diff mbox

[2/2] power: Change device_wakeup_enable() to WARN_ON on null dev_name(dev)

Message ID 622a097f9780dc721354d0e2b6cb512280da1ebc.1384875691.git.shuah.kh@samsung.com (mailing list archive)
State Changes Requested, archived
Headers show

Commit Message

Shuah Khan Nov. 19, 2013, 4:05 p.m. UTC 
device_wakeup_enable() uses dev_name(dev) as the wakeup source name.
When it gets called with a device with its name not yet set, ws structure
with ws->name = NULL gets created.

When kernel is booted with wakeup_source_activate enabled, it will panic
when the trace point code tries to dereferences ws->name.

Change device_wakeup_enable() to WARN_ON on dev_name(dev) null condition
to detect driver bugs that result in calling device_wakeup_enable() before
device is fully initialized with its name in device_wakeup_enable().

This change without the power_supply_register() fix will result in early
boot panics when AC Adapter and Battery device drivers try to register
wakeup source.

The following panic resulted from power_supply_register() registering
wakeup source with a null device name.

[  819.769934] device: 'BAT1': device_add
[  819.770078] PM: Adding info for No Bus:BAT1
[  819.770235] BUG: unable to handle kernel NULL pointer dereference at           (null)
[  819.770435] IP: [<ffffffff813381c0>] skip_spaces+0x30/0x30
[  819.770572] PGD 3efd90067 PUD 3eff61067 PMD 0
[  819.770716] Oops: 0000 [#1] SMP
[  819.770829] Modules linked in: arc4 iwldvm mac80211 x86_pkg_temp_thermal coretemp kvm_intel joydev i915 kvm uvcvideo ghash_clmulni_intel videobuf2_vmalloc aesni_intel videobuf2_memops videobuf2_core aes_x86_64 ablk_helper cryptd videodev iwlwifi lrw rfcomm gf128mul glue_helper bnep btusb media bluetooth parport_pc hid_generic ppdev snd_hda_codec_hdmi drm_kms_helper snd_hda_codec_realtek cfg80211 drm tpm_infineon samsung_laptop snd_hda_intel usbhid snd_hda_codec hid snd_hwdep snd_pcm microcode snd_page_alloc snd_timer psmouse i2c_algo_bit lpc_ich tpm_tis video wmi mac_hid serio_raw ext2 lp parport r8169 mii
[  819.771802] CPU: 0 PID: 2167 Comm: bash Not tainted 3.12.0+ #25
[  819.771876] Hardware name: SAMSUNG ELECTRONICS CO., LTD. 900X3C/900X3D/900X4C/900X4D/SAMSUNG_NP1234567890, BIOS P03AAC 07/12/2012
[  819.772022] task: ffff88002e6ddcc0 ti: ffff8804015ca000 task.ti: ffff8804015ca000
[  819.772119] RIP: 0010:[<ffffffff813381c0>]  [<ffffffff813381c0>] skip_spaces+0x30/0x30
[  819.772242] RSP: 0018:ffff8804015cbc70  EFLAGS: 00010046
[  819.772310] RAX: 0000000000000003 RBX: ffff88040cfd6d40 RCX: 0000000000000018
[  819.772397] RDX: 0000000000020001 RSI: 0000000000000000 RDI: 0000000000000000
[  819.772484] RBP: ffff8804015cbcc0 R08: 0000000000000000 R09: ffff8803f0768d40
[  819.772570] R10: ffffea001033b800 R11: 0000000000000000 R12: ffffffff81c519c0
[  819.772656] R13: 0000000000020001 R14: 0000000000000000 R15: 0000000000020001
[  819.772744] FS:  00007ff98309b740(0000) GS:ffff88041f200000(0000) knlGS:0000000000000000
[  819.772845] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  819.772917] CR2: 0000000000000000 CR3: 00000003f59dc000 CR4: 00000000001407f0
[  819.773001] Stack:
[  819.773030]  ffffffff81114003 ffff8804015cbcb0 0000000000000000 0000000000000046
[  819.773146]  ffff880409757a18 ffff8803f065a160 0000000000000000 0000000000020001
[  819.773273]  0000000000000000 0000000000000000 ffff8804015cbce8 ffffffff8143e388
[  819.773387] Call Trace:
[  819.773434]  [<ffffffff81114003>] ? ftrace_raw_event_wakeup_source+0x43/0xe0
[  819.773520]  [<ffffffff8143e388>] wakeup_source_report_event+0xb8/0xd0
[  819.773595]  [<ffffffff8143e3cd>] __pm_stay_awake+0x2d/0x50
[  819.773724]  [<ffffffff8153395c>] power_supply_changed+0x3c/0x90
[  819.773795]  [<ffffffff8153407c>] power_supply_register+0x18c/0x250
[  819.773869]  [<ffffffff813d8d18>] sysfs_add_battery+0x61/0x7b
[  819.773935]  [<ffffffff813d8d69>] battery_notify+0x37/0x3f
[  819.774001]  [<ffffffff816ccb7c>] notifier_call_chain+0x4c/0x70
[  819.774071]  [<ffffffff81073ded>] __blocking_notifier_call_chain+0x4d/0x70
[  819.774149]  [<ffffffff81073e26>] blocking_notifier_call_chain+0x16/0x20
[  819.774227]  [<ffffffff8109397a>] pm_notifier_call_chain+0x1a/0x40
[  819.774316]  [<ffffffff81095b66>] hibernate+0x66/0x1c0
[  819.774407]  [<ffffffff81093931>] state_store+0x71/0xa0
[  819.774507]  [<ffffffff81331d8f>] kobj_attr_store+0xf/0x20
[  819.774613]  [<ffffffff811f8618>] sysfs_write_file+0x128/0x1c0
[  819.774735]  [<ffffffff8118579d>] vfs_write+0xbd/0x1e0
[  819.774841]  [<ffffffff811861d9>] SyS_write+0x49/0xa0
[  819.774939]  [<ffffffff816d1052>] system_call_fastpath+0x16/0x1b
[  819.775055] Code: 89 f8 48 89 e5 f6 82 c0 a6 84 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 c0 a6 84 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80
[  819.775760] RIP  [<ffffffff813381c0>] skip_spaces+0x30/0x30
[  819.775881]  RSP <ffff8804015cbc70>
[  819.775949] CR2: 0000000000000000
[  819.794175] ---[ end trace c4ef25127039952e ]---

Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
---
 drivers/base/power/wakeup.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Greg Kroah-Hartman Nov. 19, 2013, 11:14 p.m. UTC | #1 
On Tue, Nov 19, 2013 at 09:05:46AM -0700, Shuah Khan wrote:
> device_wakeup_enable() uses dev_name(dev) as the wakeup source name.
> When it gets called with a device with its name not yet set, ws structure
> with ws->name = NULL gets created.
> 
> When kernel is booted with wakeup_source_activate enabled, it will panic
> when the trace point code tries to dereferences ws->name.
> 
> Change device_wakeup_enable() to WARN_ON on dev_name(dev) null condition
> to detect driver bugs that result in calling device_wakeup_enable() before
> device is fully initialized with its name in device_wakeup_enable().
> 
> This change without the power_supply_register() fix will result in early
> boot panics when AC Adapter and Battery device drivers try to register
> wakeup source.
> 
> The following panic resulted from power_supply_register() registering
> wakeup source with a null device name.
> 
> [  819.769934] device: 'BAT1': device_add
> [  819.770078] PM: Adding info for No Bus:BAT1
> [  819.770235] BUG: unable to handle kernel NULL pointer dereference at           (null)
> [  819.770435] IP: [<ffffffff813381c0>] skip_spaces+0x30/0x30
> [  819.770572] PGD 3efd90067 PUD 3eff61067 PMD 0
> [  819.770716] Oops: 0000 [#1] SMP
> [  819.770829] Modules linked in: arc4 iwldvm mac80211 x86_pkg_temp_thermal coretemp kvm_intel joydev i915 kvm uvcvideo ghash_clmulni_intel videobuf2_vmalloc aesni_intel videobuf2_memops videobuf2_core aes_x86_64 ablk_helper cryptd videodev iwlwifi lrw rfcomm gf128mul glue_helper bnep btusb media bluetooth parport_pc hid_generic ppdev snd_hda_codec_hdmi drm_kms_helper snd_hda_codec_realtek cfg80211 drm tpm_infineon samsung_laptop snd_hda_intel usbhid snd_hda_codec hid snd_hwdep snd_pcm microcode snd_page_alloc snd_timer psmouse i2c_algo_bit lpc_ich tpm_tis video wmi mac_hid serio_raw ext2 lp parport r8169 mii
> [  819.771802] CPU: 0 PID: 2167 Comm: bash Not tainted 3.12.0+ #25
> [  819.771876] Hardware name: SAMSUNG ELECTRONICS CO., LTD. 900X3C/900X3D/900X4C/900X4D/SAMSUNG_NP1234567890, BIOS P03AAC 07/12/2012
> [  819.772022] task: ffff88002e6ddcc0 ti: ffff8804015ca000 task.ti: ffff8804015ca000
> [  819.772119] RIP: 0010:[<ffffffff813381c0>]  [<ffffffff813381c0>] skip_spaces+0x30/0x30
> [  819.772242] RSP: 0018:ffff8804015cbc70  EFLAGS: 00010046
> [  819.772310] RAX: 0000000000000003 RBX: ffff88040cfd6d40 RCX: 0000000000000018
> [  819.772397] RDX: 0000000000020001 RSI: 0000000000000000 RDI: 0000000000000000
> [  819.772484] RBP: ffff8804015cbcc0 R08: 0000000000000000 R09: ffff8803f0768d40
> [  819.772570] R10: ffffea001033b800 R11: 0000000000000000 R12: ffffffff81c519c0
> [  819.772656] R13: 0000000000020001 R14: 0000000000000000 R15: 0000000000020001
> [  819.772744] FS:  00007ff98309b740(0000) GS:ffff88041f200000(0000) knlGS:0000000000000000
> [  819.772845] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  819.772917] CR2: 0000000000000000 CR3: 00000003f59dc000 CR4: 00000000001407f0
> [  819.773001] Stack:
> [  819.773030]  ffffffff81114003 ffff8804015cbcb0 0000000000000000 0000000000000046
> [  819.773146]  ffff880409757a18 ffff8803f065a160 0000000000000000 0000000000020001
> [  819.773273]  0000000000000000 0000000000000000 ffff8804015cbce8 ffffffff8143e388
> [  819.773387] Call Trace:
> [  819.773434]  [<ffffffff81114003>] ? ftrace_raw_event_wakeup_source+0x43/0xe0
> [  819.773520]  [<ffffffff8143e388>] wakeup_source_report_event+0xb8/0xd0
> [  819.773595]  [<ffffffff8143e3cd>] __pm_stay_awake+0x2d/0x50
> [  819.773724]  [<ffffffff8153395c>] power_supply_changed+0x3c/0x90
> [  819.773795]  [<ffffffff8153407c>] power_supply_register+0x18c/0x250
> [  819.773869]  [<ffffffff813d8d18>] sysfs_add_battery+0x61/0x7b
> [  819.773935]  [<ffffffff813d8d69>] battery_notify+0x37/0x3f
> [  819.774001]  [<ffffffff816ccb7c>] notifier_call_chain+0x4c/0x70
> [  819.774071]  [<ffffffff81073ded>] __blocking_notifier_call_chain+0x4d/0x70
> [  819.774149]  [<ffffffff81073e26>] blocking_notifier_call_chain+0x16/0x20
> [  819.774227]  [<ffffffff8109397a>] pm_notifier_call_chain+0x1a/0x40
> [  819.774316]  [<ffffffff81095b66>] hibernate+0x66/0x1c0
> [  819.774407]  [<ffffffff81093931>] state_store+0x71/0xa0
> [  819.774507]  [<ffffffff81331d8f>] kobj_attr_store+0xf/0x20
> [  819.774613]  [<ffffffff811f8618>] sysfs_write_file+0x128/0x1c0
> [  819.774735]  [<ffffffff8118579d>] vfs_write+0xbd/0x1e0
> [  819.774841]  [<ffffffff811861d9>] SyS_write+0x49/0xa0
> [  819.774939]  [<ffffffff816d1052>] system_call_fastpath+0x16/0x1b
> [  819.775055] Code: 89 f8 48 89 e5 f6 82 c0 a6 84 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 c0 a6 84 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80
> [  819.775760] RIP  [<ffffffff813381c0>] skip_spaces+0x30/0x30
> [  819.775881]  RSP <ffff8804015cbc70>
> [  819.775949] CR2: 0000000000000000
> [  819.794175] ---[ end trace c4ef25127039952e ]---
> 
> Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
> ---
>  drivers/base/power/wakeup.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
> index 2d56f41..a605f0d 100644
> --- a/drivers/base/power/wakeup.c
> +++ b/drivers/base/power/wakeup.c
> @@ -223,6 +223,9 @@ int device_wakeup_enable(struct device *dev)
>  	if (!dev || !dev->power.can_wakeup)
>  		return -EINVAL;
>  
> +	if (WARN_ON(!dev_name(dev)))
> +		return -EINVAL;
> +
>  	ws = wakeup_source_register(dev_name(dev));

