Hundreds of bugs in 2.3.99-pre3

From: Tim Waugh (tim@cyberelk.demon.co.uk)
Date: Fri Mar 31 2000 - 11:12:54 EST


I have made a list of functions that have module unload races -- see
below.

Please see the post from Keith Owens for a full explanation; the gist of
it is that this is bad:

foo_open (...)
{
        stuff..
        if (fail)
                return -EBUSY;
        sleep.. (might get unloaded here)
        stuff..
        MOD_INC_USE_COUNT;
        return 0;
}

whereas this is good:

foo_open (...)
{
        MOD_INC_USE_COUNT;
        stuff..
        if (fail) {
                MOD_DEC_USE_COUNT;
                return -EBUSY;
        }
        sleep.. (safe now)
        stuff..
        return 0;
}

Some of the functions I've listed are probably quite safe, but I think
that most of them are unsafe. Please review your code if you think this
might affect you, or if a function you maintain is in this list.

This list is also available at
<URL:ftp://people.redhat.com/twaugh/tmp/mod_inc_use>.

Thanks,
Tim.

2.3.99-pre3 list of unsafe/broken functions (w.r.t. module reference counts):

[patch exists] arch/ppc/8xx_io/uart.c:rs_8xx_open -- wrong (left used on error)
drivers/atm/ambassador.c:amb_open -- kmalloc before inc
drivers/atm/atmtcp.c:atmtcp_create -- wrong
drivers/atm/eni.c:eni_init_one -- kmalloc before inc
drivers/atm/fore200e.c:fore200e_open -- kmalloc before inc
drivers/atm/horizon.c:hrz_open -- kmalloc before inc
drivers/atm/nicstar.c:ns_init_card -- ??
drivers/atm/nicstar.c:ns_open -- ??
drivers/block/DAC960.c:DAC960_Open -- might be okay
drivers/block/acsi.c:acsi_open -- sleeps before inc
[patch exists] drivers/block/xd.c:xd_open -- sleeps before inc
drivers/block/amiflop.c:floppy_open -- sleeps before inc
drivers/block/ataflop.c:floppy_open -- left used on error
drivers/block/loop.c:lo_open -- can potentially sleep before inc?
drivers/block/lvm.c:lvm_do_vg_create -- kmalloc before inc
drivers/block/rd.c:rd_open -- igrab before inc
drivers/block/z2ram.c:z2_open -- kmalloc before inc
drivers/cdrom/aztcd.c:aztcd_open -- seems to be okay
drivers/cdrom/mcd.c:mcd_open -- blocks before inc
drivers/cdrom/optcd.c:opt_open -- COMCLOSE can block
drivers/cdrom/sjcd.c:sjcd_open -- looks okay
drivers/cdrom/sonycd535.c:cdu_open -- can check_drive_status block?
drivers/char/agp/agpgart_be.c:agp_allocate_memory -- kmalloc called first (intel_810_alloc_by_type) -- but do we care here?
drivers/char/agp/agpgart_be.c:intel_810_alloc_by_type -- agp_create_memory can block
drivers/char/agp/agpgart_fe.c:agp_open -- calls kmalloc first
drivers/char/drm/gamma_drv.c:gamma_open -- drm_open_helper can block
drivers/char/drm/tdfx_drv.c:tdfx_open -- drm_open_helper can block
drivers/char/bttv.c:bttv_open -- calls vmalloc before inc
drivers/char/bttv.c:vbi_open -- can block (down)
drivers/char/bttv.c:radio_open -- ?? someone needs to look at bttv
drivers/char/busmouse.c:busmouse_open -- calls down before inc
drivers/char/buz.c:zoran_open -- calls kmalloc first (in v4l_fbuffer_alloc)
drivers/char/dtlk.c:dtlk_open -- dangling module reference on error
drivers/char/epca.c:pc_open -- dangling module reference on error
drivers/char/istallion.c:stli_open -- dangling module reference on error
drivers/char/logibusmouse.c:open_mouse -- wrong
drivers/char/moxa.c:moxa_open -- get_free_page can block
drivers/char/msbusmouse.c:open_mouse -- request_irq can block
drivers/char/msp3400.c:msp_attach -- calls kmalloc further up
drivers/char/mxser.c:mxser_open -- can block first
drivers/char/n_hdlc.c:n_hdlc_tty_open -- n_hdlc_alloc calls kmalloc
drivers/char/n_r3964.c:r3964_open -- dangling module reference on error
drivers/char/pcxx.c:pcxe_open -- dangling module reference on error
drivers/char/planb.c:planb_open -- planb_prepare_open calls kmalloc
drivers/char/qpmouse.c:open_qp -- wrong
drivers/char/riscom8.c:rc_setup_board -- calls request_irq further up
drivers/char/rocket.c:rp_open -- sleeps first
drivers/char/saa5249.c:saa5249_attach -- calls kmalloc further up
drivers/char/saa5249.c:saa5249_open -- ?? does i2c_master_send block?
drivers/char/saa7110.c:saa7110_attach -- wrong
drivers/char/saa7110.c:saa7111_attach -- wrong
drivers/char/saa7185.c:saa7185_attach -- wrong
drivers/char/sh-sci.c:sci_open -- looks suspicious -- can reference count go negative here?
drivers/char/specialix.c:sx_setup_board -- wrong
drivers/char/stallion.c:stl_open -- leaves dangling module reference on error
drivers/char/sx.c:sx_open -- module count can go negative on error
drivers/char/tda8425.c:tda8425_attach -- wrong
drivers/char/tda985x.c:tda985x_attach -- wrong
drivers/char/tea6300.c:tea6300_attach -- wrong
drivers/char/tuner-3036.c:tuner_attach -- wrong
drivers/char/tuner.c:tuner_attach -- calls kmalloc further up
drivers/char/vme_scc.c:scc_open -- suspicious reference count handling
drivers/char/zr36120.c:zoran_open -- wrong I think
drivers/char/zr36120.c:vbi_open -- wrong I think
drivers/char/joystick/joy-magellan.c:js_mag_ldisc_open -- js_register_port calls kmalloc
drivers/char/joystick/joy-spaceball.c:js_sball_ldisc_open -- wrong
drivers/char/joystick/joy-spaceorb.c:js_orb_ldisc_open -- wrong
drivers/char/joystick/joy-warrior.c:js_war_ldisc_open -- wrong
drivers/char/joystick/joystick.c:js_open -- wrong
drivers/char/pcmcia/serial_cb.c:serial_attach -- wrong
drivers/i2c/i2c-algo-bit.c:i2c_bit_add_bus -- maybe test_bus can block? might be fine
drivers/i2c/i2c-algo-pcf.c:i2c_pcd_add_bus -- maybe test_bus can block? might be fine
drivers/i2c/i2c-dev.c:i2cdev_open -- calls kmalloc first
drivers/i2o/i2o_block.c:i2ob_open -- i2o_post_wait calls kmalloc
drivers/i2o/i2o_config.c:cfg_open -- calls kmalloc first
drivers/i2o/i2o_lan.c:i2o_lan_open -- calls kmalloc first
drivers/ieee1394/raw1394.c:dev_open -- calls kmalloc further up
drivers/isdn/isdn_bsdcomp.c:bsd_alloc -- vmalloc
drivers/isdn/avmb1/b1pci.c:b1pci_add_card -- calls kmalloc further up
drivers/isdn/avmb1/capi.c:capiminor_alloc -- kmem_cache_alloc
drivers/isdn/avmb1/kcapi.c:notify_push -- wrong
drivers/net/3c501.c:el_open -- wrong
drivers/net/3c503.c:el2_open -- wrong
drivers/net/3c505.c:elp_open -- calls request_xxx further up
drivers/net/3c509.c:el3_open -- calls request_irq further up
drivers/net/3c515.c:corkscrew_open -- calls request_irq further up
drivers/net/3c523.c:elmc_open -- calls request_irq further up
drivers/net/3c527.c:mc32_open -- could call sleep_on? in mc32_command
drivers/net/3c59x.c:vortex_attach -- wrong
drivers/net/3c59x.c:vortex_open -- calls request_irq further up
drivers/net/82596.c:i596_open -- request_irq
drivers/net/a2065.c:lance_open -- calls request_irq further up
drivers/net/ac3200.c:ac_open -- wrong (but not yet)
drivers/net/am79c961a.c:am79c961_open -- dangling reference count on error
drivers/net/ariadne.c:ariadne_open -- wrong (request_irq)
drivers/net/arlan.c:arlan_open -- request_irq further up
drivers/net/atari_bionet.c:bionet_open -- stdma_lock can sleep I think
drivers/net/atari_pamsnet.c:pamsnet_open -- stdma_lock can sleep I think
drivers/net/bmac.c:bmac_open -- probably fine; easy to make obviously correct
drivers/net/bonding.c:bond_enslave -- calls kmalloc further up
drivers/net/bsd_comp.c:bsd_alloc -- vmalloc
drivers/net/cs89x0.c:net_open -- calls request_irq further up
drivers/net/daynaport.c:ns8390_open -- wrong
drivers/net/de4x5.c:de4x5_open -- calls request_irq further up
drivers/net/de600.c:de600_open -- wrong
drivers/net/de620.c:de620_open -- wrong
drivers/net/declance.c:lance_open -- !! doesn't bump reference count at all??
drivers/net/depca.c:depca_open -- calls request_irq further up
drivers/net/dmfe.c:dmfe_open -- calls kmalloc first
drivers/net/e2100.c:e21_open -- calls request_irq further up
drivers/net/eepro.c:eepro_open -- calls request_irq further up
drivers/net/eexpress.c:eexp_open -- request_region can block
drivers/net/eql.c:eql_open -- eql_new_slave_queue calls kmalloc
drivers/net/ewrk3.c:ewrk3_open -- calls request_irq further up
drivers/net/hp-plus.c:hpp_open -- calls request_irq further up
drivers/net/hp100.c:hp100_open -- wrong
drivers/net/hplance.c:hplance_open -- lance_open calls request_irq
drivers/net/hydra.c:hydra_open -- wrong
drivers/net/ioc3-eth.c:ioc3_open -- calls request_irq further up
drivers/net/lance.c:lance_open -- wrong
drivers/net/mac89x0.c:net_open -- calls request_irq further up
drivers/net/mvme147.c:m147lance_open -- lance_open can block
drivers/net/ncr885e.c:ncr885e_open -- calls request_irq further up
drivers/net/ni5010.c:ni5010_open -- calls request_irq further up
drivers/net/ni52.c:ni52_open -- wrong
drivers/net/ni65.c:ni65_open -- calls request_irq further up
drivers/net/pcnet32.c:pcnet32_open -- calls request_irq further up
drivers/net/ppp_async.c:ppp_asynctty_open -- kmalloc
drivers/net/ppp_deflate.c:z_comp_alloc -- kmalloc
drivers/net/ppp_deflate.c:z_decomp_alloc -- kmalloc
drivers/net/ppp_generic.c:ppp_register_channel -- this code is changing and the patch I saw was wrong
drivers/net/ppp_synctty.c:ppp_sync_open -- wrong
drivers/net/rcpci45.c:RCopen -- kmalloc
drivers/net/rrunner.c:rr_open -- kmalloc, request_irq
drivers/net/rtl8129.c:rtl8129_open -- wrong
drivers/net/sb1000.c:sb1000_open -- calls request_irq further up
drivers/net/sis900.c:sis900_open -- wrong
drivers/net/sk_mca.c:skmca_open -- request_irq
drivers/net/skeleton.c:net_open -- request_irq
drivers/net/smc-mca.c:ultramca_open -- calls request_irq further up
drivers/net/smc-ultra.c:ultra_open -- calls request_irq further up
drivers/net/smc-ultra32.c:ultra32_open -- request_irq
drivers/net/strip.c:strip_open -- strip_alloc calls kmalloc
drivers/net/sunbmac.c:bigmac_open -- wrong
drivers/net/sunhme.c:happy_meal_open -- request_irq
drivers/net/sunlance.c:lance_open -- request_irq
drivers/net/tlan.c:TLan_Open -- dangling reference count on error
drivers/net/wavelan.c:wavelan_open -- request_irq
drivers/net/yellowfin.c:yellowfin_open -- wrong
drivers/net/hamradio/6pack.c:sixpack_open -- sp_alloc can block
drivers/net/hamradio/soundmodem/sm.c:sm_open -- can call parport_register_device, which can block
drivers/net/hamradio/baycom_epp.c:epp_open -- parport_register_device
drivers/net/hamradio/baycom_par.c:par96_open -- parport_register_device
drivers/net/hamradio/baycom_ser_fdx.c:ser12_open -- request_irq
drivers/net/hamradio/baycom_ser_hdx.c:ser12_open -- request_irq
drivers/net/hamradio/dmascc.c:scc_open -- ??
drivers/net/hamradio/hdlcdrv.c:hdlcdrv_register_hdlcdrv -- kmalloc further up
drivers/net/hamradio/mkiss.c:ax25_open -- ax_alloc calls kmalloc
drivers/net/hamradio/pi2.c:pi_open -- calls request_dma -- might free a free irq too (first_time never zeroed)
drivers/net/hamradio/pt.c:pt_open -- same as pi2
drivers/net/hamradio/yam.c:yam_open -- request_irq
drivers/net/irda/actisys.c:actisys_open -- might be okay -- does set_dtr_rts ever block?
drivers/net/irda/irport.c:irport_net_open -- request_irq further up
drivers/net/irda/irtty.c:irtty_open -- calls kmalloc further up
drivers/net/irda/irtty.c:irtty_net_open -- don't know
drivers/net/irda/nsc-ircc.c:nsc_ircc_net_open -- request_irq further up
drivers/net/irda/smc-ircc.c:ircc_net_open -- request_dma
drivers/net/irda/toshoboe.c:toshoboe_net_open -- don't know
drivers/net/irda/w83977af_ir.c:w83977af_net_open -- request_irq further up
drivers/net/pcmcia/3c575_cb.c:vortex_open -- request_irq
drivers/net/pcmcia/com20020_cs.c:com20020_config -- looks wrong
drivers/net/pcmcia/smc91c92_cs.c:smc91c92_open -- Not sure -- looks suspicious
drivers/net/pcmcia/xircom_tulip_cb.c:tulip_open -- wrong
drivers/net/sk98lin/skge.c:SkGeOpen -- who knows? easy to make safe
drivers/net/skfp/skfddi.c:skfp_open -- request_irq
drivers/net/tokenring/abyss.c:abyss_open -- tms380tr_open can block
drivers/net/tokenring/ibmtr.c:tok_close -- sleep_on
drivers/net/tokenring/madgemc.c:madgemc_open -- wrong
drivers/net/tokenring/olympic.c:olympic_open -- request_irq
drivers/net/tokenring/smctr.c:smctr_open -- not sure; might be fine
drivers/net/tokenring/tmspci.c:tms_pci_open -- wrong
drivers/net/tokenring/lanstreamer.c:streamer_open -- request_irq
drivers/net/wan/dlci.c:dlci_add -- calls kmalloc further up
drivers/net/wan/hostess_sv11.c:hostess_open -- needs checking
drivers/net/wan/lapbether.c:lapbeth_open -- where is lapb_register?
drivers/net/wan/sdla.c:sdla_open -- looks okay?
drivers/net/wan/sealevel.c:sealevel_open -- needs checking
drivers/net/wan/x25_asy.c:x25_asy_open_tty -- calls kmalloc
drivers/net/wan/comx-hw-comx.c:COMX_init -- calls kmalloc further up
drivers/net/wan/comx-hw-locomx.c:LOCOMX_init -- calls kmalloc further up
drivers/net/wan/comx-hw-mixcom.c:MIXOM_init -- kmalloc
drivers/net/wan/comx-proto-fr.c:fr_master_init -- kmalloc
drivers/net/wan/comx-proto-fr.c:fr_slave_init -- kmalloc
drivers/net/wan/comx-proto-lapb.c:comxlapb_open -- where is lapb_connect_request?
drivers/net/wan/comx-proto-lapb.c:comxlapb_init -- what about lapb_register?
drivers/net/wan/comx-proto-ppp.c:syncppp_init -- kmalloc
drivers/net/wan/comx.c:comx_mkdir -- kmalloc
drivers/pcmcia/cb_enabler.c:cb_attach -- wrong
drivers/pcmcia/ds.c:ds_open -- kmalloc
drivers/pnp/isapnp_proc.c:isapnp_info_entry_open -- vmalloc
drivers/sbus/audio/audio.c:sparcaudio_open -- can sleep
drivers/sbus/audio/audio.c:register_sparcaudio_driver -- calls kmalloc further up
drivers/sbus/char/aurora.c:aurora_setup_port -- can block (get_free_page)
drivers/sbus/char/openprom.c:openprom_open -- wrong
drivers/sbus/char/pcikbd.c:aux_open -- poll_aux_status can block
drivers/sbus/char/sab82532.c:sab82532_open -- blocks further up
drivers/sbus/char/su.c:su_open -- blocks further up
drivers/scsi/scsi.c:scsi_register_host -- can block further up -- also leaves dangling reference count on error
drivers/scsi/scsi.c:scsi_register_device_module -- dangling reference count -- needs checking for races
drivers/scsi/pcmcia/apa1480_stub.c:apa1480_attach -- calls kmalloc further up
drivers/sound/cmpci.c:cm_open -- can block
drivers/sound/cmpci.c:cm_mini_open -- can block
drivers/sound/cmpci.c:cm_dmfm_open -- can block
drivers/sound/es1370.c:es1370_open -- can block
drivers/sound/es1370.c:es1370_open_dac -- can block
drivers/sound/es1370.c:es1370_open_midi -- can block
drivers/sound/es1371.c:es1371_open -- can block
drivers/sound/es1371.c:es1371_open_dac -- can block
drivers/sound/es1371.c:es1371_open_midi -- can block
drivers/sound/esssolo1.c:solo1_open -- can block
drivers/sound/esssolo1.c:solo1_midi_open -- can block
drivers/sound/esssolo1.c:solo1_dmfm_open -- can block
drivers/sound/maestro.c:ess_open -- can block
drivers/sound/midi_synth.c:midi_synth_open -- needs checking
drivers/sound/sonicvibes.c:sv_open -- can block
drivers/sound/sonicvibes.c:sv_midi_open -- can block
drivers/sound/sonicvibes.c:sv_dmfm_open -- can block
drivers/sound/trident.c:trident_open -- can block
drivers/usb/audio.c:usb_audio_open_mixdev -- can block
drivers/usb/audio.c:usb_audio_open -- can block
drivers/usb/cpia.c:cpia_open -- can block
drivers/usb/dc2xx.c:camera_open -- wrong
drivers/usb/evdev.c:evdev_open -- calls kmalloc
drivers/usb/ibmcam.c:ibmcam_open -- can block
drivers/usb/ibmcam.c:usb_ibmcam_probe -- can block
drivers/usb/joydev.c:joydev_open -- calls kmalloc first
drivers/usb/mousedev.c:mousedev_open -- calls kmalloc first
drivers/usb/ov511.c:ov511_open -- can block
drivers/usb/pegasus.c:pegasus_open -- not clear but easy to fix
drivers/usb/plusb.c:plusb_net_open -- plusb_alloc calls kmalloc
drivers/usb/plusb.c:plusb_probe -- plusb_alloc calls kmalloc
drivers/usb/printer.c:usblp_open -- usblp_check_status calls kmalloc eventually
drivers/usb/uss720.c:uss720_probe -- calls kmalloc further up
drivers/usb/serial/usb-serial.c:usb_serial_probe -- calls kmalloc further up
drivers/usb/mdc800.c:mdc800_device_open -- usb_submit_urb can block
drivers/video/atafb.c:atafb_init -- request_irq further up
drivers/video/cyberfb.c:cyberfb_init -- looks unsafe
drivers/video/mdacon.c:mdacon_init -- not sure -- needs checking
drivers/video/pm2fb.c:pm2fb_init -- looks unsafe
drivers/video/retz3fb.c:z3fb_init -- looks unsafe
drivers/video/skeletonfb.c:xxxfb_init -- see the others
drivers/video/tdfxfb.c:tdfxfb_init -- not sure, looks unsafe
drivers/video/virgefb.c:virgefb_init -- looks unsafe
drivers/ide/ide-tape.c:idetape_chrdev_open -- unreadable code, ifdefs everywhere
net/atm/lec.c:lecd_attach -- not sure; easy to make safer
net/atm/mpc.c:atm_mpoa_mpoad_attach -- unsafe (kmalloc)
net/appletalk/ddp.c:atif_add_device -- kmalloc further up
net/appletalk/ddp.c:atalk_create -- sk_alloc(..GFP_KERNEL..)
net/ax25/af_ax25.c:ax25_create_db -- wrong
net/decnet/af_decnet.c:dn_alloc_sock -- might sleep
net/ipv4/netfilter/ip_tables.c:ipt_register_target -- wrong
net/ipv4/netfilter/ip_tables.c:ipt_register_match -- wrong
net/ipv4/netfilter/ip_tables.c:ipt_register_table -- wrong
net/ipv6/af_inet6.c:inet6_create -- unsafe
net/ipv6/tcp_ipv6.c:tcp_v6_syn_recv_sock -- not sure, looks unsafe
net/ipx/af_ipx.c:ipx_create -- unsafe
net/ipx/af_spx.c:spx_create -- unsafe
net/irda/compressors/irda_deflate.c:z_comp_alloc -- wrong
net/irda/compressors/irda_deflate.c:z_decomp_alloc -- wrong
net/lapb/lapb_iface.c:lapb_create_cb -- wrong
net/sched/sch_atm.c:atm_tc_init -- qdisc_create_dflt calls kmalloc
net/sched/sch_dsmark.c:dsmark_init -- wrong
net/sched/sch_prio.c:prio_init -- prio_tune can call qdisc_create_dflt which calls kmalloc
net/wanrouter/wanmain.c:register_wan_device -- create_proc_entry can block
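The two patterns from the top of the post, plus the "left used on error" failure from the list, as an added user-space model; this is not kernel code and not part of the original message. `insmod`, `rmmod` and `sleep_point` are constructed stand-ins for the loader and for the blocking step, and `mod` is a single simulated module.

```c
#include <errno.h>
#include <stdbool.h>
/* Constructed user-space model of a 2.3-era module use count; not kernel code. */
struct module {
        int use_count;   /* what MOD_INC_USE_COUNT / MOD_DEC_USE_COUNT adjust */
        bool loaded;     /* cleared once rmmod succeeds */
};
static struct module mod;
/* insmod: a freshly loaded module with no users. */
static struct module *insmod(void) { mod.use_count = 0; mod.loaded = true; return &mod; }

/* rmmod: succeeds only while nobody holds a reference. */
static bool rmmod(struct module *m)
{
        if (m->use_count != 0)
                return false;
        m->loaded = false;
        return true;
}

/* Stand-in for "sleep..": while open() blocks, someone may run rmmod. */
static void sleep_point(struct module *m, bool rmmod_races)
{
        if (rmmod_races)
                rmmod(m);
}

/* Bad (the first snippet): the count is bumped only after the blocking call. */
static int unsafe_open(struct module *m, bool rmmod_races)
{
        sleep_point(m, rmmod_races);
        if (!m->loaded)         /* still running after unload: a crash in the real kernel */
                return -ENODEV;
        m->use_count++;         /* MOD_INC_USE_COUNT, too late to help */
        return 0;
}

/* Also bad ("left used on error" in the list): bumped first, never dropped on failure. */
static int leaky_open(struct module *m, bool fail)
{
        m->use_count++;
        return fail ? -EBUSY : 0;
}

/* Good (the second snippet): take the reference before anything that can block, drop it on every error path. */
static int safe_open(struct module *m, bool fail, bool rmmod_races)
{
        m->use_count++;         /* MOD_INC_USE_COUNT */
        if (fail) {
                m->use_count--; /* MOD_DEC_USE_COUNT */
                return -EBUSY;
        }
        sleep_point(m, rmmod_races);
        return 0;
}
```

With `rmmod_races` set, `unsafe_open` returns into a module that is no longer loaded, while `safe_open` makes the concurrent rmmod fail until the reference is dropped again.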




This archive was generated by hypermail 2b29 : Fri Mar 31 2000 - 21:00:29 EST