driver core: fix race between creating/querying glue dir and its cleanup
The global mutex 'gdp_mutex' is used to serialize creating/querying the glue dir and its cleanup. It turns out this is not sufficient, because part (kobj_kset_leave()) of the actual cleanup action() is done inside the release handler of the glue dir kobject. That means gdp_mutex has to be held before releasing the last reference count of the glue dir kobject. This patch moves the glue dir's cleanup after kobject_del() in device_del() to avoid the race. Cc: Yijing Wang <wangyijing@huawei.com> Reported-by: Chandra Sekhar Lingutla <clingutla@codeaurora.org> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent
24ef5f360f
commit
cebf8fd169
1 changed files with 29 additions and 10 deletions
|
@ -836,11 +836,29 @@ static struct kobject *get_device_parent(struct device *dev,
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline bool live_in_glue_dir(struct kobject *kobj,
|
||||||
|
struct device *dev)
|
||||||
|
{
|
||||||
|
if (!kobj || !dev->class ||
|
||||||
|
kobj->kset != &dev->class->p->glue_dirs)
|
||||||
|
return false;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline struct kobject *get_glue_dir(struct device *dev)
|
||||||
|
{
|
||||||
|
return dev->kobj.parent;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* make sure cleaning up dir as the last step, we need to make
|
||||||
|
* sure .release handler of kobject is run with holding the
|
||||||
|
* global lock
|
||||||
|
*/
|
||||||
static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
|
static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
|
||||||
{
|
{
|
||||||
/* see if we live in a "glue" directory */
|
/* see if we live in a "glue" directory */
|
||||||
if (!glue_dir || !dev->class ||
|
if (!live_in_glue_dir(glue_dir, dev))
|
||||||
glue_dir->kset != &dev->class->p->glue_dirs)
|
|
||||||
return;
|
return;
|
||||||
|
|
||||||
mutex_lock(&gdp_mutex);
|
mutex_lock(&gdp_mutex);
|
||||||
|
@ -848,11 +866,6 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
|
||||||
mutex_unlock(&gdp_mutex);
|
mutex_unlock(&gdp_mutex);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void cleanup_device_parent(struct device *dev)
|
|
||||||
{
|
|
||||||
cleanup_glue_dir(dev, dev->kobj.parent);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int device_add_class_symlinks(struct device *dev)
|
static int device_add_class_symlinks(struct device *dev)
|
||||||
{
|
{
|
||||||
struct device_node *of_node = dev_of_node(dev);
|
struct device_node *of_node = dev_of_node(dev);
|
||||||
|
@ -1028,6 +1041,7 @@ int device_add(struct device *dev)
|
||||||
struct kobject *kobj;
|
struct kobject *kobj;
|
||||||
struct class_interface *class_intf;
|
struct class_interface *class_intf;
|
||||||
int error = -EINVAL;
|
int error = -EINVAL;
|
||||||
|
struct kobject *glue_dir = NULL;
|
||||||
|
|
||||||
dev = get_device(dev);
|
dev = get_device(dev);
|
||||||
if (!dev)
|
if (!dev)
|
||||||
|
@ -1072,8 +1086,10 @@ int device_add(struct device *dev)
|
||||||
/* first, register with generic layer. */
|
/* first, register with generic layer. */
|
||||||
/* we require the name to be set before, and pass NULL */
|
/* we require the name to be set before, and pass NULL */
|
||||||
error = kobject_add(&dev->kobj, dev->kobj.parent, NULL);
|
error = kobject_add(&dev->kobj, dev->kobj.parent, NULL);
|
||||||
if (error)
|
if (error) {
|
||||||
|
glue_dir = get_glue_dir(dev);
|
||||||
goto Error;
|
goto Error;
|
||||||
|
}
|
||||||
|
|
||||||
/* notify platform of device entry */
|
/* notify platform of device entry */
|
||||||
if (platform_notify)
|
if (platform_notify)
|
||||||
|
@ -1154,9 +1170,10 @@ done:
|
||||||
device_remove_file(dev, &dev_attr_uevent);
|
device_remove_file(dev, &dev_attr_uevent);
|
||||||
attrError:
|
attrError:
|
||||||
kobject_uevent(&dev->kobj, KOBJ_REMOVE);
|
kobject_uevent(&dev->kobj, KOBJ_REMOVE);
|
||||||
|
glue_dir = get_glue_dir(dev);
|
||||||
kobject_del(&dev->kobj);
|
kobject_del(&dev->kobj);
|
||||||
Error:
|
Error:
|
||||||
cleanup_device_parent(dev);
|
cleanup_glue_dir(dev, glue_dir);
|
||||||
put_device(parent);
|
put_device(parent);
|
||||||
name_error:
|
name_error:
|
||||||
kfree(dev->p);
|
kfree(dev->p);
|
||||||
|
@ -1232,6 +1249,7 @@ EXPORT_SYMBOL_GPL(put_device);
|
||||||
void device_del(struct device *dev)
|
void device_del(struct device *dev)
|
||||||
{
|
{
|
||||||
struct device *parent = dev->parent;
|
struct device *parent = dev->parent;
|
||||||
|
struct kobject *glue_dir = NULL;
|
||||||
struct class_interface *class_intf;
|
struct class_interface *class_intf;
|
||||||
|
|
||||||
/* Notify clients of device removal. This call must come
|
/* Notify clients of device removal. This call must come
|
||||||
|
@ -1276,8 +1294,9 @@ void device_del(struct device *dev)
|
||||||
blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
|
blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
|
||||||
BUS_NOTIFY_REMOVED_DEVICE, dev);
|
BUS_NOTIFY_REMOVED_DEVICE, dev);
|
||||||
kobject_uevent(&dev->kobj, KOBJ_REMOVE);
|
kobject_uevent(&dev->kobj, KOBJ_REMOVE);
|
||||||
cleanup_device_parent(dev);
|
glue_dir = get_glue_dir(dev);
|
||||||
kobject_del(&dev->kobj);
|
kobject_del(&dev->kobj);
|
||||||
|
cleanup_glue_dir(dev, glue_dir);
|
||||||
put_device(parent);
|
put_device(parent);
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(device_del);
|
EXPORT_SYMBOL_GPL(device_del);
|
||||||
|
|
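Review bot: In the `if (error)` branch after `kobject_add()` in device_add, `glue_dir = get_glue_dir(dev);` reads `dev->kobj.parent` only after the add has already failed, so it relies on kobject_add() leaving the parent pointer set on its error path, which this page does not show. If the kobject core clears the parent on failure, `glue_dir` is NULL, `cleanup_glue_dir()` returns at the `live_in_glue_dir()` check, and the reference held on the glue directory is never dropped. Taking the pointer before the call, or reusing the parent kobject device_add already looked up (presumably the local `kobj`, whose assignment is outside the hunk), e.g. `glue_dir = kobj;`, would avoid that dependency. The same ordering matters at `attrError:` and in device_del, where `get_glue_dir()` has to come before `kobject_del()`. A short comment on `get_glue_dir()` such as `/* call before kobject_del(); the parent link is presumably dropped there */` would record why.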