OPP: Fix race between OPP addition and lookup - kernel/linux.git

diff options

author	Di Shen <di.shen@unisoc.com>	2026-04-27 15:00:47 +0300
committer	Viresh Kumar <viresh.kumar@linaro.org>	2026-05-07 06:24:10 +0300
commit	f5e1cc9a284bff2510981643a5bca4bc4c21b81a (patch)
tree	9b9b36e0ff8b4564d50ea7bf10104b7dd9f90793 /include/linux/timerqueue.h
parent	254f49634ee16a731174d2ae34bc50bd5f45e731 (diff)
download	linux-f5e1cc9a284bff2510981643a5bca4bc4c21b81a.tar.xz

OPP: Fix race between OPP addition and lookup

A race exists between dev_pm_opp_add_dynamic() and dev_pm_opp_find_freq_exact(): CPU0 (add) CPU1 (lookup) ------------------------------- ------------------------------ _opp_add() mutex_lock() list_add(&new_opp->node, head) mutex_unlock() _opp_table_find_key() mutex_lock() dev_pm_opp_get(opp) kref_get() mutex_unlock() kref_init(&new_opp->kref) dev_pm_opp_put() kref_put_mutex() The newly added OPP is inserted into the list before its kref is initialized. A concurrent lookup can find this OPP and increment its reference count while it is still uninitialized, leading to refcount corruption and a potential premature free. Fix this by initializing ->kref and ->opp_table before making the OPP visible via list_add(). This ensures any concurrent lookup observes a fully initialized object. Fixes: 7034764a1e4a (PM / OPP: Add 'struct kref' to struct dev_pm_opp) Co-developed-by: Ling Xu <ling_ling.xu@unisoc.com> Signed-off-by: Ling Xu <ling_ling.xu@unisoc.com> Signed-off-by: Di Shen <di.shen@unisoc.com> [ Viresh: Updated commit log ] Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>

Diffstat (limited to 'include/linux/timerqueue.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: