2015-07-06 18:01:50

by Felipe Balbi

[permalink] [raw]
Subject: [PATCH] base: power: wakeirq: don't leak dev->power.wakeirq

on a first call to dev_pm_attach_wake_irq(), if it
fails, it will leave dev->power.wakeirq set to a
dangling pointer. Instead, let's clear it to make
sure a subsequent call to dev_pm_attach_wake_irq()
has chance to succeed.

Cc: Tony Lindgren <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
---
drivers/base/power/wakeirq.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/base/power/wakeirq.c b/drivers/base/power/wakeirq.c
index 7470004ca810..394d250a1ad8 100644
--- a/drivers/base/power/wakeirq.c
+++ b/drivers/base/power/wakeirq.c
@@ -50,9 +50,16 @@ static int dev_pm_attach_wake_irq(struct device *dev, int irq,

err = device_wakeup_attach_irq(dev, wirq);
if (err)
- return err;
+ goto err_cleanup;

return 0;
+
+err_cleanup:
+ spin_lock_irqsave(&dev->power.lock, flags);
+ dev->power.wakeirq = NULL;
+ spin_unlock_irqrestore(&dev->power.lock, flags);
+
+ return err;
}

/**
--
2.4.4


2015-07-06 18:09:51

by Felipe Balbi

[permalink] [raw]
Subject: Re: [PATCH] base: power: wakeirq: don't leak dev->power.wakeirq

On Mon, Jul 06, 2015 at 08:06:17PM +0200, Michael Trimarchi wrote:
> Hi
>
> On Jul 6, 2015 8:01 PM, "Felipe Balbi" <[email protected]> wrote:
> >
> > on a first call to dev_pm_attach_wake_irq(), if it
> > fails, it will leave dev->power.wakeirq set to a
> > dangling pointer. Instead, let's clear it to make
> > sure a subsequent call to dev_pm_attach_wake_irq()
> > has chance to succeed.
> >
> > Cc: Tony Lindgren <[email protected]>
> > Signed-off-by: Felipe Balbi <[email protected]>
> > ---
> > drivers/base/power/wakeirq.c | 9 ++++++++-
> > 1 file changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/base/power/wakeirq.c b/drivers/base/power/wakeirq.c
> > index 7470004ca810..394d250a1ad8 100644
> > --- a/drivers/base/power/wakeirq.c
> > +++ b/drivers/base/power/wakeirq.c
> > @@ -50,9 +50,16 @@ static int dev_pm_attach_wake_irq(struct device *dev,
> int irq,
> >
> > err = device_wakeup_attach_irq(dev, wirq);
> > if (err)
> > - return err;
> > + goto err_cleanup;
> >
> > return 0;
> > +
> > +err_cleanup:
> > + spin_lock_irqsave(&dev->power.lock, flags);
> > + dev->power.wakeirq = NULL;
> > + spin_unlock_irqrestore(&dev->power.lock, flags);
> > +
>
> Why here and not in the fuction that return the error?

because the field was set here, why would I clear it elsewhere ?

--
balbi


Attachments:
(No filename) (1.35 kB)
signature.asc (819.00 B)
Digital signature
Download all attachments

2015-07-06 22:47:04

by Rafael J. Wysocki

[permalink] [raw]
Subject: Re: [PATCH] base: power: wakeirq: don't leak dev->power.wakeirq

On Monday, July 06, 2015 01:01:18 PM Felipe Balbi wrote:
> on a first call to dev_pm_attach_wake_irq(), if it
> fails, it will leave dev->power.wakeirq set to a
> dangling pointer. Instead, let's clear it to make
> sure a subsequent call to dev_pm_attach_wake_irq()
> has chance to succeed.
>
> Cc: Tony Lindgren <[email protected]>
> Signed-off-by: Felipe Balbi <[email protected]>
> ---
> drivers/base/power/wakeirq.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/base/power/wakeirq.c b/drivers/base/power/wakeirq.c
> index 7470004ca810..394d250a1ad8 100644
> --- a/drivers/base/power/wakeirq.c
> +++ b/drivers/base/power/wakeirq.c
> @@ -50,9 +50,16 @@ static int dev_pm_attach_wake_irq(struct device *dev, int irq,
>
> err = device_wakeup_attach_irq(dev, wirq);
> if (err)
> - return err;
> + goto err_cleanup;
>
> return 0;
> +
> +err_cleanup:
> + spin_lock_irqsave(&dev->power.lock, flags);
> + dev->power.wakeirq = NULL;
> + spin_unlock_irqrestore(&dev->power.lock, flags);
> +
> + return err;
> }

Too many labels for me and the fact that acquiring of the lock again in the error
patch doesn't look good.

