Re: Notifier chains are unsafe

[Pete Zaitcev <zaitcev@redhat.com>]

On Fri, 28 Oct 2005 10:48:00 +1000, Keith Owens <kaos@ocs.com.au> wrote:

> We should be able to call notifier_call_chain() from any context.  That
> includes oops, panic, NMI and other unmaskable machine check events.
> If you can call notifier_call_chain() from an unmaskable context then
> it follows that the callbacks cannot take any locks.  Locks are not
> safe in NMI context.

I understand your need, Keith, but this is impossible, as long as we
meet demands of people who want to unregister notifiers from their
own call-out functions (or other notifiers). Remember that these
functions might sleep. Obviously, those functions which your code calls
from an NMI context are written with that in mind and do not try to
allocate memory with GFP_KERNEL. However, this is not the case for
all notifier call-out functions.

I am inclined to think that we have to split the notifier interface
in two: with locked chain walk and with unlocked chain walk.
The "unlocked" version can be returned to its Linux 2.2 state,
where no locks of any sort were taken at all, even during the
registration. Keith would be using that one. The locked version
would be in use by USB and others.

The claim that unregister_reboot_notifier has not be called from the
notifier call-out was made by Leonard, who is, unfortunately, dead,
so we cannot ask if he changed his mind:
 http://www.ussg.iu.edu/hypermail/linux/kernel/0007.3/0548.html
Perhaps it's not true anymore. Also ANK appeared to observe that the
practice was unsafe anyway.

-- Pete