From: Keith Owens <kaos@ocs.com.au>
To: Andrew Morton <akpm@zip.com.au>
Cc: Linux-Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: simple handling of module removals Re: [OKS] Module removal
Date: Thu, 04 Jul 2002 14:00:21 +1000 [thread overview]
Message-ID: <12188.1025755221@kao2.melbourne.sgi.com> (raw)
In-Reply-To: Your message of "Wed, 03 Jul 2002 18:53:55 MST." <3D23AAB3.1AF2F897@zip.com.au>
On Wed, 03 Jul 2002 18:53:55 -0700,
Andrew Morton <akpm@zip.com.au> wrote:
>Keith Owens wrote:
>> Rusty and I agree that if (and it's a big if) we want to support module
>> unloading safely then this is the only sane way to do it.
>
>Dumb question: what's wrong with the current code as-is? I don't think
>I've ever seen a module removal bug report which wasn't attributable to
>some straightforward driver-failed-to-clean-something-up bug.
>
>What problem are you trying to solve here?
Uncounted references to module code and/or data.
To be race safe, the reference count must be bumped before calling
any function that might be in a module. With the current unload
method, MOD_INC_USE_COUNT inside the module is too late.
Al Viro closed some of these races by adding the owner field and
using try_inc_mod_count. That assumes that every bit of code that
dereferences a function pointer will handle the module locking.
Code to externally bump the use count must itself be race safe.
drivers/char/busmouse.c::busmouse_open() has
if (mse->ops->owner && !try_inc_mod_count(mse->ops->owner))
This is safe because it first does
down(&mouse_sem)
which locks mse and its operations. At least I assume it is safe, I
hope that mse operations cannot be deregistered without mouse_sem.
Although this appears to be safe, it is not obvious that it is safe,
you have to trace the interaction between mouse_sem, the module
unload_lock, the MOD_DELETED flag for the module and the individual
module clean up routines to be sure that there are no races.
OTOH, HiSax_mod_inc_use_count appears to be unsafe. It has no
locking of its own before calling try_inc_mod_count(). AFAICT this
race exists :-
HiSax_command() -> HiSax_mod_inc_use_count()
mod = cs->hw.hisax_d_if->owner;
// race here
if (mod)
try_inc_mod_count(mod);
Without any (obvious) locking to prevent hisax unregistration on
another cpu, mod can be deleted in the middle of that code. To add
insult to injury, HiSax_mod_inc_use_count does not check if it locked
the module or not, it blindly assumes it worked and continues to use
the module structures!
I cannot be sure if get_mtd_device() (calls try_inc_mod_count) is
safe or not. There is no locking around calls to get_mtd_device()
which makes it look unsafe. OTOH it is invoked from mtdblock_open()
via mtd_fops.open, which may mean that a higher routine is locking
the module down. But it is not obvious that the code is safe.
If get_mtd_device() is being protected by a higher routine such as
get_fops() then the module use count is already non-zero and
try_inc_mod_count will always succeed. In that case,
try_inc_mod_count is overkill, an unconditional __MOD_INC_USE_COUNT
will do the job just as well. In either case, there is a question
mark over this code.
Similar comments for net/core/dev.c::dev_open(). No obvious locks to
protect the parameters passed to try_inc_mod_count, they may or may
not be protected by a lock in a higher routine. try_inc_mod_count
may or may not be overkill here.
The main objections to the existing reference counting model are :-
* Complex and fragile. The interactions between try_inc_mod_count,
some other lock that protects the parameters to try_inc_mod_count and
the module clean up routines are not obvious. Every module writer
has to get the interaction exactly right.
* Difficult to audit. Is get_mtd_device() safe or not? If it is safe,
why is it safe and is try_inc_mod_count overkill?
* Easy to omit. The comments above only apply to the code that is
using try_inc_mod_count. How much code exists that should be doing
module locking but is not?
* All the external locking is scattered around the kernel, anywhere
that might call a function in a module.
