From: Tejun Heo <htejun@gmail.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Jonathan Corbet <corbet@lwn.net>,
	ebiederm@xmission.com, cornelia.huck@de.ibm.com, greg@kroah.com,
	stern@rowland.harvard.edu, kay.sievers@vrfy.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/4] module: implement module_inhibit_unload()
Date: Tue, 25 Sep 2007 17:25:17 +0900
Message-ID: <46F8C5ED.6060101@gmail.com>
In-Reply-To: <1190695118.27805.307.camel@localhost.localdomain>

Rusty Russell wrote:
> On Tue, 2007-09-25 at 12:36 +0900, Tejun Heo wrote:
>> Rusty Russell wrote:
>>> As stated you cannot protect arbitrary code this way, as you are trying
>>> to do.  I do not think you've broken any of the current code, but I
>>> cannot tell.  You're certainly going to surprise unsuspecting future
>>> authors.
>> Can you elaborate a bit?  Why can't it protect the code?
> 
> Because you don't know what that code does.  After all, it's assumed
> that module code doesn't get called after exit and you're deliberately
> violating that assumption.

What I meant by protecting 'code' was the 'code' itself: the pages
containing the instructions that the CPU executes.  It of course can't
protect against all the things they do.

>>> Can you really not figure out the module owner of the sysfs entry to inc
>>> its use count during this procedure?  (__module_get()).
>> I can but I don't think it's worth the effort.  It will involve passing
>> @owner parameter down through kobject to sysfs but the path is pretty
>> obscure and thus difficult to test.
> 
> Have you tested that *this* path works?  Let's take your first change as
> an example:
> 
> +       mutex_lock(&gdev->reg_mutex);
> +       __ccwgroup_remove_symlinks(gdev);
> +       device_unregister(dev);
> +       mutex_unlock(&gdev->reg_mutex);
> 
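Review bot: the hunk holds gdev->reg_mutex across device_unregister(dev) without a comment saying why that is safe; device_unregister() tears down the device's sysfs entries, and when this path is entered from a sysfs attribute of the same device (the suicide case this patchset is about) the lock ordering between reg_mutex and that teardown should be documented, e.g. a one-line comment above mutex_lock(&gdev->reg_mutex) stating what reg_mutex protects and that nothing acquired during unregister nests inside it.
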
> Now, are you sure that calling cleanup_ccwgroup just after
> device_unregister() works?
> 
> static void __exit
> cleanup_ccwgroup (void)
> {
> 	bus_unregister (&ccwgroup_bus_type);
> }

It should.  After ->exit() is called, there can't be any object left
behind.  If a module is hosting objects which can't be destroyed from
->exit(), its module ref count shouldn't be zero.  So, either 1.
refcount != 0 or 2. ->exit() can destroy all objects.  As Cornelia
explains, for ccwgroup, it's #1.  Note that unload inhibition doesn't
change anything about this.

>> I think it's too much work for the
>> users of the API and it will be easy to pass the wrong @owner and go
>> unnoticed.
> 
> But your shortcut insists that all module authors be aware that
> functions can be running after exit() is called.  That's a recipe for
> instability and disaster.

No, it doesn't change that at all.  All unload inhibition does is
postpone removal of the code (and data too, of course) section a bit so
that a module can host code which issues unloading of itself.  Object
synchronization rules remain exactly the same.  Formerly broken code is
still broken, and I don't even think unload inhibition would mask it
much either.

I think the naming is too ambiguous.  Maybe it should be named something
like "hold_module_for_suicide".

Thanks.

-- 
tejun
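
The two cases argued above (refcount != 0, or ->exit() destroys every hosted object) and the deferred code removal that unload inhibition adds can be modelled outside the kernel. The following is an added userspace C example, not code from this patchset or from the kernel; struct sim_module, sim_delete_module(), sim_inhibit_unload(), sim_allow_unload() and sim_call_into_module() are stand-ins invented here for struct module, delete_module(2), the proposed module_inhibit_unload() and the sysfs core calling into an attribute ->store(). It shows a ->store() that unloads its own module: without inhibition the callback returns into freed text; with inhibition the unload is deferred until the core has left module code; and with a non-zero refcount the unload is refused and the hosted object survives.

```c
#include <stdbool.h>
#include <stdio.h>

#define SIM_EBUSY 16  /* stands in for the kernel's EBUSY */

/* Hypothetical userspace stand-in for struct module; not the kernel's. */
struct sim_module {
    const char *name;
    int refcnt;          /* taken by __module_get(), dropped by module_put() */
    int inhibit;         /* active holders of the proposed module_inhibit_unload() */
    bool unload_pending; /* delete_module() arrived while inhibited */
    bool text_mapped;    /* false once the code section has been freed */
    int live_objects;    /* devices/sysfs nodes the module hosts */
};

/* ->exit(): destroys every object the module still hosts. */
static void sim_exit(struct sim_module *m)
{
    m->live_objects = 0;
}

/* The step after which executing the module's text is a use-after-free. */
static void sim_free_module(struct sim_module *m)
{
    sim_exit(m);
    m->text_mapped = false;
}

/* Analogue of the delete_module(2) path. */
int sim_delete_module(struct sim_module *m)
{
    if (m->refcnt > 0)
        return -SIM_EBUSY;        /* case 1: hosted objects pin the refcount */
    if (m->inhibit > 0) {
        m->unload_pending = true; /* defer until the inhibiting caller has left module text */
        return 0;
    }
    sim_free_module(m);           /* case 2: ->exit() can destroy everything */
    return 0;
}

void sim_inhibit_unload(struct sim_module *m)
{
    m->inhibit++;
}

void sim_allow_unload(struct sim_module *m)
{
    if (--m->inhibit == 0 && m->unload_pending) {
        m->unload_pending = false;
        sim_free_module(m);
    }
}

/* An attribute ->store() that unloads its own module ("suicide"). */
static int suicidal_store(struct sim_module *m)
{
    return sim_delete_module(m);
}

/*
 * Model of the sysfs core calling into module code.  Returns -1 if control
 * would return into freed text, otherwise the callback's own result.
 */
int sim_call_into_module(struct sim_module *m,
                         int (*op)(struct sim_module *), bool inhibit)
{
    int ret;

    if (!m->text_mapped)
        return -1;
    if (inhibit)
        sim_inhibit_unload(m);  /* done by the core, outside the module's own text */
    ret = op(m);
    if (!m->text_mapped)
        ret = -1;               /* callback still "running" here: its code was freed under it */
    if (inhibit)
        sim_allow_unload(m);    /* back in core code: a deferred unload may proceed now */
    return ret;
}

/* Run one suicide attempt; *m is left for inspection. */
int sim_scenario(bool inhibit, int refcnt, struct sim_module *m)
{
    *m = (struct sim_module){ .name = "ccwgroup_sim", .refcnt = refcnt,
                              .text_mapped = true, .live_objects = 1 };
    return sim_call_into_module(m, suicidal_store, inhibit);
}

int main(void)
{
    struct sim_module m;
    int ret;

    ret = sim_scenario(false, 0, &m);
    printf("no inhibit, refcnt 0: ret=%d text_mapped=%d\n", ret, m.text_mapped);
    ret = sim_scenario(true, 0, &m);
    printf("inhibit, refcnt 0:    ret=%d text_mapped=%d objects=%d\n",
           ret, m.text_mapped, m.live_objects);
    ret = sim_scenario(true, 1, &m);
    printf("inhibit, refcnt 1:    ret=%d text_mapped=%d objects=%d\n",
           ret, m.text_mapped, m.live_objects);
    return 0;
}
```

The inhibit/allow pair sits in sim_call_into_module(), i.e. in the caller that is not part of the module, which is the point of the thread: the module's own code never has to know that it is being held, and object lifetime rules (the refcount in the third scenario) are untouched by the mechanism.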


Thread overview: 31+ messages
2007-09-20  7:26 [PATCHSET 2/4] sysfs: allow suicide Tejun Heo
2007-09-20  7:26 ` [PATCH 4/4] sysfs: make suicidal nodes just do it directly Tejun Heo
2007-09-20  9:24   ` Cornelia Huck
2007-09-20  9:43     ` Tejun Heo
2007-09-28 13:54   ` Cornelia Huck
2007-09-28 14:27     ` Tejun Heo
2007-09-20  7:26 ` [PATCH 1/4] module: implement module_inhibit_unload() Tejun Heo
2007-09-24 22:00   ` Jonathan Corbet
2007-09-24 23:18     ` Tejun Heo
2007-09-24 23:42       ` Rusty Russell
2007-09-25  1:40         ` Tejun Heo
2007-09-25  2:12           ` Rusty Russell
2007-09-25  2:39             ` Tejun Heo
2007-09-25  3:21               ` Rusty Russell
2007-09-25  3:36                 ` Tejun Heo
2007-09-25  4:38                   ` Rusty Russell
2007-09-25  8:01                     ` Cornelia Huck
2007-09-25  8:25                     ` Tejun Heo [this message]
2007-09-25  8:36                       ` Tejun Heo
2007-09-25  8:50                         ` Rusty Russell
2007-09-25 14:05                           ` Tejun Heo
2007-09-25 14:24       ` Alan Stern
2007-09-25 14:30         ` Tejun Heo
2007-09-25 15:09           ` Alan Stern
2007-09-25 23:15             ` Tejun Heo
2007-09-25 23:41               ` Rusty Russell
2007-09-26  1:42                 ` Tejun Heo
2007-09-26 14:39               ` Alan Stern
2007-09-20  7:26 ` [PATCH 3/4] sysfs: care-free suicide for sysfs files Tejun Heo
2007-09-20  7:26 ` [PATCH 2/4] sysfs: make the sysfs_addrm_cxt->removed list FIFO Tejun Heo
2007-09-25 22:02 ` [PATCHSET 2/4] sysfs: allow suicide Greg KH