Shouldn't wakeup_source_register() just handle a NULL for a name better?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-pm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Shuah Khan Nov. 19, 2013, 11:52 p.m. UTC | #2 
On 11/19/2013 04:56 PM, Rafael J. Wysocki wrote:
> On Tuesday, November 19, 2013 03:14:01 PM Greg KH wrote:
>> On Tue, Nov 19, 2013 at 09:05:46AM -0700, Shuah Khan wrote:
>>> device_wakeup_enable() uses dev_name(dev) as the wakeup source name.
>>> When it gets called with a device with its name not yet set, ws structure
>>> with ws->name = NULL gets created.
>>>
>>> When kernel is booted with wakeup_source_activate enabled, it will panic
>>> when the trace point code tries to dereferences ws->name.
>>>
>>> Change device_wakeup_enable() to WARN_ON on dev_name(dev) null condition
>>> to detect driver bugs that result in calling device_wakeup_enable() before
>>> device is fully initialized with its name in device_wakeup_enable().
>>>
>>> This change without the power_supply_register() fix will result in early
>>> boot panics when AC Adapter and Battery device drivers try to register
>>> wakeup source.
>>>
>>> The following panic resulted from power_supply_register() registering
>>> wakeup source with a null device name.
>>>
>>> [  819.769934] device: 'BAT1': device_add
>>> [  819.770078] PM: Adding info for No Bus:BAT1
>>> [  819.770235] BUG: unable to handle kernel NULL pointer dereference at           (null)
>>> [  819.770435] IP: [<ffffffff813381c0>] skip_spaces+0x30/0x30
>>> [  819.770572] PGD 3efd90067 PUD 3eff61067 PMD 0
>>> [  819.770716] Oops: 0000 [#1] SMP
>>> [  819.770829] Modules linked in: arc4 iwldvm mac80211 x86_pkg_temp_thermal coretemp kvm_intel joydev i915 kvm uvcvideo ghash_clmulni_intel videobuf2_vmalloc aesni_intel videobuf2_memops videobuf2_core aes_x86_64 ablk_helper cryptd videodev iwlwifi lrw rfcomm gf128mul glue_helper bnep btusb media bluetooth parport_pc hid_generic ppdev snd_hda_codec_hdmi drm_kms_helper snd_hda_codec_realtek cfg80211 drm tpm_infineon samsung_laptop snd_hda_intel usbhid snd_hda_codec hid snd_hwdep snd_pcm microcode snd_page_alloc snd_timer psmouse i2c_algo_bit lpc_ich tpm_tis video wmi mac_hid serio_raw ext2 lp parport r8169 mii
>>> [  819.771802] CPU: 0 PID: 2167 Comm: bash Not tainted 3.12.0+ #25
>>> [  819.771876] Hardware name: SAMSUNG ELECTRONICS CO., LTD. 900X3C/900X3D/900X4C/900X4D/SAMSUNG_NP1234567890, BIOS P03AAC 07/12/2012
>>> [  819.772022] task: ffff88002e6ddcc0 ti: ffff8804015ca000 task.ti: ffff8804015ca000
>>> [  819.772119] RIP: 0010:[<ffffffff813381c0>]  [<ffffffff813381c0>] skip_spaces+0x30/0x30
>>> [  819.772242] RSP: 0018:ffff8804015cbc70  EFLAGS: 00010046
>>> [  819.772310] RAX: 0000000000000003 RBX: ffff88040cfd6d40 RCX: 0000000000000018
>>> [  819.772397] RDX: 0000000000020001 RSI: 0000000000000000 RDI: 0000000000000000
>>> [  819.772484] RBP: ffff8804015cbcc0 R08: 0000000000000000 R09: ffff8803f0768d40
>>> [  819.772570] R10: ffffea001033b800 R11: 0000000000000000 R12: ffffffff81c519c0
>>> [  819.772656] R13: 0000000000020001 R14: 0000000000000000 R15: 0000000000020001
>>> [  819.772744] FS:  00007ff98309b740(0000) GS:ffff88041f200000(0000) knlGS:0000000000000000
>>> [  819.772845] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [  819.772917] CR2: 0000000000000000 CR3: 00000003f59dc000 CR4: 00000000001407f0
>>> [  819.773001] Stack:
>>> [  819.773030]  ffffffff81114003 ffff8804015cbcb0 0000000000000000 0000000000000046
>>> [  819.773146]  ffff880409757a18 ffff8803f065a160 0000000000000000 0000000000020001
>>> [  819.773273]  0000000000000000 0000000000000000 ffff8804015cbce8 ffffffff8143e388
>>> [  819.773387] Call Trace:
>>> [  819.773434]  [<ffffffff81114003>] ? ftrace_raw_event_wakeup_source+0x43/0xe0
>>> [  819.773520]  [<ffffffff8143e388>] wakeup_source_report_event+0xb8/0xd0
>>> [  819.773595]  [<ffffffff8143e3cd>] __pm_stay_awake+0x2d/0x50
>>> [  819.773724]  [<ffffffff8153395c>] power_supply_changed+0x3c/0x90
>>> [  819.773795]  [<ffffffff8153407c>] power_supply_register+0x18c/0x250
>>> [  819.773869]  [<ffffffff813d8d18>] sysfs_add_battery+0x61/0x7b
>>> [  819.773935]  [<ffffffff813d8d69>] battery_notify+0x37/0x3f
>>> [  819.774001]  [<ffffffff816ccb7c>] notifier_call_chain+0x4c/0x70
>>> [  819.774071]  [<ffffffff81073ded>] __blocking_notifier_call_chain+0x4d/0x70
>>> [  819.774149]  [<ffffffff81073e26>] blocking_notifier_call_chain+0x16/0x20
>>> [  819.774227]  [<ffffffff8109397a>] pm_notifier_call_chain+0x1a/0x40
>>> [  819.774316]  [<ffffffff81095b66>] hibernate+0x66/0x1c0
>>> [  819.774407]  [<ffffffff81093931>] state_store+0x71/0xa0
>>> [  819.774507]  [<ffffffff81331d8f>] kobj_attr_store+0xf/0x20
>>> [  819.774613]  [<ffffffff811f8618>] sysfs_write_file+0x128/0x1c0
>>> [  819.774735]  [<ffffffff8118579d>] vfs_write+0xbd/0x1e0
>>> [  819.774841]  [<ffffffff811861d9>] SyS_write+0x49/0xa0
>>> [  819.774939]  [<ffffffff816d1052>] system_call_fastpath+0x16/0x1b
>>> [  819.775055] Code: 89 f8 48 89 e5 f6 82 c0 a6 84 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 c0 a6 84 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80
>>> [  819.775760] RIP  [<ffffffff813381c0>] skip_spaces+0x30/0x30
>>> [  819.775881]  RSP <ffff8804015cbc70>
>>> [  819.775949] CR2: 0000000000000000
>>> [  819.794175] ---[ end trace c4ef25127039952e ]---
>>>
>>> Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
>>> ---
>>>   drivers/base/power/wakeup.c | 3 +++
>>>   1 file changed, 3 insertions(+)
>>>
>>> diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
>>> index 2d56f41..a605f0d 100644
>>> --- a/drivers/base/power/wakeup.c
>>> +++ b/drivers/base/power/wakeup.c
>>> @@ -223,6 +223,9 @@ int device_wakeup_enable(struct device *dev)
>>>   	if (!dev || !dev->power.can_wakeup)
>>>   		return -EINVAL;
>>>
>>> +	if (WARN_ON(!dev_name(dev)))
>>> +		return -EINVAL;
>>> +
>>>   	ws = wakeup_source_register(dev_name(dev));
>>
>> Shouldn't wakeup_source_register() just handle a NULL for a name better?
>
> In fact, it does.
>
> The bug is in wakeup_source_activate() and that's because it passes ws->name
> to trace_wakeup_source_activate() which then doesn't bother to check it against
> NULL.
>
> So the solution here is to check ws->name before attempting to pass
> it to trace_wakeup_source_activate() in wakeup_source_activate().  It is
> actually valid to have a wakeup source with a NULL name and it shouldn't
> blow up like this.
>
> Thanks,
> Rafael
>

Rafael beat me to it. Yes adding the following to 
DECLARE_EVENT_CLASS(wakeup_source, should take care of the problem:


               const char *tmp_i = name ? name : "ws no name";

                 __assign_str(name, tmp_i);

should make trace_wakeup_source_activate() not blow up. I did consider 
this as one of the fixes to the oops. Would you rather see this fix 
instead of this change to device_wakeup_enable()?