* The external locking is extra cpu overhead (and storage, but to a
lesser extent) all the time. Just to cope with a relatively rare
unload event.
Given those objections, Rusty is looking at alternative methods,
ranging from no unload at all to an unload method that moves all the
complexity into module.c instead of spreading it around the kernel.
next prev parent reply other threads:[~2002-07-04 3:58 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-07-01 17:48 [OKS] Module removal Bill Davidsen
2002-07-01 18:35 ` Richard B. Johnson
2002-07-01 18:42 ` Jose Luis Domingo Lopez
2002-07-01 18:45 ` Shawn
2002-07-01 19:57 ` Diego Calleja
2002-07-01 20:03 ` Diego Calleja
2002-07-01 22:20 ` Jose Luis Domingo Lopez
2002-07-01 22:56 ` Ryan Anderson
2002-07-02 11:37 ` Stephen C. Tweedie
2002-07-02 12:04 ` Richard B. Johnson
2002-07-02 13:13 ` jlnance
2002-07-03 3:48 ` simple handling of module removals " Pavel Machek
2002-07-03 17:25 ` Richard B. Johnson
2002-07-03 23:46 ` Daniel Phillips
2002-07-08 12:21 ` Richard B. Johnson
2002-07-08 12:41 ` Thunder from the hill
2002-07-08 12:57 ` Richard B. Johnson
2002-07-08 13:58 ` Thunder from the hill
2002-07-08 15:48 ` Daniel Gryniewicz
2002-07-08 17:23 ` Thunder from the hill
2002-07-08 13:06 ` Keith Owens
2002-07-08 13:15 ` Keith Owens
2002-07-03 23:48 ` Daniel Phillips
2002-07-05 9:40 ` Stephen Tweedie
2002-07-06 19:40 ` Daniel Phillips
2002-07-06 19:47 ` Pavel Machek
2002-07-04 1:18 ` Keith Owens
2002-07-04 1:53 ` Andrew Morton
2002-07-04 4:00 ` Keith Owens [this message]
2002-07-04 2:25 ` Brian Gerst
2002-07-04 3:54 ` David Gibson
2002-07-04 4:08 ` Keith Owens
2002-07-04 15:02 ` Brian Gerst
2002-07-04 19:18 ` Werner Almesberger
2002-07-05 13:48 ` Pavel Machek
2002-07-07 14:56 ` Keith Owens
2002-07-07 22:36 ` Roman Zippel
2002-07-08 1:09 ` Daniel Mose
2002-07-09 17:07 ` Daniel Mose
2002-07-08 18:13 ` Pavel Machek
2002-07-08 22:43 ` Keith Owens
2002-07-09 14:00 ` Pavel Machek
2002-07-02 15:20 ` Bill Davidsen
2002-07-02 15:53 ` Jonathan Corbet
2002-07-02 16:07 ` Oliver Neukum
2002-07-02 17:48 ` Tom Rini
2002-07-02 18:10 ` Oliver Neukum
2002-07-02 21:50 ` Ryan Anderson
2002-07-03 22:26 ` Diego Calleja
2002-07-04 0:00 ` Keith Owens
2002-07-04 8:04 ` Helge Hafting
2002-07-02 16:08 ` Werner Almesberger
[not found] ` <Pine.LNX.3.95.1020702075957.24872A-100000@chaos.analogic.c om>
2002-07-04 8:36 ` Mike Galbraith
2002-07-03 0:09 ` Vojtech Pavlik
2002-07-12 21:51 ` David Lang
[not found] <0C01A29FBAE24448A792F5C68F5EA47D2B0A8A@nasdaq.ms.ensim.com>
2002-07-04 0:29 ` simple handling of module removals " pmenage
2002-07-04 0:59 ` Daniel Phillips
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=12188.1025755221@kao2.melbourne.sgi.com \
--to=kaos@ocs.com.au \
--cc=akpm@zip.com.au \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox