Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.9 2013-04-13T22:15:30Z 2013-04-13T22:15:30Z Linus Torvalds torvalds@linux-foundation.org 2013-04-13T22:15:30Z urn:sha1:a49b7e82cab0f9b41f483359be83f44fbb6b4979 Anatol Pomozov identified a race condition that hits module unloading and re-loading. To quote Anatol: "This is a race codition that exists between kset_find_obj() and kobject_put(). kset_find_obj() might return kobject that has refcount equal to 0 if this kobject is freeing by kobject_put() in other thread. Here is timeline for the crash in case if kset_find_obj() searches for an object tht nobody holds and other thread is doing kobject_put() on the same kobject: THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) splin_lock() atomic_dec_return(kobj->kref), counter gets zero here ... starts kobject cleanup .... spin_lock() // WAIT thread A in kobj_kset_leave() iterate over kset->list atomic_inc(kobj->kref) (counter becomes 1) spin_unlock() spin_lock() // taken // it does not know that thread A increased counter so it remove obj from list spin_unlock() vfree(module) // frees module object with containing kobj // kobj points to freed memory area!! kobject_put(kobj) // OOPS!!!! The race above happens because module.c tries to use kset_find_obj() when somebody unloads module. The module.c code was introduced in commit 6494a93d55fa" Anatol supplied a patch specific for module.c that worked around the problem by simply not using kset_find_obj() at all, but rather than make a local band-aid, this just fixes kset_find_obj() to be thread-safe using the proper model of refusing the get a new reference if the refcount has already dropped to zero. See examples of this proper refcount handling not only in the kref documentation, but in various other equivalent uses of this pattern by grepping for atomic_inc_not_zero(). [ Side note: the module race does indicate that module loading and unloading is not properly serialized wrt sysfs information using the module mutex. That may require further thought, but this is the correct fix at the kobject layer regardless. ] Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-07T23:51:19Z Zhi Yong Wu wuzhy@linux.vnet.ibm.com 2012-05-07T02:48:25Z urn:sha1:9ff1f838e9c019b16b720dca9b04565f1a6e0316 Signed-off-by: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-05-02T21:33:37Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2012-05-02T21:33:37Z urn:sha1:eb1574270a6de8fb8d31ffc3b021e30df0afcda3 This was done to resolve a merge issue with the init/main.c file. Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-04-23T20:34:29Z yan clouds.yan@gmail.com 2012-04-20T13:25:53Z urn:sha1:6b9606106ba58d2bd80610f97e06fea58206b47c create_dir is a static function used only in kobject_add_internal. There's no need to do check here, for kobject_add_internal will reject kobject with invalid name. Signed-off-by: Yan Hong <clouds.yan@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-04-10T21:48:51Z Dan Williams dan.j.williams@intel.com 2012-04-06T20:41:15Z urn:sha1:282029c005e65ffdce3aa9f8220f88a8bbbc4dae 1/ convert open-coded KERN_ERR+dump_stack() to WARN(), so that automated tools pick up this warning. 2/ include the 'child' and 'parent' kobject names. This information was useful for tracking down the case where scsi invoked device_del() on a parent object and subsequently invoked device_add() on a child. Now the warning looks like: kobject_add_internal failed for target8:0:16 (error: -2 parent: end_device-8:0:24) Pid: 2942, comm: scsi_scan_8 Not tainted 3.3.0-rc7-isci+ #2 Call Trace: [<ffffffff8125e551>] kobject_add_internal+0x1c1/0x1f3 [<ffffffff81075149>] ? trace_hardirqs_on+0xd/0xf [<ffffffff8125e659>] kobject_add_varg+0x41/0x50 [<ffffffff8125e723>] kobject_add+0x64/0x66 [<ffffffff8131124b>] device_add+0x12d/0x63a [<ffffffff8125e0ef>] ? kobject_put+0x4c/0x50 [<ffffffff8132f370>] scsi_sysfs_add_sdev+0x4e/0x28a [<ffffffff8132dce3>] do_scan_async+0x9c/0x145 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: James Bottomley <JBottomley@parallels.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-03-07T20:04:04Z Paul Gortmaker paul.gortmaker@windriver.com 2011-11-17T02:29:17Z urn:sha1:8bc3bcc93a2b4e47d5d410146f6546bca6171663 For files only using THIS_MODULE and/or EXPORT_SYMBOL, map them onto including export.h -- or if the file isn't even using those, then just delete the include. Fix up any implicit include dependencies that were being masked by module.h along the way. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-12-21T23:13:54Z Kay Sievers kay.sievers@vrfy.org 2011-12-21T23:13:54Z urn:sha1:b3e8d7b2478401b2f25f4566a90faad54f7d6d07 Now that there are no in-kernel users of this function, remove it as it is no longer needed. Signed-off-by: Kay Sievers <kay.sievers@vrfy.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2011-06-12T21:45:41Z Al Viro viro@zeniv.linux.org.uk 2011-06-09T01:13:01Z urn:sha1:a685e08987d1edf1995b76511d4c98ea0e905377 * new refcount in struct net, controlling actual freeing of the memory * new method in kobj_ns_type_operations (->drop_ns()) * ->current_ns() semantics change - it's supposed to be followed by corresponding ->drop_ns(). For struct net in case of CONFIG_NET_NS it bumps the new refcount; net_drop_ns() decrements it and calls net_free() if the last reference has been dropped. Method renamed to ->grab_current_ns(). * old net_free() callers call net_drop_ns() instead. * sysfs_exit_ns() is gone, along with a large part of callchain leading to it; now that the references stored in ->ns[...] stay valid we do not need to hunt them down and replace them with NULL. That fixes problems in sysfs_lookup() and sysfs_readdir(), along with getting rid of sb->s_instances abuse. Note that struct net *shutdown* logics has not changed - net_cleanup() is called exactly when it used to be called. The only thing postponed by having a sysfs instance refering to that struct net is actual freeing of memory occupied by struct net. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2010-10-22T17:16:44Z Robin Holt holt@sgi.com 2010-09-29T19:00:54Z urn:sha1:c25d1dfbd403209025df41a737f82ce8f43d93f5 One call chain getting to kset_find_obj is: link_mem_sections() find_mem_section() kset_find_obj() This is done during boot. The memory sections were added in a linearly increasing order and link_mem_sections tends to utilize them in that same linear order. Introduce a kset_find_obj_hinted which is passed the result of the previous kset_find_obj which it uses for a quick "is the next object our desired object" check before falling back to the old behavior. Signed-off-by: Robin Holt <holt@sgi.com> To: Robert P. J. Day <rpjday@crashcourse.ca> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2010-05-21T16:37:31Z Serge E. Hallyn serue@us.ibm.com 2010-05-03T21:23:15Z urn:sha1:be867b194a3ae3c680c29521287ae49b4d44d420 Add some in-line comments to explain the new infrastructure, which was introduced to support sysfs directory tagging with namespaces. I think an overall description someplace might be good too, but it didn't really seem to fit into Documentation/filesystems/sysfs.txt, which appears more geared toward users, rather than maintainers, of sysfs. (Tejun, please let me know if I can make anything clearer or failed altogether to comment something that should be commented.) Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Tejun Heo <tj@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>