-- Shuah
Rafael J. Wysocki Nov. 19, 2013, 11:56 p.m. UTC | #3 
On Tuesday, November 19, 2013 03:14:01 PM Greg KH wrote:
> On Tue, Nov 19, 2013 at 09:05:46AM -0700, Shuah Khan wrote:
> > device_wakeup_enable() uses dev_name(dev) as the wakeup source name.
> > When it gets called with a device with its name not yet set, ws structure
> > with ws->name = NULL gets created.
> > 
> > When kernel is booted with wakeup_source_activate enabled, it will panic
> > when the trace point code tries to dereferences ws->name.
> > 
> > Change device_wakeup_enable() to WARN_ON on dev_name(dev) null condition
> > to detect driver bugs that result in calling device_wakeup_enable() before
> > device is fully initialized with its name in device_wakeup_enable().
> > 
> > This change without the power_supply_register() fix will result in early
> > boot panics when AC Adapter and Battery device drivers try to register
> > wakeup source.
> > 
> > The following panic resulted from power_supply_register() registering
> > wakeup source with a null device name.
> > 
> > [  819.769934] device: 'BAT1': device_add
> > [  819.770078] PM: Adding info for No Bus:BAT1
> > [  819.770235] BUG: unable to handle kernel NULL pointer dereference at           (null)
> > [  819.770435] IP: [<ffffffff813381c0>] skip_spaces+0x30/0x30
> > [  819.770572] PGD 3efd90067 PUD 3eff61067 PMD 0
> > [  819.770716] Oops: 0000 [#1] SMP
> > [  819.770829] Modules linked in: arc4 iwldvm mac80211 x86_pkg_temp_thermal coretemp kvm_intel joydev i915 kvm uvcvideo ghash_clmulni_intel videobuf2_vmalloc aesni_intel videobuf2_memops videobuf2_core aes_x86_64 ablk_helper cryptd videodev iwlwifi lrw rfcomm gf128mul glue_helper bnep btusb media bluetooth parport_pc hid_generic ppdev snd_hda_codec_hdmi drm_kms_helper snd_hda_codec_realtek cfg80211 drm tpm_infineon samsung_laptop snd_hda_intel usbhid snd_hda_codec hid snd_hwdep snd_pcm microcode snd_page_alloc snd_timer psmouse i2c_algo_bit lpc_ich tpm_tis video wmi mac_hid serio_raw ext2 lp parport r8169 mii
> > [  819.771802] CPU: 0 PID: 2167 Comm: bash Not tainted 3.12.0+ #25
> > [  819.771876] Hardware name: SAMSUNG ELECTRONICS CO., LTD. 900X3C/900X3D/900X4C/900X4D/SAMSUNG_NP1234567890, BIOS P03AAC 07/12/2012
> > [  819.772022] task: ffff88002e6ddcc0 ti: ffff8804015ca000 task.ti: ffff8804015ca000
> > [  819.772119] RIP: 0010:[<ffffffff813381c0>]  [<ffffffff813381c0>] skip_spaces+0x30/0x30
> > [  819.772242] RSP: 0018:ffff8804015cbc70  EFLAGS: 00010046
> > [  819.772310] RAX: 0000000000000003 RBX: ffff88040cfd6d40 RCX: 0000000000000018
> > [  819.772397] RDX: 0000000000020001 RSI: 0000000000000000 RDI: 0000000000000000
> > [  819.772484] RBP: ffff8804015cbcc0 R08: 0000000000000000 R09: ffff8803f0768d40
> > [  819.772570] R10: ffffea001033b800 R11: 0000000000000000 R12: ffffffff81c519c0
> > [  819.772656] R13: 0000000000020001 R14: 0000000000000000 R15: 0000000000020001
> > [  819.772744] FS:  00007ff98309b740(0000) GS:ffff88041f200000(0000) knlGS:0000000000000000
> > [  819.772845] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [  819.772917] CR2: 0000000000000000 CR3: 00000003f59dc000 CR4: 00000000001407f0
> > [  819.773001] Stack:
> > [  819.773030]  ffffffff81114003 ffff8804015cbcb0 0000000000000000 0000000000000046
> > [  819.773146]  ffff880409757a18 ffff8803f065a160 0000000000000000 0000000000020001
> > [  819.773273]  0000000000000000 0000000000000000 ffff8804015cbce8 ffffffff8143e388
> > [  819.773387] Call Trace:
> > [  819.773434]  [<ffffffff81114003>] ? ftrace_raw_event_wakeup_source+0x43/0xe0
> > [  819.773520]  [<ffffffff8143e388>] wakeup_source_report_event+0xb8/0xd0
> > [  819.773595]  [<ffffffff8143e3cd>] __pm_stay_awake+0x2d/0x50
> > [  819.773724]  [<ffffffff8153395c>] power_supply_changed+0x3c/0x90
> > [  819.773795]  [<ffffffff8153407c>] power_supply_register+0x18c/0x250
> > [  819.773869]  [<ffffffff813d8d18>] sysfs_add_battery+0x61/0x7b
> > [  819.773935]  [<ffffffff813d8d69>] battery_notify+0x37/0x3f
> > [  819.774001]  [<ffffffff816ccb7c>] notifier_call_chain+0x4c/0x70
> > [  819.774071]  [<ffffffff81073ded>] __blocking_notifier_call_chain+0x4d/0x70
> > [  819.774149]  [<ffffffff81073e26>] blocking_notifier_call_chain+0x16/0x20
> > [  819.774227]  [<ffffffff8109397a>] pm_notifier_call_chain+0x1a/0x40
> > [  819.774316]  [<ffffffff81095b66>] hibernate+0x66/0x1c0
> > [  819.774407]  [<ffffffff81093931>] state_store+0x71/0xa0
> > [  819.774507]  [<ffffffff81331d8f>] kobj_attr_store+0xf/0x20
> > [  819.774613]  [<ffffffff811f8618>] sysfs_write_file+0x128/0x1c0
> > [  819.774735]  [<ffffffff8118579d>] vfs_write+0xbd/0x1e0
> > [  819.774841]  [<ffffffff811861d9>] SyS_write+0x49/0xa0
> > [  819.774939]  [<ffffffff816d1052>] system_call_fastpath+0x16/0x1b
> > [  819.775055] Code: 89 f8 48 89 e5 f6 82 c0 a6 84 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 c0 a6 84 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80
> > [  819.775760] RIP  [<ffffffff813381c0>] skip_spaces+0x30/0x30
> > [  819.775881]  RSP <ffff8804015cbc70>
> > [  819.775949] CR2: 0000000000000000
> > [  819.794175] ---[ end trace c4ef25127039952e ]---
> > 
> > Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
> > ---
> >  drivers/base/power/wakeup.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
> > index 2d56f41..a605f0d 100644
> > --- a/drivers/base/power/wakeup.c
> > +++ b/drivers/base/power/wakeup.c
> > @@ -223,6 +223,9 @@ int device_wakeup_enable(struct device *dev)
> >  	if (!dev || !dev->power.can_wakeup)
> >  		return -EINVAL;
> >  
> > +	if (WARN_ON(!dev_name(dev)))
> > +		return -EINVAL;
> > +
> >  	ws = wakeup_source_register(dev_name(dev));
> 
> Shouldn't wakeup_source_register() just handle a NULL for a name better?

