[BUG] kobject module-ref race-condition or unsafe module_put(THIS_MODULE)

From: David Herrmann
Date: Sat Oct 29 2011 - 13:52:50 EST

Next message: Scott James Remnant: "Re: [PATCH] coredump: wait on the core pattern umh at least once"
Previous message: Arjan van de Ven: "[PATCH 3/3] tty: remove the (now) unused tty_default_fops() function"
Next in thread: Greg KH: "Re: [BUG] kobject module-ref race-condition or unsafemodule_put(THIS_MODULE)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi

I currently do not understand how kobjects keep a reference to the
owning module. Lets assume I provide a "release" method via a
kobj_type for my kobject. I want to go sure my module is still alive
when this method is called. Otherwise, this "release" method would be
no longer available and we would jump into invalid memory. Therefore,
I need to take a reference to my own module. This seems trivial.
However, how do I release this reference again?
The most simple solution might be calling module_put(THIS_MODULE) in
my "release" method. However, if this call drops the module-refcount
to 0 and immediately removes the module, the module_put() returns to
my "release" function which now is no longer available.

It seems quite unlikely that the cleanup of a module is faster than
two function-returns, however, theoretically there is a race
condition.

The following example is based on fs/char_dev.c. Lets assume my module
provides a kobject structure. On init I take a ref to myself with
try_module_get(THIS_MODULE).
I add my own kobj_type with the following release function:

static void mydev_put(struct mydev *p)
{
if (p) {
kobject_put(&p->kobj);
module_put(THIS_MODULE);
}
}

How can we go sure that module_put() doesn't free my own module before
it returns? Isn't a call to module_put(THIS_MODULE) always unsafe
(unless I own at least two references)?

grep "module_put(THIS_MODULE)" -r ./kernel_src/ | wc -l
returns 118 results.
I doubt that all these 118 places can got sure that they own at least
2 references when calling this, otherwise it would be quite unsafe to
call this function.

Maybe I have missed some important fact here, but this seems quite
unsafe to me. Adding a "owner" field to a kobj_type would fix that
issue for kobjects/devices.

Regards
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Scott James Remnant: "Re: [PATCH] coredump: wait on the core pattern umh at least once"
Previous message: Arjan van de Ven: "[PATCH 3/3] tty: remove the (now) unused tty_default_fops() function"
Next in thread: Greg KH: "Re: [BUG] kobject module-ref race-condition or unsafemodule_put(THIS_MODULE)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]