diff options
| author | Srinivasarao P <spathi@codeaurora.org> | 2019-09-24 10:58:02 +0530 |
|---|---|---|
| committer | Srinivasarao P <spathi@codeaurora.org> | 2019-09-24 10:58:13 +0530 |
| commit | 90582d7c19b7af63c8311c757b98ce082e1bf29b (patch) | |
| tree | 250d05d76c8c9fd047793d5715f14fc90cad0ac9 /drivers/base/core.c | |
| parent | 869c392a217ba62afb53a5609563f97d4d8b92f5 (diff) | |
| parent | a749771ac273a479161cb12e1de1122483778ebf (diff) | |
Merge android-4.4.194 (a749771) into msm-4.4
* refs/heads/tmp-a749771
Linux 4.4.194
net_sched: let qdisc_put() accept NULL pointer
ARC: export "abort" for modules
media: technisat-usb2: break out of loop at end of buffer
floppy: fix usercopy direction
keys: Fix missing null pointer check in request_key_auth_describe()
dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
net: seeq: Fix the function used to release some memory in an error handling path
tools/power turbostat: fix buffer overrun
sky2: Disable MSI on yet another ASUS boards (P6Xxxx)
cifs: Use kzfree() to zero out the password
cifs: set domainName when a domain-key is used in multiuser
NFSv2: Fix write regression
NFSv2: Fix eof handling
netfilter: nf_conntrack_ftp: Fix debug output
x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines
r8152: Set memory to all 0xFFs on failed reg reads
ARM: 8874/1: mm: only adjust sections of valid mm structures
Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105
NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup
NFSv4: Fix return values for nfs4_file_open()
s390/bpf: use 32-bit index for tail calls
ARM: OMAP2+: Fix omap4 errata warning on other SoCs
s390/bpf: fix lcgr instruction encoding
mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
tty/serial: atmel: reschedule TX after RX was started
serial: sprd: correct the wrong sequence of arguments
KVM: coalesced_mmio: add bounds checking
xen-netfront: do not assume sk_buff_head list is empty in error handling
x86/boot: Add missing bootparam that breaks boot on some platforms
media: tm6000: double free if usb disconnect while streaming
USB: usbcore: Fix slab-out-of-bounds bug during device reset
ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs
MIPS: netlogic: xlr: Remove erroneous check in nlm_fmn_send()
x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning
crypto: talitos - check data blocksize in ablkcipher.
crypto: talitos - check AES key size
driver core: Fix use-after-free and double free on glue directory
clk: rockchip: Don't yell about bad mmc phases when getting
MIPS: VDSO: Use same -m%-float cflag as the kernel proper
MIPS: VDSO: Prevent use of smp_processor_id()
KVM: nVMX: handle page fault in vmread
KVM: x86: work around leak of uninitialized stack contents
KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
genirq: Prevent NULL pointer dereference in resend_irqs()
Btrfs: fix assertion failure during fsync and use of stale transaction
Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur"
tun: fix use-after-free when register netdev failed
tipc: add NULL pointer check before calling kfree_rcu
tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
net: Fix null de-reference of device refcount
isdn/capi: check message length in capi_write()
ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
cdc_ether: fix rndis support for Mediatek based smartphones
bridge/mdb: remove wrong use of NLM_F_MULTI
Change-Id: I950778c771159febb721a4ebc2656c57ef40ad83
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Diffstat (limited to 'drivers/base/core.c')
| -rw-r--r-- | drivers/base/core.c | 53 |
1 files changed, 52 insertions, 1 deletions
diff --git a/drivers/base/core.c b/drivers/base/core.c index cef0f5c1bf85..4e27b3abf5a5 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -862,12 +862,63 @@ static inline struct kobject *get_glue_dir(struct device *dev) */ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir) { + unsigned int ref; + /* see if we live in a "glue" directory */ if (!live_in_glue_dir(glue_dir, dev)) return; mutex_lock(&gdp_mutex); - if (!kobject_has_children(glue_dir)) + /** + * There is a race condition between removing glue directory + * and adding a new device under the glue directory. + * + * CPU1: CPU2: + * + * device_add() + * get_device_parent() + * class_dir_create_and_add() + * kobject_add_internal() + * create_dir() // create glue_dir + * + * device_add() + * get_device_parent() + * kobject_get() // get glue_dir + * + * device_del() + * cleanup_glue_dir() + * kobject_del(glue_dir) + * + * kobject_add() + * kobject_add_internal() + * create_dir() // in glue_dir + * sysfs_create_dir_ns() + * kernfs_create_dir_ns(sd) + * + * sysfs_remove_dir() // glue_dir->sd=NULL + * sysfs_put() // free glue_dir->sd + * + * // sd is freed + * kernfs_new_node(sd) + * kernfs_get(glue_dir) + * kernfs_add_one() + * kernfs_put() + * + * Before CPU1 remove last child device under glue dir, if CPU2 add + * a new device under glue dir, the glue_dir kobject reference count + * will be increase to 2 in kobject_get(k). And CPU2 has been called + * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir() + * and sysfs_put(). This result in glue_dir->sd is freed. + * + * Then the CPU2 will see a stale "empty" but still potentially used + * glue dir around in kernfs_new_node(). + * + * In order to avoid this happening, we also should make sure that + * kernfs_node for glue_dir is released in CPU1 only when refcount + * for glue_dir kobj is 1. + */ + ref = atomic_read(&glue_dir->kref.refcount); + if (!kobject_has_children(glue_dir) && !--ref) kobject_del(glue_dir); kobject_put(glue_dir); mutex_unlock(&gdp_mutex); |