lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.64.1101080811400.29089@hs20-bc2-1.build.redhat.com>
Date:	Sat, 8 Jan 2011 08:19:19 -0500 (EST)
From:	Mikulas Patocka <mpatocka@...hat.com>
To:	Greg KH <gregkh@...e.de>
cc:	linux-kernel@...r.kernel.org, dm-devel@...hat.com
Subject: Re: kobject_put vs module unload

On Fri, 7 Jan 2011, Greg KH wrote:

> On Fri, Jan 07, 2011 at 10:42:22PM -0500, Mikulas Patocka wrote:
> > Hi
> > 
> > I'm looking at some kobject problem in device mapper and I came across 
> > this problem:
> > 
> > According to kobject interface specification, If we embed a kobject into 
> > the device structure, we shouldn't free the device structure when the 
> > device is unloaded, but we should register a "release" callback in 
> > kobj_type that will actually free the device structure.
> 
> That is correct.
> 
> What does "device is unloaded" mean?  That really doesn't mean anything
> in reference to the driver model/kobject code.
> 
> > What happens in this scenario?:
> > 
> > 1) someone references a device kobject
> > 2) the device is unloaded (but the device structure is still in memory 
> > because of that reference)
> 
> What do you mean here?  How can a device be "unloaded"?  Is it just
> unregistered?

Device mapper devices can be unloaded by the user with "dmsetup remove" 
command. Other drivers (like md), offer other commands to unload devices, 
but the principle is the same.

> > 3) the driver module is unloaded
> 
> Oops, you just lost.

If you unload all device mappers's devices, the module reference count 
drops to zero and you can unload the device mapper module.

> > 4) the reference obtained at point 1) is dropped, kobject reference count 
> > reaches zero and the release callback is called. But that callback points 
> > to an unloaded module and causes a crash.
> > 
> > How is it solved? Am I missing something?
> 
> You have the code that creates and frees the object, to not be in the
> module that could have been unloaded.  It's really just that simple.

If the whole device mapper subsystem can be a module, where can I put the 
code?

I think a similar bug exists in md, it can also be unloaded as a module 
and it has "release" method in its module code.

> Hope this helps,
> 
> greg k-h

Mikulas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