From patchwork Sun Mar  1 22:39:37 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jiri Slaby <jslaby@suse.cz>
X-Patchwork-Id: 45276
Return-Path: <patchwork-forward+bncBDPILVOKSELBBMVKZ2TQKGQEJQEFXYQ@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-wg0-f70.google.com (mail-wg0-f70.google.com [74.125.82.70])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 94A42214A2
 for <linaro@patches.linaro.org>; Sun,  1 Mar 2015 22:39:47 +0000 (UTC)
Received: by wghl18 with SMTP id l18sf20816279wgh.3
 for <linaro@patches.linaro.org>; Sun, 01 Mar 2015 14:39:46 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject
 :date:message-id:sender:precedence:list-id:x-original-sender
 :x-original-authentication-results:mailing-list:list-post:list-help
 :list-archive:list-unsubscribe;
 bh=ezGmYFLNzktSHvQevg5hzP2JLJ8LUdeCV5onk85ue04=;
 b=X1ExAIkNlIFHErPXjQGhc7V/jQqeS065UuYKs+rUSz5rCO4U3zxO5Avo+GgP0LJMhA
 m6nyOWYGMIPoKpdDSfpYZ0M3efDOIA3nI7GEDaSa7BoPHMo0Ov7jEhOcpiYTAXI/iAD6
 fJgDXnM4MKHuiCzJRvVDqG93l5Khv0l2YhwWA6k8xNQ6UpvIK11qF4ZjqPvQKAQKbzOc
 wEPAW2C+rLKrk9O+ag1QnB2N0T3QoFlgnybrbCqM7k/ohmPJ1CV63J//qnmkn9kAzAYd
 DVVQ9koHVyAshdocaZZAZZdz/8GiN/gRBNLeZEyR214EK4BDK2x9wRJOf0AFooYPf7Y4
 rFxw==
X-Gm-Message-State: ALoCoQm8F8LvSB+z1qyXZq61703qnyC2POnRYq1nCABFdb5SXzAw3BrKntWC1FwYP2gQvtskYY3b
X-Received: by 10.112.199.69 with SMTP id ji5mr3338211lbc.0.1425249586729;
 Sun, 01 Mar 2015 14:39:46 -0800 (PST)
MIME-Version: 1.0
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.152.26.165 with SMTP id m5ls381025lag.31.gmail; Sun, 01 Mar
 2015 14:39:46 -0800 (PST)
X-Received: by 10.152.9.230 with SMTP id d6mr21419749lab.16.1425249586519;
 Sun, 01 Mar 2015 14:39:46 -0800 (PST)
Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com.
 [209.85.217.182])
 by mx.google.com with ESMTPS id o3si7606741lbh.93.2015.03.01.14.39.45
 for <patchwork-forward@linaro.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Sun, 01 Mar 2015 14:39:45 -0800 (PST)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.217.182 as permitted sender) client-ip=209.85.217.182; 
Received: by lbdu14 with SMTP id u14so5518201lbd.0
 for <patchwork-forward@linaro.org>;
 Sun, 01 Mar 2015 14:39:45 -0800 (PST)
X-Received: by 10.112.211.200 with SMTP id ne8mr21431343lbc.73.1425249585680; 
 Sun, 01 Mar 2015 14:39:45 -0800 (PST)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.112.35.133 with SMTP id h5csp5184601lbj;
 Sun, 1 Mar 2015 14:39:44 -0800 (PST)
X-Received: by 10.70.4.226 with SMTP id n2mr42097316pdn.11.1425249583551;
 Sun, 01 Mar 2015 14:39:43 -0800 (PST)
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 cb7si13987546pdb.213.2015.03.01.14.39.42; 
 Sun, 01 Mar 2015 14:39:43 -0800 (PST)
Received-SPF: none (google.com: stable-owner@vger.kernel.org does not
 designate permitted sender hosts) client-ip=209.132.180.67; 
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1751781AbbCAWjl (ORCPT <rfc822;patch@linaro.org> + 1 other);
 Sun, 1 Mar 2015 17:39:41 -0500
Received: from ip4-83-240-67-251.cust.nbox.cz ([83.240.67.251]:60665 "EHLO
 ip4-83-240-18-248.cust.nbox.cz" rhost-flags-OK-OK-OK-FAIL)
 by vger.kernel.org with ESMTP id S1751366AbbCAWjl (ORCPT
 <rfc822;stable@vger.kernel.org>); Sun, 1 Mar 2015 17:39:41 -0500
Received: from ku by ip4-83-240-18-248.cust.nbox.cz with local (Exim 4.85)
 (envelope-from <jslaby@suse.cz>)
 id 1YSCWP-0003Oy-7C; Sun, 01 Mar 2015 23:39:37 +0100
From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: jslaby@suse.cz, Viresh Kumar <viresh.kumar@linaro.org>,
 "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Subject: [patch NOT added to the 3.12 stable tree] cpufreq: Set
 cpufreq_cpu_data to NULL before putting kobject
Date: Sun,  1 Mar 2015 23:39:37 +0100
Message-Id: <1425249577-13041-1-git-send-email-jslaby@suse.cz>
X-Mailer: git-send-email 2.3.0
Sender: stable-owner@vger.kernel.org
Precedence: list
List-ID: <patchwork-forward.linaro.org>
X-Mailing-List: stable@vger.kernel.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: patch@linaro.org
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.217.182 as permitted sender)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>

From: Viresh Kumar <viresh.kumar@linaro.org>

This patch does NOT apply to the 3.12 stable tree. If you still want
it applied, please provide a backport.