However, we can do the entire device_wakeup_attach_irq() under the lock (after
removing the locking from it), because we're its only caller.

So what about the below instead (build-tested only)?

Rafael


---
drivers/base/power/wakeirq.c | 12 +++++-------
drivers/base/power/wakeup.c | 31 ++++++++++---------------------
2 files changed, 15 insertions(+), 28 deletions(-)

Index: linux-pm/drivers/base/power/wakeirq.c
===================================================================
--- linux-pm.orig/drivers/base/power/wakeirq.c
+++ linux-pm/drivers/base/power/wakeirq.c
@@ -45,14 +45,12 @@ static int dev_pm_attach_wake_irq(struct
return -EEXIST;
}

- dev->power.wakeirq = wirq;
- spin_unlock_irqrestore(&dev->power.lock, flags);
-
err = device_wakeup_attach_irq(dev, wirq);
- if (err)
- return err;
+ if (!err)
+ dev->power.wakeirq = wirq;

- return 0;
+ spin_unlock_irqrestore(&dev->power.lock, flags);
+ return err;
}

/**
@@ -105,10 +103,10 @@ void dev_pm_clear_wake_irq(struct device
return;

spin_lock_irqsave(&dev->power.lock, flags);
+ device_wakeup_detach_irq(dev);
dev->power.wakeirq = NULL;
spin_unlock_irqrestore(&dev->power.lock, flags);

- device_wakeup_detach_irq(dev);
if (wirq->dedicated_irq)
free_irq(wirq->irq, wirq);
kfree(wirq);
Index: linux-pm/drivers/base/power/wakeup.c
===================================================================
--- linux-pm.orig/drivers/base/power/wakeup.c
+++ linux-pm/drivers/base/power/wakeup.c
@@ -281,32 +281,25 @@ EXPORT_SYMBOL_GPL(device_wakeup_enable);
* Attach a device wakeirq to the wakeup source so the device
* wake IRQ can be configured automatically for suspend and
* resume.
+ *
+ * Call under the device's power.lock lock.
*/
int device_wakeup_attach_irq(struct device *dev,
struct wake_irq *wakeirq)
{
struct wakeup_source *ws;
- int ret = 0;

- spin_lock_irq(&dev->power.lock);
ws = dev->power.wakeup;
if (!ws) {
dev_err(dev, "forgot to call call device_init_wakeup?\n");
- ret = -EINVAL;
- goto unlock;
+ return -EINVAL;
}

- if (ws->wakeirq) {
- ret = -EEXIST;
- goto unlock;
- }
+ if (ws->wakeirq)
+ return -EEXIST;

ws->wakeirq = wakeirq;
-
-unlock:
- spin_unlock_irq(&dev->power.lock);
-
- return ret;
+ return 0;
}

/**
@@ -314,20 +307,16 @@ unlock:
* @dev: Device to handle
*
* Removes a device wakeirq from the wakeup source.
+ *
+ * Call under the device's power.lock lock.
*/
void device_wakeup_detach_irq(struct device *dev)
{
struct wakeup_source *ws;

- spin_lock_irq(&dev->power.lock);
ws = dev->power.wakeup;
- if (!ws)
- goto unlock;
-
- ws->wakeirq = NULL;
-
-unlock:
- spin_unlock_irq(&dev->power.lock);
+ if (ws)
+ ws->wakeirq = NULL;
}

