[PATCH v5] uio: fix unregister_device

[Igor Klochko (Nokia)]

uio: mirrored uio_register/unregister_device

When uio devices are created end removed in parallel, then we sometimes
encounter kernel traces along the following lines:

  sysfs: cannot create duplicate filename '/class/uio/uio899'

which stem from:

  sysfs_create_link+0x24/0x50
  device_add+0x2f0/0x780
  __uio_register_device+0x18c/0x550

The sysfs directory creation is performed synchronously as part of the
device_add call. The high level sequence for uio registration is:

  1. uio_get_minor (idr call, in critical section)
  2. device_add (leads to sysfs directory)
  3. manage attributes (popuplates part of the sysfs directory)

For unregistration we have by default the following flow:

  1. clean-up attributes
  2. uio_free_minor (idr call, in critical section)
  3. device_unregister (cleans up sysfs directory)

This creates a racing problem when we are in parallel creating and
removing uio devices.
The uio-minor that is freed when calling uio_free_minor can be
claimed by a subsequent uio_get_minor call.
The problem is that the device_add flow can end up triggered,
leading to a sysfs directory creation; while the
device_unregister flow has not yet cleaned up the sysfs directory.

This patch cleans up this problem by mirroring the registration and
Unregistration flow correctly.
After this patch, the unregistration flow becomes:

  1. clean-up attributes
  2. device_unregister
  3. uio_free_minor

Fixes: 0c9ae0b86050 ("uio: Fix use-after-free in uio_open")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Philippe Belet <philippe.belet@xxxxxxxxx>
Reviewed-by: Igor Klochko <igor.klochko@xxxxxxxxx>
---
 v5:
   - fixed broken link
 v4:
   - reformat the patch
 v3:
   - Updated email subject
 v2:
   - Fixed commit message wrapping
   - Placed 12 char sha1 in "fixes"
   - cc'd stable
 v1: https://lore.kernel.org/all/AM9PR07MB720434A2B0CC99BC0BDCD74E8D61A@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/
---
 drivers/uio/uio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
index 5a4998e2caf8..10e265c49035 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -1125,8 +1125,8 @@ void uio_unregister_device(struct uio_info *info)
 	wake_up_interruptible(&idev->wait);
 	kill_fasync(&idev->async_queue, SIGIO, POLL_HUP);

-	uio_free_minor(minor);
 	device_unregister(&idev->dev);
+	uio_free_minor(minor);

 	return;
 }
--
2.43.7