Re: On trace_*_rcuidle functions in modules

From: Bjorn Andersson
Date: Wed Apr 15 2020 - 21:02:52 EST

Next message: Tian Tao: "[PATCH v2] drm/hisilicon: Add the shutdown for hibmc_pci_driver"
Previous message: Eric Sandeen: "Re: [PATCH 2/5] blktrace: fix debugfs use after free"
In reply to: Steven Rostedt: "Re: On trace_*_rcuidle functions in modules"
Next in thread: Steven Rostedt: "Re: On trace_*_rcuidle functions in modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed 15 Apr 17:48 PDT 2020, Steven Rostedt wrote:

> On Wed, 15 Apr 2020 17:06:24 -0700
> John Stultz <john.stultz@xxxxxxxxxx> wrote:
>
> > So you're saying the recent change to move to using trace_*_rcuidle()
> > was unnecessary?
> >
> > Or is there a different notifier then cpu_pm_register_notifier() that
> > the driver should be using (that one seems to be using
> > atomic_notifier_chain_register())?
>
> From looking at the trace event in __tcs_buffer_write() in
> drivers/soc/qcom/rpmh-rsc.c, the _rcuidle() was added by:
>
> efde2659b0fe8 ("drivers: qcom: rpmh-rsc: Use rcuidle tracepoints for rpmh")
>
> Which shows a backtrace dump of:
>
> Call trace:
> dump_backtrace+0x0/0x174
> show_stack+0x20/0x2c
> dump_stack+0xc8/0x124
> lockdep_rcu_suspicious+0xe4/0x104
> __tcs_buffer_write+0x230/0x2d0
> rpmh_rsc_write_ctrl_data+0x210/0x270
> rpmh_flush+0x84/0x24c
> rpmh_domain_power_off+0x78/0x98
> _genpd_power_off+0x40/0xc0
> genpd_power_off+0x168/0x208
> genpd_power_off+0x1e0/0x208
> genpd_power_off+0x1e0/0x208
> genpd_runtime_suspend+0x1ac/0x220
> __rpm_callback+0x70/0xfc
> rpm_callback+0x34/0x8c
> rpm_suspend+0x218/0x4a4
> __pm_runtime_suspend+0x88/0xac
> psci_enter_domain_idle_state+0x3c/0xb4
> cpuidle_enter_state+0xb8/0x284
> cpuidle_enter+0x38/0x4c
> call_cpuidle+0x3c/0x68
> do_idle+0x194/0x260
> cpu_startup_entry+0x24/0x28
> secondary_start_kernel+0x150/0x15c
>
>
> There's no notifier that calls this. This is called by the rpm_callback
> logic. Perhaps that callback will require a call to rcu_irq_enter()
> before calling the callback.
>
> In any case, I think it is wrong that these callbacks are called
> without RCU watching. The _rcuidle() on that tracepoint should be
> removed, and we fix the code that gets there to ensure that RCU is
> enabled. I agree with Peter, that no module code should be executed
> without RCU watching.
>

Forgive me, but how is this problem related to the fact that the code is
dynamically loaded, i.e. encapsulated in a module?

Per the example earlier in this thread, the thing we're worried about is
a use after free in the following scenario, right?

cpu_pm_unregister_notifier(my_notifier);
kfree(my_data);

But a driver implementing this snippet might do this regardless of being
builtin or module and afaict exiting probe() unsuccessfully or unbinding
the device would risk triggering this issue?

Regards,
Bjorn

Next message: Tian Tao: "[PATCH v2] drm/hisilicon: Add the shutdown for hibmc_pci_driver"
Previous message: Eric Sandeen: "Re: [PATCH 2/5] blktrace: fix debugfs use after free"
In reply to: Steven Rostedt: "Re: On trace_*_rcuidle functions in modules"
Next in thread: Steven Rostedt: "Re: On trace_*_rcuidle functions in modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]