1 files changed, 74 insertions, 9 deletions
diff --git a/drivers/base/core.c b/drivers/base/core.c
index da84a73f2ba6..1669d41fcddc 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -1663,6 +1663,9 @@ void device_initialize(struct device *dev)
        kobject_init(&dev->kobj, &device_ktype);
        INIT_LIST_HEAD(&dev->dma_pools);
        mutex_init(&dev->mutex);
+#ifdef CONFIG_PROVE_LOCKING
+        mutex_init(&dev->lockdep_mutex);
+#endif
        lockdep_set_novalidate_class(&dev->mutex);
        spin_lock_init(&dev->devres_lock);
        INIT_LIST_HEAD(&dev->devres_head);
@@ -1820,12 +1823,63 @@ static inline struct kobject *get_glue_dir(struct device *dev)
 */
 static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
 {
+        unsigned int ref;
        /* see if we live in a "glue" directory */
        if (!live_in_glue_dir(glue_dir, dev))
                return;
        mutex_lock(&gdp_mutex);
-        if (!kobject_has_children(glue_dir))
+        /**
+         * There is a race condition between removing glue directory
+         * and adding a new device under the glue directory.
+         *
+         * CPU1:                                         CPU2:
+         *
+         * device_add()
+         *   get_device_parent()
+         *     class_dir_create_and_add()
+         *       kobject_add_internal()
+         *         create_dir()    // create glue_dir
+         *
+         *                                               device_add()
+         *                                                 get_device_parent()
+         *                                                   kobject_get() // get glue_dir
+         *
+         * device_del()
+         *   cleanup_glue_dir()
+         *     kobject_del(glue_dir)
+         *
+         *                                               kobject_add()
+         *                                                 kobject_add_internal()
+         *                                                   create_dir() // in glue_dir
+         *                                                     sysfs_create_dir_ns()
+         *                                                       kernfs_create_dir_ns(sd)
+         *
+         *       sysfs_remove_dir() // glue_dir->sd=NULL
+         *       sysfs_put()        // free glue_dir->sd
+         *
+         *                                                         // sd is freed
+         *                                                         kernfs_new_node(sd)
+         *                                                           kernfs_get(glue_dir)
+         *                                                           kernfs_add_one()
+         *                                                           kernfs_put()
+         *
+         * Before CPU1 remove last child device under glue dir, if CPU2 add
+         * a new device under glue dir, the glue_dir kobject reference count
+         * will be increase to 2 in kobject_get(k). And CPU2 has been called
+         * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir()
+         * and sysfs_put(). This result in glue_dir->sd is freed.
+         *
+         * Then the CPU2 will see a stale "empty" but still potentially used
+         * glue dir around in kernfs_new_node().
+         *
+         * In order to avoid this happening, we also should make sure that
+         * kernfs_node for glue_dir is released in CPU1 only when refcount
+         * for glue_dir kobj is 1.
+         */
+        ref = kref_read(&glue_dir->kref);
+        if (!kobject_has_children(glue_dir) && !--ref)
                kobject_del(glue_dir);
        kobject_put(glue_dir);
        mutex_unlock(&gdp_mutex);
@@ -2211,6 +2265,24 @@ void put_device(struct device *dev)
 }
 EXPORT_SYMBOL_GPL(put_device);
+bool kill_device(struct device *dev)
+{
+        /*
+         * Require the device lock and set the "dead" flag to guarantee that
+         * the update behavior is consistent with the other bitfields near
+         * it and that we cannot have an asynchronous probe routine trying
+         * to run while we are tearing out the bus/class/sysfs from
+         * underneath the device.
+         */
+        lockdep_assert_held(&dev->mutex);
+        if (dev->p->dead)
+                return false;
+        dev->p->dead = true;
+        return true;
+}
+EXPORT_SYMBOL_GPL(kill_device);
 /**
 * device_del - delete device from system.
 * @dev: device.
@@ -2230,15 +2302,8 @@ void device_del(struct device *dev)
        struct kobject *glue_dir = NULL;
        struct class_interface *class_intf;
-        /*
-         * Hold the device lock and set the "dead" flag to guarantee that
-         * the update behavior is consistent with the other bitfields near
-         * it and that we cannot have an asynchronous probe routine trying
-         * to run while we are tearing out the bus/class/sysfs from
-         * underneath the device.
-         */
        device_lock(dev);
-        dev->p->dead = true;
+        kill_device(dev);
        device_unlock(dev);
        /* Notify clients of device removal.  This call must come

diff --git a/drivers/base/core.c b/drivers/base/core.c index da84a73f2ba6..1669d41fcddc 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c
@@ -1663,6 +1663,9 @@ void device_initialize(struct device *dev)
1663	kobject_init(&dev->kobj, &device_ktype);	1663	kobject_init(&dev->kobj, &device_ktype);
1664	INIT_LIST_HEAD(&dev->dma_pools);	1664	INIT_LIST_HEAD(&dev->dma_pools);
1665	mutex_init(&dev->mutex);	1665	mutex_init(&dev->mutex);
		1666	#ifdef CONFIG_PROVE_LOCKING
		1667	mutex_init(&dev->lockdep_mutex);
		1668	#endif
1666	lockdep_set_novalidate_class(&dev->mutex);	1669	lockdep_set_novalidate_class(&dev->mutex);
1667	spin_lock_init(&dev->devres_lock);	1670	spin_lock_init(&dev->devres_lock);
1668	INIT_LIST_HEAD(&dev->devres_head);	1671	INIT_LIST_HEAD(&dev->devres_head);
@@ -1820,12 +1823,63 @@ static inline struct kobject get_glue_dir(struct device dev)
1820	*/	1823	*/
1821	static void cleanup_glue_dir(struct device dev, struct kobject glue_dir)	1824	static void cleanup_glue_dir(struct device dev, struct kobject glue_dir)
1822	{	1825	{
		1826	unsigned int ref;
		1827
1823	/* see if we live in a "glue" directory */	1828	/* see if we live in a "glue" directory */
1824	if (!live_in_glue_dir(glue_dir, dev))	1829	if (!live_in_glue_dir(glue_dir, dev))
1825	return;	1830	return;
1826		1831
1827	mutex_lock(&gdp_mutex);	1832	mutex_lock(&gdp_mutex);
1828	if (!kobject_has_children(glue_dir))	1833	/**
		1834	* There is a race condition between removing glue directory
		1835	* and adding a new device under the glue directory.
		1836	*
		1837	* CPU1: CPU2:
		1838	*
		1839	* device_add()
		1840	* get_device_parent()
		1841	* class_dir_create_and_add()
		1842	* kobject_add_internal()
		1843	* create_dir() // create glue_dir
		1844	*
		1845	* device_add()
		1846	* get_device_parent()
		1847	* kobject_get() // get glue_dir
		1848	*
		1849	* device_del()
		1850	* cleanup_glue_dir()
		1851	* kobject_del(glue_dir)
		1852	*
		1853	* kobject_add()
		1854	* kobject_add_internal()
		1855	* create_dir() // in glue_dir
		1856	* sysfs_create_dir_ns()
		1857	* kernfs_create_dir_ns(sd)
		1858	*
		1859	* sysfs_remove_dir() // glue_dir->sd=NULL
		1860	* sysfs_put() // free glue_dir->sd
		1861	*
		1862	* // sd is freed
		1863	* kernfs_new_node(sd)
		1864	* kernfs_get(glue_dir)
		1865	* kernfs_add_one()
		1866	* kernfs_put()
		1867	*
		1868	* Before CPU1 remove last child device under glue dir, if CPU2 add
		1869	* a new device under glue dir, the glue_dir kobject reference count
		1870	* will be increase to 2 in kobject_get(k). And CPU2 has been called
		1871	* kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir()
		1872	* and sysfs_put(). This result in glue_dir->sd is freed.
		1873	*
		1874	* Then the CPU2 will see a stale "empty" but still potentially used
		1875	* glue dir around in kernfs_new_node().
		1876	*
		1877	* In order to avoid this happening, we also should make sure that
		1878	* kernfs_node for glue_dir is released in CPU1 only when refcount
		1879	* for glue_dir kobj is 1.
		1880	*/
		1881	ref = kref_read(&glue_dir->kref);
		1882	if (!kobject_has_children(glue_dir) && !--ref)
1829	kobject_del(glue_dir);	1883	kobject_del(glue_dir);
1830	kobject_put(glue_dir);	1884	kobject_put(glue_dir);
1831	mutex_unlock(&gdp_mutex);	1885	mutex_unlock(&gdp_mutex);
@@ -2211,6 +2265,24 @@ void put_device(struct device *dev)
2211	}	2265	}
2212	EXPORT_SYMBOL_GPL(put_device);	2266	EXPORT_SYMBOL_GPL(put_device);
2213		2267
		2268	bool kill_device(struct device *dev)
		2269	{
		2270	/*
		2271	* Require the device lock and set the "dead" flag to guarantee that
		2272	* the update behavior is consistent with the other bitfields near
		2273	* it and that we cannot have an asynchronous probe routine trying
		2274	* to run while we are tearing out the bus/class/sysfs from
		2275	* underneath the device.
		2276	*/
		2277	lockdep_assert_held(&dev->mutex);
		2278
		2279	if (dev->p->dead)
		2280	return false;
		2281	dev->p->dead = true;
		2282	return true;
		2283	}
		2284	EXPORT_SYMBOL_GPL(kill_device);
		2285
2214	/**	2286	/**
2215	* device_del - delete device from system.	2287	* device_del - delete device from system.
2216	* @dev: device.	2288	* @dev: device.
@@ -2230,15 +2302,8 @@ void device_del(struct device *dev)
2230	struct kobject *glue_dir = NULL;	2302	struct kobject *glue_dir = NULL;
2231	struct class_interface *class_intf;	2303	struct class_interface *class_intf;
2232		2304
2233	/*
2234	* Hold the device lock and set the "dead" flag to guarantee that
2235	* the update behavior is consistent with the other bitfields near
2236	* it and that we cannot have an asynchronous probe routine trying
2237	* to run while we are tearing out the bus/class/sysfs from
2238	* underneath the device.
2239	*/
2240	device_lock(dev);	2305	device_lock(dev);
2241	dev->p->dead = true;	2306	kill_device(dev);
2242	device_unlock(dev);	2307	device_unlock(dev);
2243		2308
2244	/* Notify clients of device removal. This call must come	2309	/* Notify clients of device removal. This call must come