===============

commit 6ffae8c06fab058d6c3f8ecb7f921327721034e7 upstream.

In __cpufreq_remove_dev_finish(), per-cpu 'cpufreq_cpu_data' needs
to be cleared before calling kobject_put(&policy->kobj) and under
cpufreq_driver_lock. Otherwise, if someone else calls cpufreq_cpu_get()
in parallel with it, they can obtain a non-NULL policy from that after
kobject_put(&policy->kobj) was executed.

Consider this case:

Thread A				Thread B
cpufreq_cpu_get()
  acquire cpufreq_driver_lock
  read-per-cpu cpufreq_cpu_data
					kobject_put(&policy->kobj);
  kobject_get(&policy->kobj);
					...
					per_cpu(&cpufreq_cpu_data, cpu) = NULL

And this will result in a warning like this one:

 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 4 at include/linux/kref.h:47
 kobject_get+0x41/0x50()
 Modules linked in: acpi_cpufreq(+) nfsd auth_rpcgss nfs_acl
 lockd grace sunrpc xfs libcrc32c sd_mod ixgbe igb mdio ahci hwmon
 ...
 Call Trace:
  [<ffffffff81661b14>] dump_stack+0x46/0x58
  [<ffffffff81072b61>] warn_slowpath_common+0x81/0xa0
  [<ffffffff81072c7a>] warn_slowpath_null+0x1a/0x20
  [<ffffffff812e16d1>] kobject_get+0x41/0x50
  [<ffffffff815262a5>] cpufreq_cpu_get+0x75/0xc0
  [<ffffffff81527c3e>] cpufreq_update_policy+0x2e/0x1f0
  [<ffffffff810b8cb2>] ? up+0x32/0x50
  [<ffffffff81381aa9>] ? acpi_ns_get_node+0xcb/0xf2
  [<ffffffff81381efd>] ? acpi_evaluate_object+0x22c/0x252
  [<ffffffff813824f6>] ? acpi_get_handle+0x95/0xc0
  [<ffffffff81360967>] ? acpi_has_method+0x25/0x40
  [<ffffffff81391e08>] acpi_processor_ppc_has_changed+0x77/0x82
  [<ffffffff81089566>] ? move_linked_works+0x66/0x90
  [<ffffffff8138e8ed>] acpi_processor_notify+0x58/0xe7
  [<ffffffff8137410c>] acpi_ev_notify_dispatch+0x44/0x5c
  [<ffffffff8135f293>] acpi_os_execute_deferred+0x15/0x22
  [<ffffffff8108c910>] process_one_work+0x160/0x410
  [<ffffffff8108d05b>] worker_thread+0x11b/0x520
  [<ffffffff8108cf40>] ? rescuer_thread+0x380/0x380
  [<ffffffff81092421>] kthread+0xe1/0x100
  [<ffffffff81092340>] ? kthread_create_on_node+0x1b0/0x1b0
  [<ffffffff81669ebc>] ret_from_fork+0x7c/0xb0
  [<ffffffff81092340>] ? kthread_create_on_node+0x1b0/0x1b0
 ---[ end trace 89e66eb9795efdf7 ]---

The actual code flow is as follows:

 Thread A: Workqueue: kacpi_notify

 acpi_processor_notify()
   acpi_processor_ppc_has_changed()
         cpufreq_update_policy()
           cpufreq_cpu_get()
             kobject_get()

 Thread B: xenbus_thread()

 xenbus_thread()
   msg->u.watch.handle->callback()
     handle_vcpu_hotplug_event()
       vcpu_hotplug()
         cpu_down()
           __cpu_notify(CPU_POST_DEAD..)
             cpufreq_cpu_callback()
               __cpufreq_remove_dev_finish()
                 cpufreq_policy_put_kobj()
                   kobject_put()

cpufreq_cpu_get() gets the policy from per-cpu variable cpufreq_cpu_data
under cpufreq_driver_lock, and once it gets a valid policy it expects it
to not be freed until cpufreq_cpu_put() is called.

But the race happens when another thread puts the kobject first and updates
cpufreq_cpu_data before or later. And so the first thread gets a valid policy
structure and before it does kobject_get() on it, the second one has already
done kobject_put().

Fix this by setting cpufreq_cpu_data to NULL before putting the kobject and that
too under locks.

Reported-by: Ethan Zhao <ethan.zhao@oracle.com>
Reported-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Cc: 3.12+ <stable@vger.kernel.org> # 3.12+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
 drivers/cpufreq/cpufreq.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index ca69f42b8e1e..2b181f75da15 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -1392,9 +1392,10 @@ static int __cpufreq_remove_dev_finish(struct device *dev,
 	unsigned long flags;
 	struct cpufreq_policy *policy;
 
-	read_lock_irqsave(&cpufreq_driver_lock, flags);
+	write_lock_irqsave(&cpufreq_driver_lock, flags);
 	policy = per_cpu(cpufreq_cpu_data, cpu);
-	read_unlock_irqrestore(&cpufreq_driver_lock, flags);
+	per_cpu(cpufreq_cpu_data, cpu) = NULL;
+	write_unlock_irqrestore(&cpufreq_driver_lock, flags);
 
 	if (!policy) {
 		pr_debug("%s: No cpu_data found\n", __func__);
@@ -1449,7 +1450,6 @@ static int __cpufreq_remove_dev_finish(struct device *dev,
 		}
 	}
 
-	per_cpu(cpufreq_cpu_data, cpu) = NULL;
 	return 0;
 }