In fact, it does.

The bug is in wakeup_source_activate() and that's because it passes ws->name
to trace_wakeup_source_activate() which then doesn't bother to check it against
NULL.

So the solution here is to check ws->name before attempting to pass
it to trace_wakeup_source_activate() in wakeup_source_activate().  It is
actually valid to have a wakeup source with a NULL name and it shouldn't
blow up like this.

Thanks,
Rafael

--
To unsubscribe from this list: send the line "unsubscribe linux-pm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Greg Kroah-Hartman Nov. 20, 2013, 12:05 a.m. UTC | #4 
On Tue, Nov 19, 2013 at 04:52:59PM -0700, Shuah Khan wrote:
> On 11/19/2013 04:56 PM, Rafael J. Wysocki wrote:
> > On Tuesday, November 19, 2013 03:14:01 PM Greg KH wrote:
> >> On Tue, Nov 19, 2013 at 09:05:46AM -0700, Shuah Khan wrote:
> >>> device_wakeup_enable() uses dev_name(dev) as the wakeup source name.
> >>> When it gets called with a device with its name not yet set, ws structure
> >>> with ws->name = NULL gets created.
> >>>
> >>> When kernel is booted with wakeup_source_activate enabled, it will panic
> >>> when the trace point code tries to dereferences ws->name.
> >>>
> >>> Change device_wakeup_enable() to WARN_ON on dev_name(dev) null condition
> >>> to detect driver bugs that result in calling device_wakeup_enable() before
> >>> device is fully initialized with its name in device_wakeup_enable().
> >>>
> >>> This change without the power_supply_register() fix will result in early
> >>> boot panics when AC Adapter and Battery device drivers try to register
> >>> wakeup source.
> >>>
> >>> The following panic resulted from power_supply_register() registering
> >>> wakeup source with a null device name.
> >>>
> >>> [  819.769934] device: 'BAT1': device_add
> >>> [  819.770078] PM: Adding info for No Bus:BAT1
> >>> [  819.770235] BUG: unable to handle kernel NULL pointer dereference at           (null)
> >>> [  819.770435] IP: [<ffffffff813381c0>] skip_spaces+0x30/0x30
> >>> [  819.770572] PGD 3efd90067 PUD 3eff61067 PMD 0
> >>> [  819.770716] Oops: 0000 [#1] SMP
> >>> [  819.770829] Modules linked in: arc4 iwldvm mac80211 x86_pkg_temp_thermal coretemp kvm_intel joydev i915 kvm uvcvideo ghash_clmulni_intel videobuf2_vmalloc aesni_intel videobuf2_memops videobuf2_core aes_x86_64 ablk_helper cryptd videodev iwlwifi lrw rfcomm gf128mul glue_helper bnep btusb media bluetooth parport_pc hid_generic ppdev snd_hda_codec_hdmi drm_kms_helper snd_hda_codec_realtek cfg80211 drm tpm_infineon samsung_laptop snd_hda_intel usbhid snd_hda_codec hid snd_hwdep snd_pcm microcode snd_page_alloc snd_timer psmouse i2c_algo_bit lpc_ich tpm_tis video wmi mac_hid serio_raw ext2 lp parport r8169 mii
> >>> [  819.771802] CPU: 0 PID: 2167 Comm: bash Not tainted 3.12.0+ #25
> >>> [  819.771876] Hardware name: SAMSUNG ELECTRONICS CO., LTD. 900X3C/900X3D/900X4C/900X4D/SAMSUNG_NP1234567890, BIOS P03AAC 07/12/2012
> >>> [  819.772022] task: ffff88002e6ddcc0 ti: ffff8804015ca000 task.ti: ffff8804015ca000
> >>> [  819.772119] RIP: 0010:[<ffffffff813381c0>]  [<ffffffff813381c0>] skip_spaces+0x30/0x30
> >>> [  819.772242] RSP: 0018:ffff8804015cbc70  EFLAGS: 00010046
> >>> [  819.772310] RAX: 0000000000000003 RBX: ffff88040cfd6d40 RCX: 0000000000000018
> >>> [  819.772397] RDX: 0000000000020001 RSI: 0000000000000000 RDI: 0000000000000000
> >>> [  819.772484] RBP: ffff8804015cbcc0 R08: 0000000000000000 R09: ffff8803f0768d40
> >>> [  819.772570] R10: ffffea001033b800 R11: 0000000000000000 R12: ffffffff81c519c0
> >>> [  819.772656] R13: 0000000000020001 R14: 0000000000000000 R15: 0000000000020001
> >>> [  819.772744] FS:  00007ff98309b740(0000) GS:ffff88041f200000(0000) knlGS:0000000000000000
> >>> [  819.772845] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >>> [  819.772917] CR2: 0000000000000000 CR3: 00000003f59dc000 CR4: 00000000001407f0
> >>> [  819.773001] Stack:
> >>> [  819.773030]  ffffffff81114003 ffff8804015cbcb0 0000000000000000 0000000000000046
> >>> [  819.773146]  ffff880409757a18 ffff8803f065a160 0000000000000000 0000000000020001
> >>> [  819.773273]  0000000000000000 0000000000000000 ffff8804015cbce8 ffffffff8143e388
> >>> [  819.773387] Call Trace:
> >>> [  819.773434]  [<ffffffff81114003>] ? ftrace_raw_event_wakeup_source+0x43/0xe0
> >>> [  819.773520]  [<ffffffff8143e388>] wakeup_source_report_event+0xb8/0xd0
> >>> [  819.773595]  [<ffffffff8143e3cd>] __pm_stay_awake+0x2d/0x50
> >>> [  819.773724]  [<ffffffff8153395c>] power_supply_changed+0x3c/0x90
> >>> [  819.773795]  [<ffffffff8153407c>] power_supply_register+0x18c/0x250
> >>> [  819.773869]  [<ffffffff813d8d18>] sysfs_add_battery+0x61/0x7b
> >>> [  819.773935]  [<ffffffff813d8d69>] battery_notify+0x37/0x3f
> >>> [  819.774001]  [<ffffffff816ccb7c>] notifier_call_chain+0x4c/0x70
> >>> [  819.774071]  [<ffffffff81073ded>] __blocking_notifier_call_chain+0x4d/0x70
> >>> [  819.774149]  [<ffffffff81073e26>] blocking_notifier_call_chain+0x16/0x20
> >>> [  819.774227]  [<ffffffff8109397a>] pm_notifier_call_chain+0x1a/0x40
> >>> [  819.774316]  [<ffffffff81095b66>] hibernate+0x66/0x1c0
> >>> [  819.774407]  [<ffffffff81093931>] state_store+0x71/0xa0
> >>> [  819.774507]  [<ffffffff81331d8f>] kobj_attr_store+0xf/0x20
> >>> [  819.774613]  [<ffffffff811f8618>] sysfs_write_file+0x128/0x1c0
> >>> [  819.774735]  [<ffffffff8118579d>] vfs_write+0xbd/0x1e0
> >>> [  819.774841]  [<ffffffff811861d9>] SyS_write+0x49/0xa0
> >>> [  819.774939]  [<ffffffff816d1052>] system_call_fastpath+0x16/0x1b
> >>> [  819.775055] Code: 89 f8 48 89 e5 f6 82 c0 a6 84 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 c0 a6 84 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80
> >>> [  819.775760] RIP  [<ffffffff813381c0>] skip_spaces+0x30/0x30
> >>> [  819.775881]  RSP <ffff8804015cbc70>
> >>> [  819.775949] CR2: 0000000000000000
> >>> [  819.794175] ---[ end trace c4ef25127039952e ]---
> >>>
> >>> Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
> >>> ---
> >>>   drivers/base/power/wakeup.c | 3 +++
> >>>   1 file changed, 3 insertions(+)
> >>>
> >>> diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
> >>> index 2d56f41..a605f0d 100644
> >>> --- a/drivers/base/power/wakeup.c
> >>> +++ b/drivers/base/power/wakeup.c
> >>> @@ -223,6 +223,9 @@ int device_wakeup_enable(struct device *dev)
> >>>   	if (!dev || !dev->power.can_wakeup)
> >>>   		return -EINVAL;
> >>>
> >>> +	if (WARN_ON(!dev_name(dev)))
> >>> +		return -EINVAL;
> >>> +
> >>>   	ws = wakeup_source_register(dev_name(dev));
> >>
> >> Shouldn't wakeup_source_register() just handle a NULL for a name better?
> >
> > In fact, it does.
> >
> > The bug is in wakeup_source_activate() and that's because it passes ws->name
> > to trace_wakeup_source_activate() which then doesn't bother to check it against
> > NULL.
> >
> > So the solution here is to check ws->name before attempting to pass
> > it to trace_wakeup_source_activate() in wakeup_source_activate().  It is
> > actually valid to have a wakeup source with a NULL name and it shouldn't
> > blow up like this.
> >
> > Thanks,
> > Rafael
> >
> 
> Rafael beat me to it. Yes adding the following to 
> DECLARE_EVENT_CLASS(wakeup_source, should take care of the problem:
> 
> 
>                const char *tmp_i = name ? name : "ws no name";
> 
>                  __assign_str(name, tmp_i);
> 
> should make trace_wakeup_source_activate() not blow up. I did consider 
> this as one of the fixes to the oops. Would you rather see this fix 
> instead of this change to device_wakeup_enable()?

