2012-11-20 20:08:28

by Kees Cook

[permalink] [raw]
Subject: opp_get_notifier() needs to be under rcu_lock?

Hi,

It looks like find_device_opp() (called from opp_get_notifier()) needs
to be under RCU read lock, but this doesn't seem to be happening in
drivers/devfreq/devfreq.c. Doesn't this run the risk of referencing a
freed variable?

Thanks,

-Kees

--
Kees Cook
Chrome OS Security


2012-11-21 09:59:00

by MyungJoo Ham

[permalink] [raw]
Subject: Re: opp_get_notifier() needs to be under rcu_lock?

> Hi,
>
> It looks like find_device_opp() (called from opp_get_notifier()) needs
> to be under RCU read lock, but this doesn't seem to be happening in
> drivers/devfreq/devfreq.c. Doesn't this run the risk of referencing a
> freed variable?
>
> Thanks,
>
> -Kees

Yes, that's an issue requiring updates.

Thank you for pointing it out.



Cheers,
MyungJoo

>
> --
> Kees Cook
> Chrome OS Security
>


2012-11-21 10:10:45

by MyungJoo Ham

[permalink] [raw]
Subject: [PATCH] PM / devfreq: missing rcu_read_lock() added for find_device_opp()

opp_get_notifier() uses find_device_opp(), which requires
rcu_read_lock to be held. In order to keep the notifier-header
valid, we have added rcu_read_lock().

Reported-by: Kees Cook <[email protected]>
Signed-off-by: MyungJoo Ham <[email protected]>
---
drivers/devfreq/devfreq.c | 26 ++++++++++++++++++++------
1 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index 45e053e..e91cb22 100644
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -1023,11 +1023,18 @@ struct opp *devfreq_recommended_opp(struct device *dev, unsigned long *freq,
*/
int devfreq_register_opp_notifier(struct device *dev, struct devfreq *devfreq)
{
- struct srcu_notifier_head *nh = opp_get_notifier(dev);
+ struct srcu_notifier_head *nh;
+ int ret = 0;

+ rcu_read_lock();
+ nh = opp_get_notifier(dev);
if (IS_ERR(nh))
- return PTR_ERR(nh);
- return srcu_notifier_chain_register(nh, &devfreq->nb);
+ ret = PTR_ERR(nh);
+ if (!ret)
+ ret = srcu_notifier_chain_register(nh, &devfreq->nb);
+ rcu_read_unlock();
+
+ return ret;
}

/**
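Review bot: srcu_notifier_chain_register() acquires a mutex and can sleep, so calling it between the added `rcu_read_lock();` and `rcu_read_unlock();` in this hunk is not permitted; only the `nh = opp_get_notifier(dev);` lookup needs the RCU read-side critical section. Move `rcu_read_unlock();` to directly after `ret = PTR_ERR(nh);` so the `if (!ret)` registration runs outside the read lock, and state in the commit message why `nh` remains valid after the unlock.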
@@ -1042,11 +1049,18 @@ int devfreq_register_opp_notifier(struct device *dev, struct devfreq *devfreq)
*/
int devfreq_unregister_opp_notifier(struct device *dev, struct devfreq *devfreq)
{
- struct srcu_notifier_head *nh = opp_get_notifier(dev);
+ struct srcu_notifier_head *nh;
+ int ret = 0;

+ rcu_read_lock();
+ nh = opp_get_notifier(dev);
if (IS_ERR(nh))
- return PTR_ERR(nh);
- return srcu_notifier_chain_unregister(nh, &devfreq->nb);
+ ret = PTR_ERR(nh);
+ if (!ret)
+ ret = srcu_notifier_chain_unregister(nh, &devfreq->nb);
+ rcu_read_unlock();
+
+ return ret;
}

MODULE_AUTHOR("MyungJoo Ham <[email protected]>");
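Review bot: the unregister hunk has the same defect as the register hunk above: srcu_notifier_chain_unregister() takes a mutex and may sleep, yet it is invoked while `rcu_read_lock();` is held. Move `rcu_read_unlock();` up to follow `ret = PTR_ERR(nh);`, leaving only the opp_get_notifier() lookup under RCU.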
--
1.7.5.4

2012-11-21 13:42:17

by Serge E. Hallyn

[permalink] [raw]
Subject: Re: [PATCH] PM / devfreq: missing rcu_read_lock() added for find_device_opp()

Quoting MyungJoo Ham ([email protected]):
> opp_get_notifier() uses find_device_opp(), which requires
> rcu_read_lock to be held. In order to keep the notifier-header
> valid, we have added rcu_read_lock().
>
> Reported-by: Kees Cook <[email protected]>
> Signed-off-by: MyungJoo Ham <[email protected]>
> ---
> drivers/devfreq/devfreq.c | 26 ++++++++++++++++++++------
> 1 files changed, 20 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
> index 45e053e..e91cb22 100644
> --- a/drivers/devfreq/devfreq.c
> +++ b/drivers/devfreq/devfreq.c
> @@ -1023,11 +1023,18 @@ struct opp *devfreq_recommended_opp(struct device *dev, unsigned long *freq,
> */
> int devfreq_register_opp_notifier(struct device *dev, struct devfreq *devfreq)
> {
> - struct srcu_notifier_head *nh = opp_get_notifier(dev);
> + struct srcu_notifier_head *nh;
> + int ret = 0;
>
> + rcu_read_lock();
> + nh = opp_get_notifier(dev);
> if (IS_ERR(nh))
> - return PTR_ERR(nh);
> - return srcu_notifier_chain_register(nh, &devfreq->nb);
> + ret = PTR_ERR(nh);
> + if (!ret)
> + ret = srcu_notifier_chain_register(nh, &devfreq->nb);

Hm, but if I'm seeing right, srcu_notifier_chain_register calls
mutex_lock(), which sleeps, so you can't do that under rcu_read_lock().

-serge

2012-11-22 18:36:50

by Serge E. Hallyn

[permalink] [raw]
Subject: Re: [PATCH] PM / devfreq: missing rcu_read_lock() added for find_device_opp()

Quoting Serge E. Hallyn ([email protected]):
> Quoting MyungJoo Ham ([email protected]):
> > opp_get_notifier() uses find_device_opp(), which requires
> > rcu_read_lock to be held. In order to keep the notifier-header
> > valid, we have added rcu_read_lock().
> >

Well, to be honest, the opp locking isn't 100% clear to me, but IIUC
(1) things can be added but never removed, (2) opp_get_notifier doesn't
pin a refcount on what it returns, but it returns something which won't
be deleted.

So IIUC what's below is fine, bc it doesn't need to pin the nh for the
nh to remain valid outside of the rcu_read_lock. If I'm wrong about
that, then the below is not sufficient.

> Reviewed-by: Serge Hallyn <[email protected]>
>
> > Reported-by: Kees Cook <[email protected]>
> > Signed-off-by: MyungJoo Ham <[email protected]>
> > ---
> > drivers/devfreq/devfreq.c | 26 ++++++++++++++++++++------
> > 1 files changed, 20 insertions(+), 6 deletions(-)
> >
> > diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
> > index 1388d46..5275883 100644
> > --- a/drivers/devfreq/devfreq.c
> > +++ b/drivers/devfreq/devfreq.c
> > @@ -1023,11 +1023,18 @@ struct opp *devfreq_recommended_opp(struct device *dev, unsigned long *freq,
> > */
> > int devfreq_register_opp_notifier(struct device *dev, struct devfreq *devfreq)
> > {
> > - struct srcu_notifier_head *nh = opp_get_notifier(dev);
> > + struct srcu_notifier_head *nh;
> > + int ret = 0;
> >
> > + rcu_read_lock();
> > + nh = opp_get_notifier(dev);
> > if (IS_ERR(nh))
> > - return PTR_ERR(nh);
> > - return srcu_notifier_chain_register(nh, &devfreq->nb);
> > + ret = PTR_ERR(nh);
> > + rcu_read_unlock();
> > + if (!ret)
> > + ret = srcu_notifier_chain_register(nh, &devfreq->nb);
> > +
> > + return ret;
> > }
> >
> > /**
> > @@ -1042,11 +1049,18 @@ int devfreq_register_opp_notifier(struct device *dev, struct devfreq *devfreq)
> > */
> > int devfreq_unregister_opp_notifier(struct device *dev, struct devfreq *devfreq)
> > {
> > - struct srcu_notifier_head *nh = opp_get_notifier(dev);
> > + struct srcu_notifier_head *nh;
> > + int ret = 0;
> >
> > + rcu_read_lock();
> > + nh = opp_get_notifier(dev);
> > if (IS_ERR(nh))
> > - return PTR_ERR(nh);
> > - return srcu_notifier_chain_unregister(nh, &devfreq->nb);
> > + ret = PTR_ERR(nh);
> > + rcu_read_unlock();
> > + if (!ret)
> > + ret = srcu_notifier_chain_unregister(nh, &devfreq->nb);
> > +
> > + return ret;
> > }
> >
> > MODULE_AUTHOR("MyungJoo Ham <[email protected]>");
> > --
> > 1.7.5.4
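The thread turns on two separate rules: the find_device_opp() lookup must happen inside an RCU read-side critical section (Kees's report), and a sleeping call such as srcu_notifier_chain_register(), which takes a mutex, must not happen inside one (Serge's objection to the first patch). The following user-space C program is an added example, not kernel code and not part of either patch: it models rcu_read_lock()/rcu_read_unlock() as a nesting counter and mutex_lock() as the kernel's might_sleep() check, then runs the three shapes of devfreq_register_opp_notifier() seen in this thread (the original, the first patch, and the resend) and records which rule each one breaks. Every `model_` name, the `struct verdict` type and `run_variant()` are constructed for this example; the real kernel catches the first-patch pattern through its sleeping-in-atomic debug checks rather than through counters like these.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model, not kernel code: rcu_read_lock() is a nesting counter
 * and mutex_lock() stands in for might_sleep(), recording a violation when
 * a sleeping primitive is entered inside an RCU read-side critical section. */
static int rcu_depth;                 /* current rcu_read_lock() nesting   */
static int unprotected_lookups;       /* find_device_opp() without RCU     */
static int sleep_in_rcu_violations;   /* mutex_lock() while rcu_depth > 0  */

static void model_rcu_read_lock(void)   { rcu_depth++; }
static void model_rcu_read_unlock(void) { rcu_depth--; }
static void model_mutex_lock(void)      { if (rcu_depth) sleep_in_rcu_violations++; }
static void model_mutex_unlock(void)    { }

/* Stand-ins for the OPP notifier head (owned by the OPP layer for the
 * device's lifetime, so it is not refcounted) and the device itself. */
struct model_notifier_head { int registered; };
struct model_device { int has_opp; struct model_notifier_head nh; };

/* Model of opp_get_notifier(): walks an RCU-protected list, so it must be
 * called under rcu_read_lock(). NULL plays the role of the ERR_PTR return. */
static struct model_notifier_head *model_opp_get_notifier(struct model_device *dev)
{
	if (!rcu_depth)
		unprotected_lookups++;
	return dev->has_opp ? &dev->nh : NULL;
}

/* Model of srcu_notifier_chain_register(): takes nh->mutex, so it may sleep. */
static int model_srcu_notifier_chain_register(struct model_notifier_head *nh)
{
	model_mutex_lock();
	nh->registered++;
	model_mutex_unlock();
	return 0;
}

/* Original devfreq code: the lookup runs with no RCU protection. */
static int register_original(struct model_device *dev)
{
	struct model_notifier_head *nh = model_opp_get_notifier(dev);

	if (!nh)
		return -ENODEV;
	return model_srcu_notifier_chain_register(nh);
}

/* First patch: the whole body, including the sleeping registration,
 * sits inside the RCU read-side critical section. */
static int register_v1(struct model_device *dev)
{
	struct model_notifier_head *nh;
	int ret = 0;

	model_rcu_read_lock();
	nh = model_opp_get_notifier(dev);
	if (!nh)
		ret = -ENODEV;
	if (!ret)
		ret = model_srcu_notifier_chain_register(nh);
	model_rcu_read_unlock();
	return ret;
}

/* Resent patch: only the lookup is under RCU; using nh afterwards is safe
 * only because the notifier head is never freed while the device exists. */
static int register_v2(struct model_device *dev)
{
	struct model_notifier_head *nh;
	int ret = 0;

	model_rcu_read_lock();
	nh = model_opp_get_notifier(dev);
	if (!nh)
		ret = -ENODEV;
	model_rcu_read_unlock();
	if (!ret)
		ret = model_srcu_notifier_chain_register(nh);
	return ret;
}

struct verdict { int ret, unprotected, slept_in_rcu, depth_after; };

/* Run one variant on a fresh device and report what the checks recorded. */
struct verdict run_variant(int (*fn)(struct model_device *), int has_opp)
{
	struct model_device dev = { has_opp, { 0 } };
	struct verdict v;

	rcu_depth = unprotected_lookups = sleep_in_rcu_violations = 0;
	v.ret = fn(&dev);
	v.unprotected = unprotected_lookups;
	v.slept_in_rcu = sleep_in_rcu_violations;
	v.depth_after = rcu_depth;
	return v;
}

int main(void)
{
	const char *names[] = { "original", "v1", "v2" };
	int (*fns[])(struct model_device *) = { register_original, register_v1, register_v2 };

	for (int i = 0; i < 3; i++) {
		struct verdict v = run_variant(fns[i], 1);
		printf("%-8s ret=%d unprotected=%d slept_in_rcu=%d depth_after=%d\n",
		       names[i], v.ret, v.unprotected, v.slept_in_rcu, v.depth_after);
	}
	return 0;
}
```

Running it shows the original variant flagged for an unprotected lookup, v1 flagged for sleeping inside the critical section, and v2 clean on both counts; the `depth_after` field confirms that both patched variants release the read lock on the error path as well. What the model cannot check is the assumption v2 relies on, namely that the notifier head stays valid after `rcu_read_unlock()` without a reference being taken; that is a property of the OPP layer's object lifetime, which is why it deserves a comment at the call site.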

2012-11-22 18:46:59

by MyungJoo Ham

[permalink] [raw]
Subject: [PATCH] PM / devfreq: missing rcu_read_lock() added for find_device_opp()

opp_get_notifier() uses find_device_opp(), which requires
rcu_read_lock to be held. In order to keep the notifier-header
valid, we have added rcu_read_lock().

Reported-by: Kees Cook <[email protected]>
Signed-off-by: MyungJoo Ham <[email protected]>
---
drivers/devfreq/devfreq.c | 26 ++++++++++++++++++++------
1 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index 1388d46..5275883 100644
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -1023,11 +1023,18 @@ struct opp *devfreq_recommended_opp(struct device *dev, unsigned long *freq,
*/
int devfreq_register_opp_notifier(struct device *dev, struct devfreq *devfreq)
{
- struct srcu_notifier_head *nh = opp_get_notifier(dev);
+ struct srcu_notifier_head *nh;
+ int ret = 0;

+ rcu_read_lock();
+ nh = opp_get_notifier(dev);
if (IS_ERR(nh))
- return PTR_ERR(nh);
- return srcu_notifier_chain_register(nh, &devfreq->nb);
+ ret = PTR_ERR(nh);
+ rcu_read_unlock();
+ if (!ret)
+ ret = srcu_notifier_chain_register(nh, &devfreq->nb);
+
+ return ret;
}

/**
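Review bot: `nh` is passed to srcu_notifier_chain_register() after `rcu_read_unlock();`, so this hunk is correct only if the OPP layer's notifier head outlives the RCU read-side critical section without a reference being taken (the reviewer in this thread reasons that OPP entries are added but never removed). That invariant is not visible in the code; add a one-line comment above the `if (!ret)` call stating why `nh` stays valid after the unlock, and mention it in the commit message, which still reads as if the whole function were under rcu_read_lock().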
@@ -1042,11 +1049,18 @@ int devfreq_register_opp_notifier(struct device *dev, struct devfreq *devfreq)
*/
int devfreq_unregister_opp_notifier(struct device *dev, struct devfreq *devfreq)
{
- struct srcu_notifier_head *nh = opp_get_notifier(dev);
+ struct srcu_notifier_head *nh;
+ int ret = 0;

+ rcu_read_lock();
+ nh = opp_get_notifier(dev);
if (IS_ERR(nh))
- return PTR_ERR(nh);
- return srcu_notifier_chain_unregister(nh, &devfreq->nb);
+ ret = PTR_ERR(nh);
+ rcu_read_unlock();
+ if (!ret)
+ ret = srcu_notifier_chain_unregister(nh, &devfreq->nb);
+
+ return ret;
}

MODULE_AUTHOR("MyungJoo Ham <[email protected]>");
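Review bot: same lifetime dependency as in the register hunk: srcu_notifier_chain_unregister() dereferences `nh` after `rcu_read_unlock();`, which is safe only while the OPP layer guarantees the notifier head is never freed. A short comment next to the call documenting that assumption would keep a later change to OPP object lifetime from silently turning this into a use-after-free.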
--
1.7.5.4

2012-11-22 18:51:53

by Serge E. Hallyn

[permalink] [raw]
Subject: Re: [PATCH] PM / devfreq: missing rcu_read_lock() added for find_device_opp()

Quoting MyungJoo Ham ([email protected]):
> opp_get_notifier() uses find_device_opp(), which requires
> rcu_read_lock to be held. In order to keep the notifier-header
> valid, we have added rcu_read_lock().
>

Reviewed-by: Serge Hallyn <[email protected]>

> Reported-by: Kees Cook <[email protected]>
> Signed-off-by: MyungJoo Ham <[email protected]>
> ---
> drivers/devfreq/devfreq.c | 26 ++++++++++++++++++++------
> 1 files changed, 20 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
> index 1388d46..5275883 100644
> --- a/drivers/devfreq/devfreq.c
> +++ b/drivers/devfreq/devfreq.c
> @@ -1023,11 +1023,18 @@ struct opp *devfreq_recommended_opp(struct device *dev, unsigned long *freq,
> */
> int devfreq_register_opp_notifier(struct device *dev, struct devfreq *devfreq)
> {
> - struct srcu_notifier_head *nh = opp_get_notifier(dev);
> + struct srcu_notifier_head *nh;
> + int ret = 0;
>
> + rcu_read_lock();
> + nh = opp_get_notifier(dev);
> if (IS_ERR(nh))
> - return PTR_ERR(nh);
> - return srcu_notifier_chain_register(nh, &devfreq->nb);
> + ret = PTR_ERR(nh);
> + rcu_read_unlock();
> + if (!ret)
> + ret = srcu_notifier_chain_register(nh, &devfreq->nb);
> +
> + return ret;
> }
>
> /**
> @@ -1042,11 +1049,18 @@ int devfreq_register_opp_notifier(struct device *dev, struct devfreq *devfreq)
> */
> int devfreq_unregister_opp_notifier(struct device *dev, struct devfreq *devfreq)
> {
> - struct srcu_notifier_head *nh = opp_get_notifier(dev);
> + struct srcu_notifier_head *nh;
> + int ret = 0;
>
> + rcu_read_lock();
> + nh = opp_get_notifier(dev);
> if (IS_ERR(nh))
> - return PTR_ERR(nh);
> - return srcu_notifier_chain_unregister(nh, &devfreq->nb);
> + ret = PTR_ERR(nh);
> + rcu_read_unlock();
> + if (!ret)
> + ret = srcu_notifier_chain_unregister(nh, &devfreq->nb);
> +
> + return ret;
> }
>
> MODULE_AUTHOR("MyungJoo Ham <[email protected]>");
> --
> 1.7.5.4