/**

Subject: Re: [PATCH] base: power: wakeirq: don't leak dev->power.wakeirq

Hi

On Mon, Jul 6, 2015 at 8:09 PM, Felipe Balbi <[email protected]> wrote:
> On Mon, Jul 06, 2015 at 08:06:17PM +0200, Michael Trimarchi wrote:
>> Hi
>>
>> On Jul 6, 2015 8:01 PM, "Felipe Balbi" <[email protected]> wrote:
>> >
>> > on a first call to dev_pm_attach_wake_irq(), if it
>> > fails, it will leave dev->power.wakeirq set to a
>> > dangling pointer. Instead, let's clear it to make
>> > sure a subsequent call to dev_pm_attach_wake_irq()
>> > has chance to succeed.
>> >
>> > Cc: Tony Lindgren <[email protected]>
>> > Signed-off-by: Felipe Balbi <[email protected]>
>> > ---
>> > drivers/base/power/wakeirq.c | 9 ++++++++-
>> > 1 file changed, 8 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/drivers/base/power/wakeirq.c b/drivers/base/power/wakeirq.c
>> > index 7470004ca810..394d250a1ad8 100644
>> > --- a/drivers/base/power/wakeirq.c
>> > +++ b/drivers/base/power/wakeirq.c
>> > @@ -50,9 +50,16 @@ static int dev_pm_attach_wake_irq(struct device *dev,
>> int irq,
>> >
>> > err = device_wakeup_attach_irq(dev, wirq);
>> > if (err)
>> > - return err;
>> > + goto err_cleanup;
>> >
>> > return 0;
>> > +
>> > +err_cleanup:
>> > + spin_lock_irqsave(&dev->power.lock, flags);
>> > + dev->power.wakeirq = NULL;
>> > + spin_unlock_irqrestore(&dev->power.lock, flags);
>> > +
>>
>> Why here and not in the fuction that return the error?
>
> because the field was set here, why would I clear it elsewhere ?
>

Clear now and even more from the other patch proposal.

Michael

> --
> balbi



--
| Michael Nazzareno Trimarchi Amarula Solutions BV |
| COO - Founder Cruquiuskade 47 |
| +31(0)851119172 Amsterdam 1018 AM NL |
| [`as] http://www.amarulasolutions.com |

2015-07-07 07:41:22

by Tony Lindgren

[permalink] [raw]
Subject: Re: [PATCH] base: power: wakeirq: don't leak dev->power.wakeirq

* Rafael J. Wysocki <[email protected]> [150706 15:49]:
> On Monday, July 06, 2015 01:01:18 PM Felipe Balbi wrote:
> > on a first call to dev_pm_attach_wake_irq(), if it
> > fails, it will leave dev->power.wakeirq set to a
> > dangling pointer. Instead, let's clear it to make
> > sure a subsequent call to dev_pm_attach_wake_irq()
> > has chance to succeed.
> >
> > Cc: Tony Lindgren <[email protected]>
> > Signed-off-by: Felipe Balbi <[email protected]>
> > ---
> > drivers/base/power/wakeirq.c | 9 ++++++++-
> > 1 file changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/base/power/wakeirq.c b/drivers/base/power/wakeirq.c
> > index 7470004ca810..394d250a1ad8 100644
> > --- a/drivers/base/power/wakeirq.c
> > +++ b/drivers/base/power/wakeirq.c
> > @@ -50,9 +50,16 @@ static int dev_pm_attach_wake_irq(struct device *dev, int irq,
> >
> > err = device_wakeup_attach_irq(dev, wirq);
> > if (err)
> > - return err;
> > + goto err_cleanup;
> >
> > return 0;
> > +
> > +err_cleanup:
> > + spin_lock_irqsave(&dev->power.lock, flags);
> > + dev->power.wakeirq = NULL;
> > + spin_unlock_irqrestore(&dev->power.lock, flags);
> > +
> > + return err;
> > }
>
> Too many labels for me and the fact that acquiring of the lock again in the error
> patch doesn't look good.
>
> However, we can do the entire device_wakeup_attach_irq() under the lock (after
> removing the locking from it), because we're its only caller.
>
> So what about the below instead (build-tested only)?

Nice, still works for me and simplifies things:

Tested-by: Tony Lindgren <[email protected]>

2015-07-07 08:12:47

by Felipe Balbi

[permalink] [raw]
Subject: Re: [PATCH] base: power: wakeirq: don't leak dev->power.wakeirq

