpuidle_governor *gov)
> > > {
> > >         struct cpuidle_device *dev;
> > >
> > >         if (gov == cpuidle_curr_governor)
> > >                 return 0;
> > >
> > >         cpuidle_uninstall_idle_handler();
> > >
> > >         if (cpuidle_curr_governor) {
> > >                 list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
> > >                         cpuidle_disable_device(dev);
> > >         }
> > >
> > >         cpuidle_curr_governor = gov;
> > >
> > > This allows cpuidle_switch_governor to be set to NULL. Although there is no
> > > current code flow leading here, it has the potential for a bug in future, so
> > > it may be better to have prevention.
> >
> > Or maybe not.
> >
> > Why don't you make cpuidle_switch_governor() check the argument
> > against NULL instead?
>
> If we check gov (the argument passed to cpuidle_switch_governor()) against
> NULL in cpuidle_switch_governor, it can be a problem in a case where it
> is called as
> cpuidle_switch_governor(NULL);
>
> If cpuidle_curr_governor is not NULL, first the device is disabled.
>
> if (cpuidle_curr_governor) {
> 	list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
> 		cpuidle_disable_device(dev);
> }
>
> After this, cpuidle_curr_governor is set to gov, which is NULL in this case.
>
> cpuidle_curr_governor = gov;
> /* if it is not updated by inserting a check, it will have an outdated value */
>
> Now, if gov is not NULL (which it is in this case), the cpuidle device is enabled
>
> if (gov) {
> 	list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
> 		cpuidle_enable_device(dev);
> 	cpuidle_install_idle_handler();
> 	printk(KERN_INFO "cpuidle: using governor %s\n", gov->name);
> }
> If we check for gov against NULL in this function, it will produce
> dangling pointers and resource leaks.

I didn't recommend you to introduce bugs.

Just return -EINVAL if gov is NULL before checking if gov is equal to
cpuidle_curr_governor.

Thanks,
Rafael
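The disagreement in the two messages above is about where the NULL check sits relative to the teardown and bring-up steps. The following mock, added here as an illustration and not code from the kernel or from either participant, models the state cpuidle_switch_governor() manipulates (current governor, per-device enable flags, idle handler) with constructed stand-ins (cur_gov, set_all(), a fake "menu" governor) and compares the two orderings: a check placed after the disable pass, which is the hazard reply #4 describes, and the early `return -EINVAL` reply #5 asks for.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed mock of the cpuidle state discussed in the thread: cur_gov
 * stands in for cpuidle_curr_governor, set_all() for the list_for_each_entry
 * loops over cpuidle_detected_devices. None of this is the kernel's code. */
struct gov { const char *name; };
struct dev { bool enabled; };

#define NDEV 2
static struct dev devices[NDEV];
static struct gov *cur_gov;           /* cpuidle_curr_governor */
static bool idle_handler_installed;   /* cpuidle_{un,}install_idle_handler() */
static struct gov menu = { "menu" };  /* constructed governor */

static void set_all(bool on)          /* enable/disable every device */
{
	for (int i = 0; i < NDEV; i++)
		devices[i].enabled = on;
}

static void reset_state(void)         /* "menu active, everything enabled" */
{
	cur_gov = &menu;
	set_all(true);
	idle_handler_installed = true;
}

/* Variant A, the ordering reply #4 warns about: NULL is rejected only after
 * the handler is uninstalled and devices disabled, so the teardown sticks. */
static int switch_governor_late_check(struct gov *gov)
{
	if (gov == cur_gov)
		return 0;
	idle_handler_installed = false;
	if (cur_gov)
		set_all(false);
	if (!gov)
		return -EINVAL;       /* too late: state already torn down */
	cur_gov = gov;
	set_all(true);
	idle_handler_installed = true;
	return 0;
}

/* Variant B, what reply #5 asks for: reject NULL before touching anything,
 * so a bad argument leaves the system exactly as it was. */
static int switch_governor_early_check(struct gov *gov)
{
	if (!gov)
		return -EINVAL;
	if (gov == cur_gov)
		return 0;
	idle_handler_installed = false;
	if (cur_gov)
		set_all(false);
	cur_gov = gov;
	set_all(true);
	idle_handler_installed = true;
	return 0;
}

/* True when a governor is set, the handler is installed and all devices
 * are enabled, i.e. the state a caller expects after a rejected switch. */
static bool state_consistent(void)
{
	if (!cur_gov || !idle_handler_installed)
		return false;
	for (int i = 0; i < NDEV; i++)
		if (!devices[i].enabled)
			return false;
	return true;
}

/* Call one variant with NULL from a clean state; report rc and integrity. */
static int null_rc(int (*fn)(struct gov *))
{
	reset_state();
	return fn(NULL);
}

static bool null_keeps_state(int (*fn)(struct gov *))
{
	reset_state();
	fn(NULL);
	return state_consistent();
}

int main(void)
{
	printf("late check : rc=%d state intact=%d\n",
	       null_rc(switch_governor_late_check),
	       null_keeps_state(switch_governor_late_check));
	printf("early check: rc=%d state intact=%d\n",
	       null_rc(switch_governor_early_check),
	       null_keeps_state(switch_governor_early_check));
	return 0;
}
```

Both variants return -EINVAL for a NULL argument; only the early check leaves the devices enabled and the idle handler installed, which is the property the final governor.c hunk in this thread relies on.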
gaurav jindal Jan. 4, 2018, 6:09 p.m. | #6
On Wed, Jan 03, 2018 at 12:16:26PM +0100, Rafael J. Wysocki wrote:
> On Friday, December 29, 2017 7:45:22 PM CET gaurav jindal wrote:
> > On Wed, Dec 27, 2017 at 03:30:02AM +0100, Rafael J. Wysocki wrote:
> > > On Wed, Dec 27, 2017 at 2:57 AM, gaurav jindal
> > > <gauravjindal1104@gmail.com> wrote:
> > > > On Wed, Dec 27, 2017 at 01:42:58AM +0100, Rafael J. Wysocki wrote:
> > > >> On Tue, Dec 26, 2017 at 8:26 AM, gaurav jindal
> > > >> <gauravjindal1104@gmail.com> wrote:
> > > >> > When selecting the idle state using cpuidle_select, there is no
> > > >> > check on cpuidle_curr_governor. In cpuidle_switch_governor,
> > > >> > cpuidle_curr_governor can be set to NULL to specify "disabled".
> > > >>
> > > >> How exactly?
> > > >
> > > > In cpuidle_switch_governor:
> > > >
> > > > /**
> > > >  * cpuidle_switch_governor - changes the governor
> > > >  * @gov: the new target governor
> > > >  *
> > > >  * NOTE: "gov" can be NULL to specify disabled
> > > >  * Must be called with cpuidle_lock acquired.
> > > >  */
> > > > int cpuidle_switch_governor(struct cpuidle_governor *gov)
> > > > {
> > > >         struct cpuidle_device *dev;
> > > >
> > > >         if (gov == cpuidle_curr_governor)
> > > >                 return 0;
> > > >
> > > >         cpuidle_uninstall_idle_handler();
> > > >
> > > >         if (cpuidle_curr_governor) {
> > > >                 list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
> > > >                         cpuidle_disable_device(dev);
> > > >         }
> > > >
> > > >         cpuidle_curr_governor = gov;
> > > >
> > > > This allows cpuidle_switch_governor to be set to NULL. Although there is no
> > > > current code flow leading here, it has the potential for a bug in future, so
> > > > it may be better to have prevention.
> > >
> > > Or maybe not.
> > >
> > > Why don't you make cpuidle_switch_governor() check the argument
> > > against NULL instead?
> >
> > If we check gov (the argument passed to cpuidle_switch_governor()) against
> > NULL in cpuidle_switch_governor, it can be a problem in a case where it
> > is called as
> > cpuidle_switch_governor(NULL);
> >
> > If cpuidle_curr_governor is not NULL, first the device is disabled.
> >
> > if (cpuidle_curr_governor) {
> > 	list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
> > 		cpuidle_disable_device(dev);
> > }
> >
> > After this, cpuidle_curr_governor is set to gov, which is NULL in this case.
> >
> > cpuidle_curr_governor = gov;
> > /* if it is not updated by inserting a check, it will have an outdated value */
> >
> > Now, if gov is not NULL (which it is in this case), the cpuidle device is enabled
> >
> > if (gov) {
> > 	list_for_each_entry(dev, &cpuidle_detected_devices, device_list)
> > 		cpuidle_enable_device(dev);
> > 	cpuidle_install_idle_handler();
> > 	printk(KERN_INFO "cpuidle: using governor %s\n", gov->name);
> > }
> > If we check for gov against NULL in this function, it will produce
> > dangling pointers and resource leaks.
>
> I didn't recommend you to introduce bugs.
>
I did not intend to do so. I am really sorry it got expressed in that way :(.
> Just return -EINVAL if gov is NULL before checking if gov is equal to
> cpuidle_curr_governor.
>

Okay
> Thanks,
> Rafael
>

This patch checks if the new governor is NULL before updating
cpuidle_curr_governor.

Signed-off-by: gaurav jindal <gauravjindal1104@gmail.com>


---

diff --git a/drivers/cpuidle/governor.c b/drivers/cpuidle/governor.c
index 4e78263..5d359af 100644
--- a/drivers/cpuidle/governor.c
+++ b/drivers/cpuidle/governor.c
@@ -36,14 +36,15 @@ static struct cpuidle_governor * __cpuidle_find_governor(const char *str)
 /**
  * cpuidle_switch_governor - changes the governor
  * @gov: the new target governor
- *
- * NOTE: "gov" can be NULL to specify disabled
  * Must be called with cpuidle_lock acquired.
  */
 int cpuidle_switch_governor(struct cpuidle_governor *gov)
 {
 	struct cpuidle_device *dev;
 
+	if (!gov)
+		return -EINVAL;
+
 	if (gov == cpuidle_curr_governor)
 		return 0;
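Review bot: with `if (!gov) return -EINVAL;` placed ahead of the `gov == cpuidle_curr_governor` comparison, the function no longer accepts NULL as "disable", so every caller of cpuidle_switch_governor() should be checked for passing NULL or for ignoring the return value, and the `if (gov)` enable branch quoted earlier in the thread is now always taken and its condition can go in a follow-up. The kernel-doc comment drops the NOTE about NULL but says nothing about the return value; a `Return: 0 on success, -EINVAL if @gov is NULL` line would document the new contract. Also, the patch is sent inline in a reply without a subject line or changelog; a proper v2 posting would make it easier to apply.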

Patch

diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c
index 68a1682..bf08e3a 100644
--- a/drivers/cpuidle/cpuidle.c
+++ b/drivers/cpuidle/cpuidle.c
@@ -268,6 +268,19 @@  int cpuidle_enter_state(struct cpuidle_device *dev, struct cpuidle_driver *drv,
  */
 int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev)
 {
+
+	/* Since negative return is not allowed
+	 * we have to return 0 even if the
+	 * framework cannot select the idle state
+	 */
+	if (!cpuidle_curr_governor) {
+		pr_err("idle governor is disabled\n");
+		return 0;
+	}
+	if (!cpuidle_curr_governor->select) {
+		pr_err("idle governor select is NULL\n");
+		return 0;
+	}
 	return cpuidle_curr_governor->select(drv, dev);
 }
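Review bot: pr_err() in both new branches has no rate limiting, and since cpuidle_select() runs each time an idle state is selected, a persistently NULL governor or select hook would repeat the message on every call; pr_err_once() or WARN_ON_ONCE() keeps the diagnostic without flooding the log. Returning 0 also silently selects state 0 and hides the misconfiguration from the caller, which is why the thread moved the check to cpuidle_switch_governor() (rejecting NULL with -EINVAL at the source); once that version lands this hunk is redundant. Style: the empty `+` line after the opening brace should go, and the block comment should start with `/*` on its own line as the kernel's coding style asks.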