[PATCH] driver core: fix shutdown races with probe/remove(v2)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Firstly, .shutdown callback may touch a uninitialized hardware
if dev->driver is set and .probe is not completed.

Secondly, device_shutdown() may dereference a null pointer to cause
oops when dev->driver is cleared after it is checked in
device_shutdown().

So just try to hold device lock and its parent lock(if it has) to
fix the races.

Cc: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxxxxx>
---
v2:
	- take Alan's suggestion to use device_trylock to avoid
	hanging during shutdown by buggy device or driver
	- hold parent reference counter

 drivers/base/core.c |   32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/drivers/base/core.c b/drivers/base/core.c
index 346be8b..f2fc989 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -1796,6 +1796,16 @@ out:
 }
 EXPORT_SYMBOL_GPL(device_move);
 
+static int __try_lock(struct device *dev)
+{
+	int i = 0;
+
+	while (!device_trylock(dev) && i++ < 100)
+		msleep(10);
+
+	return i < 100;
+}
+
 /**
  * device_shutdown - call ->shutdown() on each device to shutdown.
  */
@@ -1810,8 +1820,11 @@ void device_shutdown(void)
 	 * devices offline, even as the system is shutting down.
 	 */
 	while (!list_empty(&devices_kset->list)) {
+		int nonlocked;
+
 		dev = list_entry(devices_kset->list.prev, struct device,
 				kobj.entry);
+		get_device(dev->parent);
 		get_device(dev);
 		/*
 		 * Make sure the device is off the kset list, in the
@@ -1820,6 +1833,18 @@ void device_shutdown(void)
 		list_del_init(&dev->kobj.entry);
 		spin_unlock(&devices_kset->list_lock);
 
+		/* hold lock to avoid race with .probe/.release */
+		if (dev->parent && !__try_lock(dev->parent))
+			nonlocked = 2;
+		else if (!__try_lock(dev))
+			nonlocked = 1;
+		else
+			nonlocked = 0;
+
+		if (nonlocked)
+			dev_err(dev, "can't hold %slock for shutdown\n",
+					nonlocked == 1 ? "" : "parent ");
+
 		/* Don't allow any more runtime suspends */
 		pm_runtime_get_noresume(dev);
 		pm_runtime_barrier(dev);
@@ -1831,7 +1856,14 @@ void device_shutdown(void)
 			dev_dbg(dev, "shutdown\n");
 			dev->driver->shutdown(dev);
 		}
+
+		if (!nonlocked)
+			device_unlock(dev);
+		if (dev->parent && nonlocked != 2)
+			device_unlock(dev->parent);
+
 		put_device(dev);
+		put_device(dev->parent);
 
 		spin_lock(&devices_kset->list_lock);
 	}
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux