Re: kref refcounting breakage in mainline

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <greg@kroah.com>
To: Andrew Morton <akpm@linux-foundation.org>,
	Mike Galbraith <efault@gmx.de>
Cc: Tejun Heo <htejun@gmail.com>, Kay Sievers <kay.sievers@vrfy.org>,
	linux-kernel@vger.kernel.org, Adrian Bunk <bunk@stusta.de>
Subject: Re: kref refcounting breakage in mainline
Date: Mon, 5 Mar 2007 16:25:21 -0800	[thread overview]
Message-ID: <20070306002521.GA12164@kroah.com> (raw)
In-Reply-To: <20070302005833.949be737.akpm@linux-foundation.org>

On Fri, Mar 02, 2007 at 12:58:33AM -0800, Andrew Morton wrote:
> 
> -mm has a debugging patch which warns when atomic_dec_and_test() takes an
> atomic_t negative
> (ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.20/2.6.20-mm2/broken-out/detect-atomic-counter-underflows.patch).
> 
> 
> When it is applied to current mainline, a simple `rmmod ipw2200' gives:
> 
> [   75.825072] BUG: atomic counter underflow at:
> [   75.825180]  [<c01c6eb4>] kref_put+0x66/0x82
> [   75.825278]  [<c022e4d4>] bus_remove_driver+0x66/0x75
> [   75.825383]  [<c022ee2c>] driver_unregister+0x8/0x13
> [   75.825484]  [<c01d7add>] pci_unregister_driver+0xc/0x45
> [   75.825593]  [<c0132147>] sys_delete_module+0x157/0x17c
> [   75.825703]  [<c013c663>] audit_syscall_entry+0x10d/0x137
> [   75.825818]  [<c0103b14>] syscall_call+0x7/0xb
> [   75.825913]  [<c02d0000>] xfrm4_dst_destroy+0xe/0xd5
> 
> This didn't happen in 2.6.20-mm2, so this bug was introduced by a patch
> which was not in the -mm lineup twelve days ago.
> 
> Presumably the effect of this is a memory leak or a use-after-free.

Ok, after a zillion bisects, I've tracked this down to:
	commit 63ce18cfe685115ff8d341bae4c9204a79043cf0
	Author: Mike Galbraith <efault@gmx.de>
	Date:   Wed Feb 21 12:45:35 2007 -0800

	    driver core: refcounting fix
	    
	    Fix a reference counting bug exposed by commit
	    725522b5453dd680412f2b6463a988e4fd148757.  If driver.mod_name exists, we
	    take a reference in module_add_driver(), and never release it.  Undo that
	    reference in module_remove_driver().
	    
	    Signed-off-by: Mike Galbraith <efault@gmx.de>
	    Cc: Kay Sievers <kay.sievers@vrfy.org>
	    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	

Mike, I've reverted this patch, and I don't see any references leaking.
And, as your patch released the reference on the driver, and the
module_add_driver() call would not grab a reference to the driver, only
the module kobject, I don't see what you were trying to fix with this
patch.

Do you have a test case that this fixes?

Otherwise, I'll just revert it.

thanks,

greg k-h

next prev parent reply	other threads:[~2007-03-06  0:26 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-03-02  8:58 kref refcounting breakage in mainline Andrew Morton
2007-03-03  5:48 ` Greg KH
2007-03-06  0:25 ` Greg KH [this message]
2007-03-06  5:43   ` Mike Galbraith
2007-03-06 21:04     ` Greg KH
2007-03-07  5:38       ` Mike Galbraith
2007-03-10 15:44         ` Mike Galbraith
2007-03-10 16:03           ` Mike Galbraith
2007-03-15  5:27           ` Greg KH
2007-03-15  7:53             ` Mike Galbraith
2007-03-15  8:06               ` Greg KH
2007-03-15  8:32                 ` Mike Galbraith
2007-03-15  9:39                   ` Mike Galbraith
     [not found]                   ` <1173953960.6624.45.camel@Homer.simpson.net>
2007-03-15 14:54                     ` Greg KH
2007-03-19 23:41                       ` Randy Dunlap
2007-03-06 12:11   ` Mel Gorman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20070306002521.GA12164@kroah.com \
    --to=greg@kroah.com \
    --cc=akpm@linux-foundation.org \
    --cc=bunk@stusta.de \
    --cc=efault@gmx.de \
    --cc=htejun@gmail.com \
    --cc=kay.sievers@vrfy.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.