On Tue, Jul 07, 2015 at 12:40:53AM -0700, Tony Lindgren wrote:
> * Rafael J. Wysocki <[email protected]> [150706 15:49]:
> > On Monday, July 06, 2015 01:01:18 PM Felipe Balbi wrote:
> > > on a first call to dev_pm_attach_wake_irq(), if it
> > > fails, it will leave dev->power.wakeirq set to a
> > > dangling pointer. Instead, let's clear it to make
> > > sure a subsequent call to dev_pm_attach_wake_irq()
> > > has chance to succeed.
> > >
> > > Cc: Tony Lindgren <[email protected]>
> > > Signed-off-by: Felipe Balbi <[email protected]>
> > > ---
> > > drivers/base/power/wakeirq.c | 9 ++++++++-
> > > 1 file changed, 8 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/base/power/wakeirq.c b/drivers/base/power/wakeirq.c
> > > index 7470004ca810..394d250a1ad8 100644
> > > --- a/drivers/base/power/wakeirq.c
> > > +++ b/drivers/base/power/wakeirq.c
> > > @@ -50,9 +50,16 @@ static int dev_pm_attach_wake_irq(struct device *dev, int irq,
> > >
> > > err = device_wakeup_attach_irq(dev, wirq);
> > > if (err)
> > > - return err;
> > > + goto err_cleanup;
> > >
> > > return 0;
> > > +
> > > +err_cleanup:
> > > + spin_lock_irqsave(&dev->power.lock, flags);
> > > + dev->power.wakeirq = NULL;
> > > + spin_unlock_irqrestore(&dev->power.lock, flags);
> > > +
> > > + return err;
> > > }
> >
> > Too many labels for me and the fact that acquiring of the lock again in the error
> > patch doesn't look good.
> >
> > However, we can do the entire device_wakeup_attach_irq() under the lock (after
> > removing the locking from it), because we're its only caller.
> >
> > So what about the below instead (build-tested only)?
>
> Nice, still works for me and simplifies things:
>
> Tested-by: Tony Lindgren <[email protected]>

Cool, thanks for testing Tony. Rafael, I'm fine with your version too.
FWIW:

Reported-by: Felipe Balbi <[email protected]>

--
balbi


Attachments:
(No filename) (1.84 kB)
signature.asc (819.00 B)
Digital signature
Download all attachments

2015-07-07 11:11:40

by Rafael J. Wysocki

[permalink] [raw]
Subject: Re: [PATCH] base: power: wakeirq: don't leak dev->power.wakeirq

On Tue, Jul 7, 2015 at 10:11 AM, Felipe Balbi <[email protected]> wrote:
> On Tue, Jul 07, 2015 at 12:40:53AM -0700, Tony Lindgren wrote:
>> * Rafael J. Wysocki <[email protected]> [150706 15:49]:
>> > On Monday, July 06, 2015 01:01:18 PM Felipe Balbi wrote:
>> > > on a first call to dev_pm_attach_wake_irq(), if it
>> > > fails, it will leave dev->power.wakeirq set to a
>> > > dangling pointer. Instead, let's clear it to make
>> > > sure a subsequent call to dev_pm_attach_wake_irq()
>> > > has chance to succeed.
>> > >
>> > > Cc: Tony Lindgren <[email protected]>
>> > > Signed-off-by: Felipe Balbi <[email protected]>
>> > > ---
>> > > drivers/base/power/wakeirq.c | 9 ++++++++-
>> > > 1 file changed, 8 insertions(+), 1 deletion(-)
>> > >
>> > > diff --git a/drivers/base/power/wakeirq.c b/drivers/base/power/wakeirq.c
>> > > index 7470004ca810..394d250a1ad8 100644
>> > > --- a/drivers/base/power/wakeirq.c
>> > > +++ b/drivers/base/power/wakeirq.c
>> > > @@ -50,9 +50,16 @@ static int dev_pm_attach_wake_irq(struct device *dev, int irq,
>> > >
>> > > err = device_wakeup_attach_irq(dev, wirq);
>> > > if (err)
>> > > - return err;
>> > > + goto err_cleanup;
>> > >
>> > > return 0;
>> > > +
>> > > +err_cleanup:
>> > > + spin_lock_irqsave(&dev->power.lock, flags);
>> > > + dev->power.wakeirq = NULL;
>> > > + spin_unlock_irqrestore(&dev->power.lock, flags);
>> > > +
>> > > + return err;
>> > > }
>> >
>> > Too many labels for me and the fact that acquiring of the lock again in the error
>> > patch doesn't look good.
>> >
>> > However, we can do the entire device_wakeup_attach_irq() under the lock (after
>> > removing the locking from it), because we're its only caller.
>> >
>> > So what about the below instead (build-tested only)?
>>
>> Nice, still works for me and simplifies things:
>>
>> Tested-by: Tony Lindgren <[email protected]>
>
> Cool, thanks for testing Tony. Rafael, I'm fine with your version too.
> FWIW:
>
> Reported-by: Felipe Balbi <[email protected]>

OK, applied.

Thanks,
Rafael