No, that's fine, it makes more sense now.

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-pm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Rafael J. Wysocki Nov. 20, 2013, 12:12 a.m. UTC | #5 
On Tuesday, November 19, 2013 04:52:59 PM Shuah Khan wrote:
> On 11/19/2013 04:56 PM, Rafael J. Wysocki wrote:
> > On Tuesday, November 19, 2013 03:14:01 PM Greg KH wrote:
> >> On Tue, Nov 19, 2013 at 09:05:46AM -0700, Shuah Khan wrote:
> >>> device_wakeup_enable() uses dev_name(dev) as the wakeup source name.
> >>> When it gets called with a device with its name not yet set, ws structure
> >>> with ws->name = NULL gets created.
> >>>
> >>> When kernel is booted with wakeup_source_activate enabled, it will panic
> >>> when the trace point code tries to dereferences ws->name.
> >>>
> >>> Change device_wakeup_enable() to WARN_ON on dev_name(dev) null condition
> >>> to detect driver bugs that result in calling device_wakeup_enable() before
> >>> device is fully initialized with its name in device_wakeup_enable().
> >>>
> >>> This change without the power_supply_register() fix will result in early
> >>> boot panics when AC Adapter and Battery device drivers try to register
> >>> wakeup source.
> >>>
> >>> The following panic resulted from power_supply_register() registering
> >>> wakeup source with a null device name.
> >>>
> >>> [  819.769934] device: 'BAT1': device_add
> >>> [  819.770078] PM: Adding info for No Bus:BAT1
> >>> [  819.770235] BUG: unable to handle kernel NULL pointer dereference at           (null)
> >>> [  819.770435] IP: [<ffffffff813381c0>] skip_spaces+0x30/0x30
> >>> [  819.770572] PGD 3efd90067 PUD 3eff61067 PMD 0
> >>> [  819.770716] Oops: 0000 [#1] SMP
> >>> [  819.770829] Modules linked in: arc4 iwldvm mac80211 x86_pkg_temp_thermal coretemp kvm_intel joydev i915 kvm uvcvideo ghash_clmulni_intel videobuf2_vmalloc aesni_intel videobuf2_memops videobuf2_core aes_x86_64 ablk_helper cryptd videodev iwlwifi lrw rfcomm gf128mul glue_helper bnep btusb media bluetooth parport_pc hid_generic ppdev snd_hda_codec_hdmi drm_kms_helper snd_hda_codec_realtek cfg80211 drm tpm_infineon samsung_laptop snd_hda_intel usbhid snd_hda_codec hid snd_hwdep snd_pcm microcode snd_page_alloc snd_timer psmouse i2c_algo_bit lpc_ich tpm_tis video wmi mac_hid serio_raw ext2 lp parport r8169 mii
> >>> [  819.771802] CPU: 0 PID: 2167 Comm: bash Not tainted 3.12.0+ #25
> >>> [  819.771876] Hardware name: SAMSUNG ELECTRONICS CO., LTD. 900X3C/900X3D/900X4C/900X4D/SAMSUNG_NP1234567890, BIOS P03AAC 07/12/2012
> >>> [  819.772022] task: ffff88002e6ddcc0 ti: ffff8804015ca000 task.ti: ffff8804015ca000
> >>> [  819.772119] RIP: 0010:[<ffffffff813381c0>]  [<ffffffff813381c0>] skip_spaces+0x30/0x30
> >>> [  819.772242] RSP: 0018:ffff8804015cbc70  EFLAGS: 00010046
> >>> [  819.772310] RAX: 0000000000000003 RBX: ffff88040cfd6d40 RCX: 0000000000000018
> >>> [  819.772397] RDX: 0000000000020001 RSI: 0000000000000000 RDI: 0000000000000000
> >>> [  819.772484] RBP: ffff8804015cbcc0 R08: 0000000000000000 R09: ffff8803f0768d40
> >>> [  819.772570] R10: ffffea001033b800 R11: 0000000000000000 R12: ffffffff81c519c0
> >>> [  819.772656] R13: 0000000000020001 R14: 0000000000000000 R15: 0000000000020001
> >>> [  819.772744] FS:  00007ff98309b740(0000) GS:ffff88041f200000(0000) knlGS:0000000000000000
> >>> [  819.772845] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >>> [  819.772917] CR2: 0000000000000000 CR3: 00000003f59dc000 CR4: 00000000001407f0
> >>> [  819.773001] Stack:
> >>> [  819.773030]  ffffffff81114003 ffff8804015cbcb0 0000000000000000 0000000000000046
> >>> [  819.773146]  ffff880409757a18 ffff8803f065a160 0000000000000000 0000000000020001
> >>> [  819.773273]  0000000000000000 0000000000000000 ffff8804015cbce8 ffffffff8143e388
> >>> [  819.773387] Call Trace:
> >>> [  819.773434]  [<ffffffff81114003>] ? ftrace_raw_event_wakeup_source+0x43/0xe0
> >>> [  819.773520]  [<ffffffff8143e388>] wakeup_source_report_event+0xb8/0xd0
> >>> [  819.773595]  [<ffffffff8143e3cd>] __pm_stay_awake+0x2d/0x50
> >>> [  819.773724]  [<ffffffff8153395c>] power_supply_changed+0x3c/0x90
> >>> [  819.773795]  [<ffffffff8153407c>] power_supply_register+0x18c/0x250
> >>> [  819.773869]  [<ffffffff813d8d18>] sysfs_add_battery+0x61/0x7b
> >>> [  819.773935]  [<ffffffff813d8d69>] battery_notify+0x37/0x3f
> >>> [  819.774001]  [<ffffffff816ccb7c>] notifier_call_chain+0x4c/0x70
> >>> [  819.774071]  [<ffffffff81073ded>] __blocking_notifier_call_chain+0x4d/0x70
> >>> [  819.774149]  [<ffffffff81073e26>] blocking_notifier_call_chain+0x16/0x20
> >>> [  819.774227]  [<ffffffff8109397a>] pm_notifier_call_chain+0x1a/0x40
> >>> [  819.774316]  [<ffffffff81095b66>] hibernate+0x66/0x1c0
> >>> [  819.774407]  [<ffffffff81093931>] state_store+0x71/0xa0
> >>> [  819.774507]  [<ffffffff81331d8f>] kobj_attr_store+0xf/0x20
> >>> [  819.774613]  [<ffffffff811f8618>] sysfs_write_file+0x128/0x1c0
> >>> [  819.774735]  [<ffffffff8118579d>] vfs_write+0xbd/0x1e0
> >>> [  819.774841]  [<ffffffff811861d9>] SyS_write+0x49/0xa0
> >>> [  819.774939]  [<ffffffff816d1052>] system_call_fastpath+0x16/0x1b
> >>> [  819.775055] Code: 89 f8 48 89 e5 f6 82 c0 a6 84 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 c0 a6 84 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80
> >>> [  819.775760] RIP  [<ffffffff813381c0>] skip_spaces+0x30/0x30
> >>> [  819.775881]  RSP <ffff8804015cbc70>
> >>> [  819.775949] CR2: 0000000000000000
> >>> [  819.794175] ---[ end trace c4ef25127039952e ]---
> >>>
> >>> Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
> >>> ---
> >>>   drivers/base/power/wakeup.c | 3 +++
> >>>   1 file changed, 3 insertions(+)
> >>>
> >>> diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
> >>> index 2d56f41..a605f0d 100644
> >>> --- a/drivers/base/power/wakeup.c
> >>> +++ b/drivers/base/power/wakeup.c
> >>> @@ -223,6 +223,9 @@ int device_wakeup_enable(struct device *dev)
> >>>   	if (!dev || !dev->power.can_wakeup)
> >>>   		return -EINVAL;
> >>>
> >>> +	if (WARN_ON(!dev_name(dev)))
> >>> +		return -EINVAL;
> >>> +
> >>>   	ws = wakeup_source_register(dev_name(dev));
> >>
> >> Shouldn't wakeup_source_register() just handle a NULL for a name better?
> >
> > In fact, it does.
> >
> > The bug is in wakeup_source_activate() and that's because it passes ws->name
> > to trace_wakeup_source_activate() which then doesn't bother to check it against
> > NULL.
> >
> > So the solution here is to check ws->name before attempting to pass
> > it to trace_wakeup_source_activate() in wakeup_source_activate().  It is
> > actually valid to have a wakeup source with a NULL name and it shouldn't
> > blow up like this.
> >
> > Thanks,
> > Rafael
> >
> 
> Rafael beat me to it. Yes adding the following to 
> DECLARE_EVENT_CLASS(wakeup_source, should take care of the problem:
> 
> 
>                const char *tmp_i = name ? name : "ws no name";
> 
>                  __assign_str(name, tmp_i);
> 
> should make trace_wakeup_source_activate() not blow up. I did consider 
> this as one of the fixes to the oops. Would you rather see this fix 
> instead of this change to device_wakeup_enable()?

Obviously, I would. :-)

As I said, it should be possible to register a wakeup source without a name.

Also please find the commit that added trace_wakeup_source_activate() to
wakeup_source_activate() and add a Fixes: tag for it to the patch.

Thanks!
Rafael J. Wysocki Nov. 20, 2013, 12:17 a.m. UTC | #6 
On Wednesday, November 20, 2013 01:12:17 AM Rafael J. Wysocki wrote:
> On Tuesday, November 19, 2013 04:52:59 PM Shuah Khan wrote:
> > On 11/19/2013 04:56 PM, Rafael J. Wysocki wrote:
> > > On Tuesday, November 19, 2013 03:14:01 PM Greg KH wrote:
> > >> On Tue, Nov 19, 2013 at 09:05:46AM -0700, Shuah Khan wrote:
> > >>> device_wakeup_enable() uses dev_name(dev) as the wakeup source name.
> > >>> When it gets called with a device with its name not yet set, ws structure
> > >>> with ws->name = NULL gets created.
> > >>>
> > >>> When kernel is booted with wakeup_source_activate enabled, it will panic
> > >>> when the trace point code tries to dereferences ws->name.
> > >>>
> > >>> Change device_wakeup_enable() to WARN_ON on dev_name(dev) null condition
> > >>> to detect driver bugs that result in calling device_wakeup_enable() before
> > >>> device is fully initialized with its name in device_wakeup_enable().
> > >>>
> > >>> This change without the power_supply_register() fix will result in early
> > >>> boot panics when AC Adapter and Battery device drivers try to register
> > >>> wakeup source.
> > >>>
> > >>> The following panic resulted from power_supply_register() registering
> > >>> wakeup source with a null device name.
> > >>>
> > >>> [  819.769934] device: 'BAT1': device_add
> > >>> [  819.770078] PM: Adding info for No Bus:BAT1
> > >>> [  819.770235] BUG: unable to handle kernel NULL pointer dereference at           (null)
> > >>> [  819.770435] IP: [<ffffffff813381c0>] skip_spaces+0x30/0x30
> > >>> [  819.770572] PGD 3efd90067 PUD 3eff61067 PMD 0
> > >>> [  819.770716] Oops: 0000 [#1] SMP
> > >>> [  819.770829] Modules linked in: arc4 iwldvm mac80211 x86_pkg_temp_thermal coretemp kvm_intel joydev i915 kvm uvcvideo ghash_clmulni_intel videobuf2_vmalloc aesni_intel videobuf2_memops videobuf2_core aes_x86_64 ablk_helper cryptd videodev iwlwifi lrw rfcomm gf128mul glue_helper bnep btusb media bluetooth parport_pc hid_generic ppdev snd_hda_codec_hdmi drm_kms_helper snd_hda_codec_realtek cfg80211 drm tpm_infineon samsung_laptop snd_hda_intel usbhid snd_hda_codec hid snd_hwdep snd_pcm microcode snd_page_alloc snd_timer psmouse i2c_algo_bit lpc_ich tpm_tis video wmi mac_hid serio_raw ext2 lp parport r8169 mii
> > >>> [  819.771802] CPU: 0 PID: 2167 Comm: bash Not tainted 3.12.0+ #25
> > >>> [  819.771876] Hardware name: SAMSUNG ELECTRONICS CO., LTD. 900X3C/900X3D/900X4C/900X4D/SAMSUNG_NP1234567890, BIOS P03AAC 07/12/2012
> > >>> [  819.772022] task: ffff88002e6ddcc0 ti: ffff8804015ca000 task.ti: ffff8804015ca000
> > >>> [  819.772119] RIP: 0010:[<ffffffff813381c0>]  [<ffffffff813381c0>] skip_spaces+0x30/0x30
> > >>> [  819.772242] RSP: 0018:ffff8804015cbc70  EFLAGS: 00010046
> > >>> [  819.772310] RAX: 0000000000000003 RBX: ffff88040cfd6d40 RCX: 0000000000000018
> > >>> [  819.772397] RDX: 0000000000020001 RSI: 0000000000000000 RDI: 0000000000000000
> > >>> [  819.772484] RBP: ffff8804015cbcc0 R08: 0000000000000000 R09: ffff8803f0768d40
> > >>> [  819.772570] R10: ffffea001033b800 R11: 0000000000000000 R12: ffffffff81c519c0
> > >>> [  819.772656] R13: 0000000000020001 R14: 0000000000000000 R15: 0000000000020001
> > >>> [  819.772744] FS:  00007ff98309b740(0000) GS:ffff88041f200000(0000) knlGS:0000000000000000
> > >>> [  819.772845] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > >>> [  819.772917] CR2: 0000000000000000 CR3: 00000003f59dc000 CR4: 00000000001407f0
> > >>> [  819.773001] Stack:
> > >>> [  819.773030]  ffffffff81114003 ffff8804015cbcb0 0000000000000000 0000000000000046
> > >>> [  819.773146]  ffff880409757a18 ffff8803f065a160 0000000000000000 0000000000020001
> > >>> [  819.773273]  0000000000000000 0000000000000000 ffff8804015cbce8 ffffffff8143e388
> > >>> [  819.773387] Call Trace:
> > >>> [  819.773434]  [<ffffffff81114003>] ? ftrace_raw_event_wakeup_source+0x43/0xe0
