Message ID | 1421661433-27141-1-git-send-email-srinivas.kandagatla@linaro.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On 01/19/2015 01:57 AM, Srinivas Kandagatla wrote: > Some of the clks can be registered & unregistered before the clk related debugfs > entries are initialized at late_initcall. In the unregister path checking for only > dentry before clk_debug_init() would lead dangling pointers in the debug clk list, > because the list is already populated in register path and the clk pointer freed in > unregister path. > The side effect of not removing it from the list is either a null pointer > dereference or if lucky to boot the system, the number of clk entries in > debugfs disappear. > > We could add more checks like if (inited && !clk->dentry) but just removing > the check for dentry made more sense as debugfs_remove_recursive() seems to be > safe with null pointers. This will ensure that the unregistering clk would be > removed from the debug list in all the code paths. > > Without this patch kernel would crash with log: > Unable to handle kernel NULL pointer dereference at virtual address 00000000 > pgd = c0204000 > [00000000] *pgd=00000000 > Internal error: Oops: 5 [#1] SMP ARM > Modules linked in: > CPU: 1 PID: 1 Comm: swapper/0 Tainted: G B 3.19.0-rc3-00007-g412f9ba-dirty #840 > Hardware name: Qualcomm (Flattened Device Tree) > task: ed948000 ti: ed944000 task.ti: ed944000 > PC is at strlen+0xc/0x40 > LR is at __create_file+0x64/0x1dc > pc : [<c04ee604>] lr : [<c049f1c4>] psr: 60000013 > sp : ed945e40 ip : ed945e50 fp : ed945e4c > r10: 00000000 r9 : c1006094 r8 : 00000000 > r7 : 000041ed r6 : 00000000 r5 : ed4af998 r4 : c11b5e28 > r3 : 00000000 r2 : ed945e38 r1 : a0000013 r0 : 00000000 > Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel > Control: 10c5787d Table: 8020406a DAC: 00000015 > Process swapper/0 (pid: 1, stack limit = 0xed944248) > Stack: (0xed945e40 to 0xed946000) > 5e40: ed945e7c ed945e50 c049f1c4 c04ee604 c0fc2fa4 00000000 ecb748c0 c11c2b80 > 5e60: c0beec04 0000011c c0fc2fa4 00000000 ed945e94 ed945e80 c049f3e0 c049f16c > 5e80: 00000000 00000000 ed945eac ed945e98 c08cbc50 c049f3c0 ecb748c0 c11c2b80 > 5ea0: ed945ed4 ed945eb0 c0fc3080 c08cbc30 c0beec04 c107e1d8 ecdf0600 c107e1d8 > 5ec0: c107e1d8 ecdf0600 ed945f54 ed945ed8 c0208ed4 c0fc2fb0 c026a784 c04ee628 > 5ee0: ed945f0c ed945ef0 c0f5d600 c04ee604 c0f5d5ec ef7fcc7d c0b40ecc 0000011c > 5f00: ed945f54 ed945f10 c026a994 c0f5d5f8 c04ecc00 00000007 ef7fcc95 00000007 > 5f20: c0e90744 c0dd0884 ed945f54 c106cde0 00000007 c117f8c0 0000011c c0f5d5ec > 5f40: c1006094 c100609c ed945f94 ed945f58 c0f5de34 c0208e50 00000007 00000007 > 5f60: c0f5d5ec be9b5ae0 00000000 c117f8c0 c0af1680 00000000 00000000 00000000 > 5f80: 00000000 00000000 ed945fac ed945f98 c0af169c c0f5dd2c ed944000 00000000 > 5fa0: 00000000 ed945fb0 c020f298 c0af168c 00000000 00000000 00000000 00000000 > 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 > 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ebcc6d33 bfffca73 > [<c04ee604>] (strlen) from [<c049f1c4>] (__create_file+0x64/0x1dc) > [<c049f1c4>] (__create_file) from [<c049f3e0>] (debugfs_create_dir+0x2c/0x34) > [<c049f3e0>] (debugfs_create_dir) from [<c08cbc50>] (clk_debug_create_one+0x2c/0x16c) > [<c08cbc50>] (clk_debug_create_one) from [<c0fc3080>] (clk_debug_init+0xdc/0x144) > [<c0fc3080>] (clk_debug_init) from [<c0208ed4>] (do_one_initcall+0x90/0x1e0) > [<c0208ed4>] (do_one_initcall) from [<c0f5de34>] (kernel_init_freeable+0x114/0x1e0) > [<c0f5de34>] (kernel_init_freeable) from [<c0af169c>] (kernel_init+0x1c/0xfc) > [<c0af169c>] (kernel_init) from [<c020f298>] (ret_from_fork+0x14/0x3c) > Code: c0b40ecc e1a0c00d e92dd800 e24cb004 (e5d02000) > ---[ end trace b940e45b5e25c1e7 ]--- > > Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> > Reviewed-by: Stephen Boyd <sboyd@codeaurora.org> Fixes: 6314b6796e3c "clk: Don't hold prepare_lock across debugfs creation"
