From: Alexey Dobriyan <adobriyan@openvz.org>
To: Duncan Sands <duncan.sands@math.u-psud.fr>
Cc: linux-kernel@vger.kernel.org, adobriyan@gmail.com
Subject: Re: remove_proc_entry and read_proc
Date: Thu, 1 Feb 2007 19:09:04 +0300 [thread overview]
Message-ID: <20070201160904.GC6023@localhost.sw.ru> (raw)
Duncan Sands wrote:
> On Wednesday 31 January 2007 19:42:51 Alexey Dobriyan wrote:
> > On Wed, Jan 31, 2007 at 11:54:35AM +0100, Duncan Sands wrote:
> > > Can read_proc still be executing when remove_proc_entry returns?
> > >
> > > In my driver [*] I allocate some data and create a proc entry using
> > > create_proc_entry. My read method reads from my allocated data. When
> > > shutting down, I call remove_proc_entry and immediately free the data.
> > > If some call to read_proc is still executing at this point then it will
> > > be accessing freed memory. Can this happen? I've been rummaging around
> > > in fs/proc to see what prevents it, but didn't find anything yet.
> >
> > This should be fixed by the following patch (in -mm currently):
> > http://kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.20-rc6/2.6.20-rc6-mm3/broken-out/fix-rmmod-read-write-races-in-proc-entries.patch
> >
> > Tell me if you're unsure it will.
>
> Excellent! But tell me,
>
> + atomic_inc(&dp->pde_users);
> + if (!dp->proc_fops)
>
> don't you need a memory barrier between these two? Also a corresponding
> one where proc_fops is set to NULL.
I believe, barriers not needed, not now.
This scheme relies on the fact that remove_proc_entry() will be the only
place that will clear ->proc_fops and, once cleared, ->proc_fops will
never be resurrected. Clearing of ->proc_fops will eventually propagate
to CPU doing first check, thus preveting refcount bumps from this CPU.
What can be missed is some "rogue" readers or writers¹. Big deal.
> + /*
> + * Stop accepting new readers/writers. If you're dynamically
> + * allocating ->proc_fops, save a pointer somewhere.
> + */
> + de->proc_fops = NULL;
> + /* Wait until all readers/writers are done. */
> + if (atomic_read(&de->pde_users) > 0) {
> + spin_unlock(&proc_subdir_lock);
> + msleep(1);
> + goto again;
> + }
>
> I don't understand how this is supposed to work. Consider
>
> CPU1 CPU2
>
> atomic_inc(&dp->pde_users);
> if (dp->proc_fops)
> de->proc_fops = NULL;
> use_proc_fops <= BOOM
> if (atomic_read(&de->pde_users) > 0) {
>
> what prevents dereference of a NULL proc_fops value?
¹ Sigh, modules should do removals of proc entries first. And I should check
for that.
next reply other threads:[~2007-02-01 16:02 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-02-01 16:09 Alexey Dobriyan [this message]
2007-02-02 7:31 ` remove_proc_entry and read_proc Duncan Sands
2007-02-05 11:39 ` Alexey Dobriyan
2007-02-05 12:05 ` Duncan Sands
-- strict thread matches above, loose matches on Subject: below --
2007-01-31 10:54 Duncan Sands
2007-01-31 18:42 ` Alexey Dobriyan
2007-01-31 19:26 ` Duncan Sands
2007-02-01 10:15 ` Duncan Sands
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070201160904.GC6023@localhost.sw.ru \
--to=adobriyan@openvz.org \
--cc=adobriyan@gmail.com \
--cc=duncan.sands@math.u-psud.fr \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.