Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755541AbbFBG4s (ORCPT ); Tue, 2 Jun 2015 02:56:48 -0400 Received: from e34.co.us.ibm.com ([32.97.110.152]:54914 "EHLO e34.co.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752245AbbFBG4j (ORCPT ); Tue, 2 Jun 2015 02:56:39 -0400 Message-ID: <556D53A0.1050109@linux.vnet.ibm.com> Date: Tue, 02 Jun 2015 12:26:32 +0530 From: Preeti U Murthy User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 MIME-Version: 1.0 To: Viresh Kumar CC: rjw@rjwysocki.net, ego@linux.vnet.ibm.com, paulus@samba.org, linux-kernel@vger.kernel.org, shilpa.bhat@linux.vnet.ibm.com, linux-pm@vger.kernel.org Subject: Re: [RFC PATCH] cpufreq/hotplug: Fix cpu-hotplug cpufreq race conditions References: <20150601064031.2972.59208.stgit@perfhull-ltc.austin.ibm.com> <20150601071934.GC4242@linux> <556D3FAA.3080703@linux.vnet.ibm.com> <20150602053956.GD10443@linux> <556D4748.7040105@linux.vnet.ibm.com> <20150602061133.GE10443@linux> <556D4B32.3000407@linux.vnet.ibm.com> <20150602062724.GF10443@linux> In-Reply-To: <20150602062724.GF10443@linux> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 15060206-0017-0000-0000-00000B4F0F2A Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2766 Lines: 79 On 06/02/2015 11:57 AM, Viresh Kumar wrote: > On 02-06-15, 11:50, Preeti U Murthy wrote: >> CPU0 CPU1 >> >> store* store* >> >> lock(policy 1) lock(policy 2) >> cpufreq_set_policy() cpufreq_set_policy() >> EXIT() : >> dbs-data->usage_count-- >> >> INIT() EXIT() > > When will INIT() follow EXIT() in set_policy() for the same governor ? > Maybe not, and so this sequence is hypothetical ? Ah, yes, this will be hypothetical. > >> dbs_data exists dbs_data->usage_count -- = 0 >> kfree(dbs_data) >> dbs-data->usage_count++ >> *NULL dereference* > > But even if this happens, it should be handled with > dbs_data->mutex_lock, which is used at other places already. dbs_data->mutex_lock is used to serialize only START,STOP,LIMIT calls. It does not serialize EXIT/INIT with these operations, but that is understandable. We need to note that EXIT can proceed in parallel with START/STOP/LIMIT operations which can result in null pointer dereferences of dbs_data. Yet again, this is due to the reason that you pointed out. One such case is __cpufreq_remove_dev_finish(). It also drops policy locks before calling into START/LIMIT. So this can proceed in parallel with an EXIT operation from a store. So dbs_data->mutex does not help serialize these two and START can refer a freed dbs_data. Consider the scenario today where CPUFREQ_HAVE_GOVERNOR_PER_POLICY is set itself. CPU0 CPU1 cpufreq_set_policy() __cpufreq_governor (CPUFREQ_GOV_POLICY_EXIT) since the only usage becomes 0. __cpufreq_remove_dev_finish() free(dbs_data) __cpufreq_governor (CPUFRQ_GOV_START) dbs_data->mutex <= NULL dereference This is what we hit initially. So we will need the policy wide lock even for those drivers that have a governor per policy, before calls to __cpufreq_governor() in order to avoid such scenarios. So, your patch at https://git.linaro.org/people/viresh.kumar/linux.git/patch/57714d5b1778f2f610bcc5c74d85b29ba1cc1995 can lead to above races between different store operations themselves, won't it ? An EXIT on one of the policy cpus, followed by a STOP on another will lead to null dereference of dbs_data(For GOVERNOR_PER_POLICY). Today stores are serialized through the policy lock. Anyway, since taking the policy lock leads to ABBA deadlock and releasing it can lead to races like above, shouldn't we try another approach at serialization ? Regards Preeti U Murthy > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/