From: "Rafael J. Wysocki"
To: Chanho Min
Cc: "Rafael J. Wysocki", Pavel Machek, Len Brown, Greg Kroah-Hartman, Linux PM, Linux Kernel Mailing List, Daewoong Kim, Seokjoo Lee, Lee Gunho
Subject: Re: [PATCH] PM / sleep: fix use-after-free on async resume
Date: Wed, 22 Jan 2020 00:35:11 +0100
Message-ID: <24696489.X8ojiuEZiU@kreacher>
In-Reply-To: <175529881.VBaH80lGUZ@kreacher>
References: <1579568452-27253-1-git-send-email-chanho.min@lge.com> <175529881.VBaH80lGUZ@kreacher>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wednesday, January 22, 2020 12:03:16 AM CET Rafael J. Wysocki wrote:
> On Tuesday, January 21, 2020 5:54:58 PM CET Rafael J. Wysocki wrote:
> > On Tue, Jan 21, 2020 at 2:31 AM Chanho Min wrote:
> > >
> > > Some device can be released during suspend (e.g. usb disconnection).
> > > But its child device still uses dev->parent's lock in dpm_wait().
> > > A use-after-free can occur as shown below. This happens during
> > > usb resume in practice.
> >
> > In that case the resume of the child is going to be carried out after
> > its parent has gone away, which is generally incorrect.
>
> That isn't really a problem in the case at hand, though, because the memory
> taken up by the parent can only be freed when all of its children have been
> unregistered and all of the class, type, bus, driver etc. pointers of the
> children are NULL then, so there won't be a resume callback to execute for
> the child.

Well, not really true, because device_del() doesn't clear dev->bus, for
example, AFAICS, so the resume really needs to be explicitly avoided if the
device has been deleted.

[cut]

> > > --
> >
> > Something a bit more sophisticated is needed here, let me think about that.
> >
>
> I've ended up with the patch below.
>
> The lock prevents the unregistration of dev from completing, if it is acquired
> before device_pm_remove() in device_del(), and that prevents the parent
> reference from being dropped (at the end of the latter) until the lock is held.
> If the lock is acquired after device_pm_remove() has been called for the
> device, there obviously is no need to wait for the parent.
>
> So something like this should work:

---
 drivers/base/power/main.c |   42 +++++++++++++++++++++++++++++++++++++-----
 1 file changed, 37 insertions(+), 5 deletions(-)

Index: linux-pm/drivers/base/power/main.c
===================================================================
--- linux-pm.orig/drivers/base/power/main.c
+++ linux-pm/drivers/base/power/main.c
@@ -273,10 +273,38 @@ static void dpm_wait_for_suppliers(struc
 	device_links_read_unlock(idx);
 }
 
-static void dpm_wait_for_superior(struct device *dev, bool async)
+static bool dpm_wait_for_superior(struct device *dev, bool async)
 {
-	dpm_wait(dev->parent, async);
+	struct device *parent;
+
+	/*
+	 * If the device and its parent are both resumed asynchronously and the
+	 * parent's callback deletes both the device and the parent itself, the
+	 * parent object may be freed while this function is running, so avoid
+	 * that by reference counting the parent once more unless the device has
+	 * been deleted already.
+	 */
+	mutex_lock(&dpm_list_mtx);
+
+	if (!device_pm_initialized(dev)) {
+		mutex_unlock(&dpm_list_mtx);
+		return false;
+	}
+
+	parent = get_device(dev->parent);
+
+	mutex_unlock(&dpm_list_mtx);
+
+	dpm_wait(parent, async);
+	put_device(parent);
+
 	dpm_wait_for_suppliers(dev, async);
+
+	/*
+	 * If the parent's callback has deleted the device, it is not correct to
+	 * attempt to resume it, so avoid doing that then.
+	 */
+	return device_pm_initialized(dev);
 }
 
 static void dpm_wait_for_consumers(struct device *dev, bool async)
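Review bot: the closing `return device_pm_initialized(dev);` runs after `dpm_list_mtx` has been released, so a false result is reliable but a true result can go stale right after it is read; the comment above it should say what keeps device_del() from completing between this check and the callback (per the argument quoted above, the device lock the callers take), otherwise the check reads as a time-of-check/time-of-use race to the next person looking at it. The change of the return type to bool also deserves a one-line comment on the function ("returns false if the device has been deleted and must not be resumed"), since every caller now depends on that meaning. Minor: the old code passed `dev->parent` straight to dpm_wait(), so a NULL parent was already tolerated there; a word in the new comment that get_device()/put_device() accept NULL as well would make the `parent = get_device(dev->parent);` line self-evidently safe.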
@@ -621,7 +649,8 @@ static int device_resume_noirq(struct de
 	if (!dev->power.is_noirq_suspended)
 		goto Out;
 
-	dpm_wait_for_superior(dev, async);
+	if (!dpm_wait_for_superior(dev, async))
+		goto Out;
 
 	skip_resume = dev_pm_may_skip_resume(dev);
 
@@ -829,7 +858,8 @@ static int device_resume_early(struct de
 	if (!dev->power.is_late_suspended)
 		goto Out;
 
-	dpm_wait_for_superior(dev, async);
+	if (!dpm_wait_for_superior(dev, async))
+		goto Out;
 
 	callback = dpm_subsys_resume_early_cb(dev, state, &info);
 
@@ -944,7 +974,9 @@ static int device_resume(struct device *
 		goto Complete;
 	}
 
-	dpm_wait_for_superior(dev, async);
+	if (!dpm_wait_for_superior(dev, async))
+		goto Complete;
+
 	dpm_watchdog_set(&wd, dev);
 	device_lock(dev);
 
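Review bot: the early exits in this hunk and in the two before it (`goto Out` in device_resume_noirq() and device_resume_early(), `goto Complete` here) reuse the exits already taken when the device was not suspended in that phase, which is the right place to land, but nothing at the call sites says why a device can be skipped; a one-line comment such as `/* The device has been deleted, nothing to resume. */` next to each of the three new `if (!dpm_wait_for_superior(dev, async))` checks would spare readers a trip into dpm_wait_for_superior(). Style: this hunk adds a blank line after the new `goto Complete;` while the noirq and early hunks add none after `goto Out;`; either is fine, but the three sites should match.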
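As an added illustration, not part of this thread or of the kernel source, the reference-count-plus-flag argument behind the patch as a sequential user-space model: `struct dev`, `get_dev()`/`put_dev()`, `device_del()` and `run_scenario()` are constructed stand-ins for the kernel's device object, get_device()/put_device(), device_del() and the resume path, and the dpm_list_mtx locking is left out because the model runs in one thread.

```c
#include <stdbool.h>
#include <stddef.h>
/* Sequential user-space model (added here, not kernel code) of the lifetime
 * argument behind the patch.  refcnt/freed stand in for the kobject refcount
 * and kfree(), pm_initialized for device_pm_initialized(); the real code does
 * the check and get_device() under dpm_list_mtx, which this model omits. */
struct dev {
    struct dev *parent; int refcnt;
    bool pm_initialized;   /* still on the dpm list (not device_pm_remove()d) */
    bool freed;            /* last reference dropped: the memory would be gone */
};

static struct dev *get_dev(struct dev *d) { if (d) d->refcnt++; return d; }
static void put_dev(struct dev *d) { if (d && --d->refcnt == 0) d->freed = true; }
/* device_del(): leave the PM list, drop the parent reference and the own one. */
static void device_del(struct dev *d)
{ d->pm_initialized = false; put_dev(d->parent); put_dev(d); }

/* The thread's scenario: the parent's resume callback deletes the child and
 * then the parent itself while the child is still waiting for the parent. */
static void parent_callback_deletes_both(struct dev *parent, struct dev *child)
{
    device_del(child);
    device_del(parent);
}

/* dpm_wait_for_superior() model.  `race` stands for the parent's callback
 * running during the wait; `pin_saved_parent` reports whether the extra
 * reference was all that kept the parent alive, i.e. whether the unpatched
 * code (no get_device()) would have waited on already freed memory. */
static bool wait_for_superior(struct dev *d, void (*race)(struct dev *, struct dev *),
                              bool *pin_saved_parent)
{
    struct dev *parent;
    if (!d->pm_initialized)            /* deleted already: nothing to resume */
        return false;
    parent = get_dev(d->parent);       /* pin the parent across the wait */
    if (race)
        race(parent, d);               /* the callback runs "meanwhile" */
    *pin_saved_parent = parent && parent->refcnt == 1; /* dpm_wait() point */
    put_dev(parent);
    return d->pm_initialized;          /* deleted meanwhile: skip the callbacks */
}
/* Parent: own ref + child's ref; child: own ref + the resume path's get_device(). */
static bool run_scenario(void (*race)(struct dev *, struct dev *), bool *pin_saved)
{
    struct dev p = { NULL, 2, true, false }, c = { &p, 2, true, false };
    return wait_for_superior(&c, race, pin_saved);
}
```

With the deleting callback the wait reports that only the pinned reference kept the parent alive and the child's resume is skipped; without it the parent stays referenced by the child and the resume proceeds.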