> > >>> [  819.773520]  [<ffffffff8143e388>] wakeup_source_report_event+0xb8/0xd0
> > >>> [  819.773595]  [<ffffffff8143e3cd>] __pm_stay_awake+0x2d/0x50
> > >>> [  819.773724]  [<ffffffff8153395c>] power_supply_changed+0x3c/0x90
> > >>> [  819.773795]  [<ffffffff8153407c>] power_supply_register+0x18c/0x250
> > >>> [  819.773869]  [<ffffffff813d8d18>] sysfs_add_battery+0x61/0x7b
> > >>> [  819.773935]  [<ffffffff813d8d69>] battery_notify+0x37/0x3f
> > >>> [  819.774001]  [<ffffffff816ccb7c>] notifier_call_chain+0x4c/0x70
> > >>> [  819.774071]  [<ffffffff81073ded>] __blocking_notifier_call_chain+0x4d/0x70
> > >>> [  819.774149]  [<ffffffff81073e26>] blocking_notifier_call_chain+0x16/0x20
> > >>> [  819.774227]  [<ffffffff8109397a>] pm_notifier_call_chain+0x1a/0x40
> > >>> [  819.774316]  [<ffffffff81095b66>] hibernate+0x66/0x1c0
> > >>> [  819.774407]  [<ffffffff81093931>] state_store+0x71/0xa0
> > >>> [  819.774507]  [<ffffffff81331d8f>] kobj_attr_store+0xf/0x20
> > >>> [  819.774613]  [<ffffffff811f8618>] sysfs_write_file+0x128/0x1c0
> > >>> [  819.774735]  [<ffffffff8118579d>] vfs_write+0xbd/0x1e0
> > >>> [  819.774841]  [<ffffffff811861d9>] SyS_write+0x49/0xa0
> > >>> [  819.774939]  [<ffffffff816d1052>] system_call_fastpath+0x16/0x1b
> > >>> [  819.775055] Code: 89 f8 48 89 e5 f6 82 c0 a6 84 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 c0 a6 84 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80
> > >>> [  819.775760] RIP  [<ffffffff813381c0>] skip_spaces+0x30/0x30
> > >>> [  819.775881]  RSP <ffff8804015cbc70>
> > >>> [  819.775949] CR2: 0000000000000000
> > >>> [  819.794175] ---[ end trace c4ef25127039952e ]---
> > >>>
> > >>> Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
> > >>> ---
> > >>>   drivers/base/power/wakeup.c | 3 +++
> > >>>   1 file changed, 3 insertions(+)
> > >>>
> > >>> diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
> > >>> index 2d56f41..a605f0d 100644
> > >>> --- a/drivers/base/power/wakeup.c
> > >>> +++ b/drivers/base/power/wakeup.c
> > >>> @@ -223,6 +223,9 @@ int device_wakeup_enable(struct device *dev)
> > >>>   	if (!dev || !dev->power.can_wakeup)
> > >>>   		return -EINVAL;
> > >>>
> > >>> +	if (WARN_ON(!dev_name(dev)))
> > >>> +		return -EINVAL;
> > >>> +
> > >>>   	ws = wakeup_source_register(dev_name(dev));
> > >>
> > >> Shouldn't wakeup_source_register() just handle a NULL for a name better?
> > >
> > > In fact, it does.
> > >
> > > The bug is in wakeup_source_activate() and that's because it passes ws->name
> > > to trace_wakeup_source_activate() which then doesn't bother to check it against
> > > NULL.
> > >
> > > So the solution here is to check ws->name before attempting to pass
> > > it to trace_wakeup_source_activate() in wakeup_source_activate().  It is
> > > actually valid to have a wakeup source with a NULL name and it shouldn't
> > > blow up like this.
> > >
> > > Thanks,
> > > Rafael
> > >
> > 
> > Rafael beat me to it. Yes adding the following to 
> > DECLARE_EVENT_CLASS(wakeup_source, should take care of the problem:
> > 
> > 
> >                const char *tmp_i = name ? name : "ws no name";

Well, please use something like "(no name)" here.

> > 
> >                  __assign_str(name, tmp_i);
> > 
> > should make trace_wakeup_source_activate() not blow up. I did consider 
> > this as one of the fixes to the oops. Would you rather see this fix 
> > instead of this change to device_wakeup_enable()?
> 
> Obviously, I would. :-)
> 
> As I said, it should be possible to register a wakeup source without a name.
> 
> Also please find the commit that added trace_wakeup_source_activate() to
> wakeup_source_activate() and add a Fixes: tag for it to the patch.

Thanks!
diff mbox

Patch

diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
index 2d56f41..a605f0d 100644
--- a/drivers/base/power/wakeup.c
+++ b/drivers/base/power/wakeup.c
@@ -223,6 +223,9 @@  int device_wakeup_enable(struct device *dev)
 	if (!dev || !dev->power.can_wakeup)
 		return -EINVAL;
 
+	if (WARN_ON(!dev_name(dev)))
+		return -EINVAL;
+
 	ws = wakeup_source_register(dev_name(dev));
 	if (!ws)
 		return -ENOMEM;