From 2da55cfd603d1c08dd1a396f943d6205eca47227 Mon Sep 17 00:00:00 2001 From: Tomas Winkler Date: Wed, 28 Oct 2015 14:34:34 +0200 Subject: [PATCH] mei: bus: use correct lock ordering The correct lock order is cl_bus_lock device_lock me_clients_rwsem This order was violated in bus rescan and remove routines when me_client_rwsem was locked before cl_bus_lock. Chain exists of: [ 4.321653] &dev->device_lock --> &dev->me_clients_rwsem --> &dev->cl_bus_lock [ 4.321653] [ 4.321679] Possible unsafe locking scenario: [ 4.321679] [ 4.321693] CPU0 CPU1 [ 4.321701] ---- ---- [ 4.321709] lock(&dev->cl_bus_lock); [ 4.321720] lock(&dev->me_clients_rwsem); [ 4.321733] lock(&dev->cl_bus_lock); [ 4.321745] lock(&dev->device_lock); [ 4.321755] [ 4.321755] *** DEADLOCK *** [ 4.321755] Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mei/bus.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c index 160e084..46403e4 100644 --- a/drivers/misc/mei/bus.c +++ b/drivers/misc/mei/bus.c @@ -830,17 +830,20 @@ static void mei_cl_bus_dev_stop(struct mei_cl_device *cldev) * mei_cl_bus_dev_destroy - destroy me client devices object * * @cldev: me client device + * + * Locking: called under "dev->cl_bus_lock" lock */ static void mei_cl_bus_dev_destroy(struct mei_cl_device *cldev) { + + WARN_ON(!mutex_is_locked(&cldev->bus->cl_bus_lock)); + if (!cldev->is_added) return; device_del(&cldev->dev); - mutex_lock(&cldev->bus->cl_bus_lock); list_del_init(&cldev->bus_list); - mutex_unlock(&cldev->bus->cl_bus_lock); cldev->is_added = 0; put_device(&cldev->dev); @@ -866,8 +869,10 @@ void mei_cl_bus_remove_devices(struct mei_device *bus) { struct mei_cl_device *cldev, *next; + mutex_lock(&bus->cl_bus_lock); list_for_each_entry_safe(cldev, next, &bus->device_list, bus_list) mei_cl_bus_remove_device(cldev); + mutex_unlock(&bus->cl_bus_lock); } @@ -877,12 +882,16 @@ void mei_cl_bus_remove_devices(struct mei_device *bus) * * @bus: mei device * @me_cl: me client + * + * Locking: called under "dev->cl_bus_lock" lock */ static void mei_cl_bus_dev_init(struct mei_device *bus, struct mei_me_client *me_cl) { struct mei_cl_device *cldev; + WARN_ON(!mutex_is_locked(&bus->cl_bus_lock)); + dev_dbg(bus->dev, "initializing %pUl", mei_me_cl_uuid(me_cl)); if (me_cl->bus_added) @@ -892,10 +901,8 @@ static void mei_cl_bus_dev_init(struct mei_device *bus, if (!cldev) return; - mutex_lock(&cldev->bus->cl_bus_lock); me_cl->bus_added = true; list_add_tail(&cldev->bus_list, &bus->device_list); - mutex_unlock(&cldev->bus->cl_bus_lock); } @@ -910,12 +917,13 @@ void mei_cl_bus_rescan(struct mei_device *bus) struct mei_cl_device *cldev, *n; struct mei_me_client *me_cl; + mutex_lock(&bus->cl_bus_lock); + down_read(&bus->me_clients_rwsem); list_for_each_entry(me_cl, &bus->me_clients, list) mei_cl_bus_dev_init(bus, me_cl); up_read(&bus->me_clients_rwsem); - mutex_lock(&bus->cl_bus_lock); list_for_each_entry_safe(cldev, n, &bus->device_list, bus_list) { if (!mei_me_cl_is_active(cldev->me_cl)) { -- 2.7.4