On Tue, Jun 16, 2020 at 07:05:44PM +0200, Rafael J. Wysocki wrote:
> On Tue, Jun 16, 2020 at 5:50 PM Greg Kroah-Hartman
> <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > From: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
> >
> > [ Upstream commit 4ef12f7198023c09ad6d25b652bd8748c965c7fa ]
> >
> > In the function kobject_cleanup(), kobject_del(kobj) is
> > called before the kobj->release(). That makes it possible to
> > release the parent of the kobject before the kobject itself.
> >
> > To fix that, adding function __kobject_del() that does
> > everything that kobject_del() does except release the parent
> > reference. kobject_cleanup() then calls __kobject_del()
> > instead of kobject_del(), and separately decrements the
> > reference count of the parent kobject after kobj->release()
> > has been called.
> >
> > Reported-by: Naresh Kamboju <naresh.kamboju@xxxxxxxxxx>
> > Reported-by: kernel test robot <rong.a.chen@xxxxxxxxx>
> > Fixes: 7589238a8cf3 ("Revert "software node: Simplify software_node_release() function"")
> > Suggested-by: "Rafael J. Wysocki" <rafael@xxxxxxxxxx>
> > Signed-off-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
> > Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx>
> > Reviewed-by: Brendan Higgins <brendanhiggins@xxxxxxxxxx>
> > Tested-by: Brendan Higgins <brendanhiggins@xxxxxxxxxx>
> > Acked-by: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>
> > Link: https://lore.kernel.org/r/20200513151840.36400-1-heikki.krogerus@xxxxxxxxxxxxxxx
> > Cc: stable <stable@xxxxxxxxxxxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> > ---
> > lib/kobject.c | 30 ++++++++++++++++++++----------
> > 1 file changed, 20 insertions(+), 10 deletions(-)
> >
> > diff --git a/lib/kobject.c b/lib/kobject.c > > index 83198cb37d8d..2bd631460e18 100644 > > --- a/lib/kobject.c > > +++ b/lib/kobject.c
> > @@ -599,14 +599,7 @@ int kobject_move(struct kobject *kobj, struct kobject *new_parent) > > } > > EXPORT_SYMBOL_GPL(kobject_move); > > > > -/** > > - * kobject_del() - Unlink kobject from hierarchy. > > - * @kobj: object. > > - * > > - * This is the function that should be called to delete an object > > - * successfully added via kobject_add(). > > - */ > > -void kobject_del(struct kobject *kobj) > > +static void __kobject_del(struct kobject *kobj) > > { > > struct kernfs_node *sd; > > const struct kobj_type *ktype; > > @@ -625,9 +618,23 @@ void kobject_del(struct kobject *kobj) > > > > kobj->state_in_sysfs = 0; > > kobj_kset_leave(kobj); > > - kobject_put(kobj->parent); > > kobj->parent = NULL; > > } > > + > > +/** > > + * kobject_del() - Unlink kobject from hierarchy. > > + * @kobj: object. > > + * > > + * This is the function that should be called to delete an object > > + * successfully added via kobject_add(). > > + */ > > +void kobject_del(struct kobject *kobj) > > +{ > > + struct kobject *parent = kobj->parent; > > + > > + __kobject_del(kobj); > > + kobject_put(parent); > > +} > > EXPORT_SYMBOL(kobject_del); > > > > /** > > @@ -663,6 +670,7 @@ EXPORT_SYMBOL(kobject_get_unless_zero); > > */ > > static void kobject_cleanup(struct kobject *kobj) > > { > > + struct kobject *parent = kobj->parent; > > struct kobj_type *t = get_ktype(kobj); > > const char *name = kobj->name; > > > > @@ -684,7 +692,7 @@ static void kobject_cleanup(struct kobject *kobj) > > if (kobj->state_in_sysfs) { > > pr_debug("kobject: '%s' (%p): auto cleanup kobject_del\n", > > kobject_name(kobj), kobj); > > - kobject_del(kobj); > > + __kobject_del(kobj); > > } > > > > if (t && t->release) { 
> > @@ -698,6 +706,8 @@ static void kobject_cleanup(struct kobject *kobj) > > pr_debug("kobject: '%s': free name\n", name); > > kfree_const(name); > > } > > + > > + kobject_put(parent);
>
> This is known incorrect, because that should only be done if the
> __kobject_del() above has run.
>
> Also this commit has been reverted from the mainline.

Argh, I should have caught this, my fault, sorry, I'll go drop it.

> I have posted a fixed replacement for it with no response whatever so far:
>
> https://lore.kernel.org/lkml/1908555.IiAGLGrh1Z@kreacher/

It's been the merge window, I couldn't do anything until Monday :)
It's in my queue, give me a chance to catch up...

thanks,

greg k-h
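
Review bot: in kobject_cleanup(), the kobject_put(parent) added at the end of the @@ -698 hunk runs unconditionally, but before this patch the only parent put on this path came from kobject_del(), which was called inside if (kobj->state_in_sysfs). Because parent is captured from kobj->parent at the top of the function (@@ -663 hunk), a kobject that reaches cleanup with state_in_sysfs clear and a non-NULL parent pointer now gets a put the old code never issued, which can drop the parent's refcount too far and free it while it is still referenced. Initialise parent to NULL and assign it from kobj->parent only inside the state_in_sysfs branch, just before __kobject_del(kobj), so the put is paired with the deletion.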
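
Review bot: the new kobject_del() in the @@ -625 hunk dereferences kobj in its declaration (struct kobject *parent = kobj->parent;) before __kobject_del() has a chance to inspect the pointer, and the lines shown have no NULL check ahead of that read. If the body that became __kobject_del() guards against a NULL kobj (that part falls outside the visible context), kobject_del(NULL) changes from a no-op into a NULL dereference. Add an early return for !kobj before reading kobj->parent.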
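
Review bot: __kobject_del() in the @@ -599 hunk loses the kernel-doc that moved to kobject_del() and gets no comment of its own, even though it now has a contract every caller must honour: it sets kobj->parent to NULL without dropping the parent reference, so the caller has to save the pointer beforehand and kobject_put() it afterwards. A short comment above the static function stating that would make the pairing in kobject_del() and kobject_cleanup() easy to check during review.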