Quoting Stephen Boyd (2015-01-19 11:44:35) > On 01/19/2015 01:57 AM, Srinivas Kandagatla wrote: > > Some of the clks can be registered & unregistered before the clk related debugfs > > entries are initialized at late_initcall. In the unregister path checking for only > > dentry before clk_debug_init() would lead dangling pointers in the debug clk list, > > because the list is already populated in register path and the clk pointer freed in > > unregister path. > > The side effect of not removing it from the list is either a null pointer > > dereference or if lucky to boot the system, the number of clk entries in > > debugfs disappear. > > > > We could add more checks like if (inited && !clk->dentry) but just removing > > the check for dentry made more sense as debugfs_remove_recursive() seems to be > > safe with null pointers. This will ensure that the unregistering clk would be > > removed from the debug list in all the code paths. > > > > Without this patch kernel would crash with log: > > Unable to handle kernel NULL pointer dereference at virtual address 00000000 > > pgd = c0204000 > > [00000000] *pgd=00000000 > > Internal error: Oops: 5 [#1] SMP ARM > > Modules linked in: > > CPU: 1 PID: 1 Comm: swapper/0 Tainted: G B 3.19.0-rc3-00007-g412f9ba-dirty #840 > > Hardware name: Qualcomm (Flattened Device Tree) > > task: ed948000 ti: ed944000 task.ti: ed944000 > > PC is at strlen+0xc/0x40 > > LR is at __create_file+0x64/0x1dc > > pc : [<c04ee604>] lr : [<c049f1c4>] psr: 60000013 > > sp : ed945e40 ip : ed945e50 fp : ed945e4c > > r10: 00000000 r9 : c1006094 r8 : 00000000 > > r7 : 000041ed r6 : 00000000 r5 : ed4af998 r4 : c11b5e28 > > r3 : 00000000 r2 : ed945e38 r1 : a0000013 r0 : 00000000 > > Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel > > Control: 10c5787d Table: 8020406a DAC: 00000015 > > Process swapper/0 (pid: 1, stack limit = 0xed944248) > > Stack: (0xed945e40 to 0xed946000) > > 5e40: ed945e7c ed945e50 c049f1c4 c04ee604 c0fc2fa4 00000000 ecb748c0 c11c2b80 > > 5e60: c0beec04 0000011c c0fc2fa4 00000000 ed945e94 ed945e80 c049f3e0 c049f16c > > 5e80: 00000000 00000000 ed945eac ed945e98 c08cbc50 c049f3c0 ecb748c0 c11c2b80 > > 5ea0: ed945ed4 ed945eb0 c0fc3080 c08cbc30 c0beec04 c107e1d8 ecdf0600 c107e1d8 > > 5ec0: c107e1d8 ecdf0600 ed945f54 ed945ed8 c0208ed4 c0fc2fb0 c026a784 c04ee628 > > 5ee0: ed945f0c ed945ef0 c0f5d600 c04ee604 c0f5d5ec ef7fcc7d c0b40ecc 0000011c > > 5f00: ed945f54 ed945f10 c026a994 c0f5d5f8 c04ecc00 00000007 ef7fcc95 00000007 > > 5f20: c0e90744 c0dd0884 ed945f54 c106cde0 00000007 c117f8c0 0000011c c0f5d5ec > > 5f40: c1006094 c100609c ed945f94 ed945f58 c0f5de34 c0208e50 00000007 00000007 > > 5f60: c0f5d5ec be9b5ae0 00000000 c117f8c0 c0af1680 00000000 00000000 00000000 > > 5f80: 00000000 00000000 ed945fac ed945f98 c0af169c c0f5dd2c ed944000 00000000 > > 5fa0: 00000000 ed945fb0 c020f298 c0af168c 00000000 00000000 00000000 00000000 > > 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 > > 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ebcc6d33 bfffca73 > > [<c04ee604>] (strlen) from [<c049f1c4>] (__create_file+0x64/0x1dc) > > [<c049f1c4>] (__create_file) from [<c049f3e0>] (debugfs_create_dir+0x2c/0x34) > > [<c049f3e0>] (debugfs_create_dir) from [<c08cbc50>] (clk_debug_create_one+0x2c/0x16c) > > [<c08cbc50>] (clk_debug_create_one) from [<c0fc3080>] (clk_debug_init+0xdc/0x144) > > [<c0fc3080>] (clk_debug_init) from [<c0208ed4>] (do_one_initcall+0x90/0x1e0) > > [<c0208ed4>] (do_one_initcall) from [<c0f5de34>] (kernel_init_freeable+0x114/0x1e0) > > [<c0f5de34>] (kernel_init_freeable) from [<c0af169c>] (kernel_init+0x1c/0xfc) > > [<c0af169c>] (kernel_init) from [<c020f298>] (ret_from_fork+0x14/0x3c) > > Code: c0b40ecc e1a0c00d e92dd800 e24cb004 (e5d02000) > > ---[ end trace b940e45b5e25c1e7 ]--- > > > > Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> > > > > Reviewed-by: Stephen Boyd <sboyd@codeaurora.org> > Fixes: 6314b6796e3c "clk: Don't hold prepare_lock across debugfs creation" Applied to clk-next. Regards, Mike > > -- > Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, > a Linux Foundation Collaborative Project >
diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c index f4963b7..e310691 100644 --- a/drivers/clk/clk.c +++ b/drivers/clk/clk.c @@ -343,13 +343,9 @@ unlock: static void clk_debug_unregister(struct clk *clk) { mutex_lock(&clk_debug_lock); - if (!clk->dentry) - goto out; - hlist_del_init(&clk->debug_node); debugfs_remove_recursive(clk->dentry); clk->dentry = NULL; -out: mutex_unlock(&clk_debug_lock); }
Some of the clks can be registered & unregistered before the clk related debugfs entries are initialized at late_initcall. In the unregister path checking for only dentry before clk_debug_init() would lead dangling pointers in the debug clk list, because the list is already populated in register path and the clk pointer freed in unregister path. The side effect of not removing it from the list is either a null pointer dereference or if lucky to boot the system, the number of clk entries in debugfs disappear. We could add more checks like if (inited && !clk->dentry) but just removing the check for dentry made more sense as debugfs_remove_recursive() seems to be safe with null pointers. This will ensure that the unregistering clk would be removed from the debug list in all the code paths. Without this patch kernel would crash with log: Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = c0204000 [00000000] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: CPU: 1 PID: 1 Comm: swapper/0 Tainted: G B 3.19.0-rc3-00007-g412f9ba-dirty #840 Hardware name: Qualcomm (Flattened Device Tree) task: ed948000 ti: ed944000 task.ti: ed944000 PC is at strlen+0xc/0x40 LR is at __create_file+0x64/0x1dc pc : [<c04ee604>] lr : [<c049f1c4>] psr: 60000013 sp : ed945e40 ip : ed945e50 fp : ed945e4c r10: 00000000 r9 : c1006094 r8 : 00000000 r7 : 000041ed r6 : 00000000 r5 : ed4af998 r4 : c11b5e28 r3 : 00000000 r2 : ed945e38 r1 : a0000013 r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c5787d Table: 8020406a DAC: 00000015 Process swapper/0 (pid: 1, stack limit = 0xed944248) Stack: (0xed945e40 to 0xed946000) 5e40: ed945e7c ed945e50 c049f1c4 c04ee604 c0fc2fa4 00000000 ecb748c0 c11c2b80 5e60: c0beec04 0000011c c0fc2fa4 00000000 ed945e94 ed945e80 c049f3e0 c049f16c 5e80: 00000000 00000000 ed945eac ed945e98 c08cbc50 c049f3c0 ecb748c0 c11c2b80 5ea0: ed945ed4 ed945eb0 c0fc3080 c08cbc30 c0beec04 c107e1d8 ecdf0600 c107e1d8 5ec0: c107e1d8 ecdf0600 ed945f54 ed945ed8 c0208ed4 c0fc2fb0 c026a784 c04ee628 5ee0: ed945f0c ed945ef0 c0f5d600 c04ee604 c0f5d5ec ef7fcc7d c0b40ecc 0000011c 5f00: ed945f54 ed945f10 c026a994 c0f5d5f8 c04ecc00 00000007 ef7fcc95 00000007 5f20: c0e90744 c0dd0884 ed945f54 c106cde0 00000007 c117f8c0 0000011c c0f5d5ec 5f40: c1006094 c100609c ed945f94 ed945f58 c0f5de34 c0208e50 00000007 00000007 5f60: c0f5d5ec be9b5ae0 00000000 c117f8c0 c0af1680 00000000 00000000 00000000 5f80: 00000000 00000000 ed945fac ed945f98 c0af169c c0f5dd2c ed944000 00000000 5fa0: 00000000 ed945fb0 c020f298 c0af168c 00000000 00000000 00000000 00000000 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ebcc6d33 bfffca73 [<c04ee604>] (strlen) from [<c049f1c4>] (__create_file+0x64/0x1dc) [<c049f1c4>] (__create_file) from [<c049f3e0>] (debugfs_create_dir+0x2c/0x34) [<c049f3e0>] (debugfs_create_dir) from [<c08cbc50>] (clk_debug_create_one+0x2c/0x16c) [<c08cbc50>] (clk_debug_create_one) from [<c0fc3080>] (clk_debug_init+0xdc/0x144) [<c0fc3080>] (clk_debug_init) from [<c0208ed4>] (do_one_initcall+0x90/0x1e0) [<c0208ed4>] (do_one_initcall) from [<c0f5de34>] (kernel_init_freeable+0x114/0x1e0) [<c0f5de34>] (kernel_init_freeable) from [<c0af169c>] (kernel_init+0x1c/0xfc) [<c0af169c>] (kernel_init) from [<c020f298>] (ret_from_fork+0x14/0x3c) Code: c0b40ecc e1a0c00d e92dd800 e24cb004 (e5d02000) ---[ end trace b940e45b5e25c1e7 ]--- Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> --- drivers/clk/clk.c | 4 ---- 1 file changed, 4 deletions(-)