On Mon, Mar 30, 2015 at 09:06:43AM +0000, EunTaik Lee wrote:
> There is a possible race condition when a device
> is added while another device with the same parent,
> with ref count of one, is deleted.
>
> CPU0                              CPU1
> device_add()                      device_del()
>   get_device_parent()               put_device(parent);
>     kobj = kobject_get(k);            kobject_put()
>                                         kref_put()
>                                           refcount=0
>       refcount is 0
>       WARNS it was 0 but
>       return kobj                       frees kobj
>     uses the freed parent kobj
>
> The race condition exists because kref_put() and the
> release function are not atomic.
> Using kobject_get_unless_zero() instead of
> kobject_get() in get_device_parent() will prevent
> this race condition.

The bus that the device is on should prevent this, why isn't that working for you? What type of device/bus do you see this problem on?

> Signed-off-by: eun.taik.lee <eun.taik....@samsung.com>

We need a "real" name here, I don't think your name has '.' in it, right?

> --- > drivers/base/core.c | 2 +- > include/linux/kobject.h | 2 ++ > lib/kobject.c | 2 +- > 3 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/base/core.c b/drivers/base/core.c > index 07304a3..ec2f211 100644 > --- a/drivers/base/core.c > +++ b/drivers/base/core.c > @@ -761,7 +761,7 @@ static struct kobject *get_device_parent(struct device > *dev, > spin_lock(&dev->class->p->glue_dirs.list_lock); > list_for_each_entry(k, &dev->class->p->glue_dirs.list, entry) > if (k->parent == parent_kobj) { > - kobj = kobject_get(k); > + kobj = kobject_get_unless_zero(k); > break;

Your email client turned all tabs to spaces and made the patch unable to be applied.

thanks,

greg k-h
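
Review bot: in the get_device_parent() hunk, the break still runs when kobject_get_unless_zero(k) returns NULL, so the search ends with kobj == NULL while the matching glue dir is still on glue_dirs.list under the same parent. The changelog should state what the code after the loop does in that case and why it is safe next to an entry whose release is still pending; if the intent is to fall through and create a fresh glue directory, say so in a comment at the call site. The diffstat also lists include/linux/kobject.h and lib/kobject.c, but those hunks are not in this message, so the declaration of kobject_get_unless_zero() cannot be checked from what is quoted here.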
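
The difference between the two calls in the quoted changelog, as an added userspace example that is not part of the original thread or of the kernel source. struct obj, obj_get(), obj_get_unless_zero(), obj_put() and replay() are hypothetical names modelling kobject_get(), kobject_get_unless_zero() and kref_put() with C11 atomics, and the CPU0/CPU1 interleaving is replayed on a single thread.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for struct kobject: only the refcount matters here. */
struct obj { atomic_int refcount; };

/* Models kobject_get(): unconditional increment. If the count has already
 * hit zero, the caller gets a pointer to an object that is being released. */
static struct obj *obj_get(struct obj *o)
{
    atomic_fetch_add(&o->refcount, 1);
    return o;
}

/* Models kobject_get_unless_zero(): check and increment happen as one atomic
 * step (compare-and-swap loop), so a zero count is never resurrected. */
static struct obj *obj_get_unless_zero(struct obj *o)
{
    int old = atomic_load(&o->refcount);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&o->refcount, &old, old + 1))
            return o;               /* on failure 'old' is reloaded, retry */
    }
    return NULL;                    /* lost the race: caller must not use o */
}

/* Models kref_put(): true means this caller dropped the last reference
 * and will go on to run the release function. */
static bool obj_put(struct obj *o)
{
    return atomic_fetch_sub(&o->refcount, 1) == 1;
}

/* Replays the changelog's interleaving. Returns 1 if CPU0 ends up holding
 * a pointer to an object that CPU1 is committed to freeing. */
static int replay(bool use_unless_zero)
{
    struct obj parent;
    atomic_init(&parent.refcount, 1);
    bool release_pending = obj_put(&parent);            /* CPU1: 1 -> 0 */
    struct obj *got = use_unless_zero ? obj_get_unless_zero(&parent)
                                      : obj_get(&parent); /* CPU0 lookup */
    return release_pending && got != NULL;
}

int main(void)
{
    printf("get: dangling=%d, get_unless_zero: dangling=%d\n",
           replay(false), replay(true));
    return 0;
}
```

The model only covers the refcount step; it says nothing about whether bus-level serialization already rules the interleaving out, which is the question raised in the reply above.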