linux/lib
Linus Torvalds a49b7e82ca kobject: fix kset_find_obj() race with concurrent last kobject_put()
Anatol Pomozov identified a race condition that hits module unloading
and re-loading.  To quote Anatol:

 "This is a race codition that exists between kset_find_obj() and
  kobject_put().  kset_find_obj() might return kobject that has refcount
  equal to 0 if this kobject is freeing by kobject_put() in other
  thread.

  Here is timeline for the crash in case if kset_find_obj() searches for
  an object tht nobody holds and other thread is doing kobject_put() on
  the same kobject:

    THREAD A (calls kset_find_obj())     THREAD B (calls kobject_put())
    splin_lock()
                                         atomic_dec_return(kobj->kref), counter gets zero here
                                         ... starts kobject cleanup ....
                                         spin_lock() // WAIT thread A in kobj_kset_leave()
    iterate over kset->list
    atomic_inc(kobj->kref) (counter becomes 1)
    spin_unlock()
                                         spin_lock() // taken
                                         // it does not know that thread A increased counter so it
                                         remove obj from list
                                         spin_unlock()
                                         vfree(module) // frees module object with containing kobj

    // kobj points to freed memory area!!
    kobject_put(kobj) // OOPS!!!!

  The race above happens because module.c tries to use kset_find_obj()
  when somebody unloads module.  The module.c code was introduced in
  commit 6494a93d55fa"

Anatol supplied a patch specific for module.c that worked around the
problem by simply not using kset_find_obj() at all, but rather than make
a local band-aid, this just fixes kset_find_obj() to be thread-safe
using the proper model of refusing the get a new reference if the
refcount has already dropped to zero.

See examples of this proper refcount handling not only in the kref
documentation, but in various other equivalent uses of this pattern by
grepping for atomic_inc_not_zero().

[ Side note: the module race does indicate that module loading and
  unloading is not properly serialized wrt sysfs information using the
  module mutex.  That may require further thought, but this is the
  correct fix at the kobject layer regardless. ]

Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-13 15:15:30 -07:00
..
lzo lib/lzo: Update LZO compression to current upstream version 2013-02-20 19:36:01 +01:00
mpi mpilib: use DIV_ROUND_UP and remove unused macros 2013-02-01 16:28:32 +11:00
raid6 lib/raid6: build proper files on corresponding arch 2012-12-13 19:51:04 +11:00
reed_solomon
xz decompressors: fix typo "POWERPC" 2013-03-13 15:21:48 -07:00
zlib_deflate
zlib_inflate
.gitignore X.509: Implement simple static OID registry 2012-10-08 13:50:18 +10:30
argv_split.c
asn1_decoder.c Nothing all that exciting; a new module-from-fd syscall for those who want 2012-12-19 07:55:08 -08:00
atomic64_test.c atomic64_test: simplify the #ifdef for atomic64_dec_if_positive() test 2012-07-30 17:25:16 -07:00
atomic64.c lib: atomic64: Initialize locks statically to fix early users 2012-12-20 13:50:16 -08:00
audit.c
average.c
bcd.c usb/core: use bin2bcd() for bcdDevice in RH 2012-09-10 11:13:16 -07:00
bch.c
bitmap.c propagate name change to comments in kernel source 2012-12-06 10:39:54 +01:00
bitrev.c
bsearch.c
btree.c btree: catch NULL value before it does harm 2012-06-07 14:43:55 -07:00
bug.c taint: add explicit flag to show whether lock dep is still OK. 2013-01-21 17:17:57 +10:30
build_OID_registry X.509: Implement simple static OID registry 2012-10-08 13:50:18 +10:30
bust_spinlocks.c printk: Provide a wake_up_klogd() off-case 2013-03-22 16:41:20 -07:00
check_signature.c
checksum.c asm-generic headers: Allow yet more arch overrides in checksum.h 2013-02-11 20:00:33 +05:30
clz_tab.c
cmdline.c
cordic.c
cpu_rmap.c lib: cpu_rmap: avoid flushing all workqueues 2013-01-11 14:54:54 -08:00
cpu-notifier-error-inject.c cpu: rewrite cpu-notifier-error-inject module 2012-07-30 17:25:22 -07:00
cpumask.c bootmem: fix wrong call parameter for free_bootmem() 2012-12-11 17:22:28 -08:00
crc7.c
crc8.c
crc16.c
crc32.c sections: fix const sections for crc32 table 2012-10-06 03:04:46 +09:00
crc32defs.h
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
ctype.c
debug_locks.c
debugobjects.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
dec_and_lock.c
decompress_bunzip2.c
decompress_inflate.c
decompress_unlzma.c
decompress_unlzo.c lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c 2013-02-20 19:36:00 +01:00
decompress_unxz.c
decompress.c lib/decompress.c add __init to decompress_method and data 2012-10-06 03:05:32 +09:00
devres.c lib/devres.c: fix misplaced #endif 2013-02-27 19:10:09 -08:00
digsig.c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2013-02-21 08:18:12 -08:00
div64.c lib: correct link to the original source for div64_u64 2012-06-28 11:51:39 +02:00
dma-debug.c dma-debug: update DMA debug API to better handle multiple mappings of a buffer 2013-03-22 16:41:20 -07:00
dump_stack.c
dynamic_debug.c dynamic_debug: add pr_errs before -EINVALs 2013-01-17 12:19:09 -08:00
dynamic_queue_limits.c bql: Avoid possible inconsistent calculation. 2012-05-31 18:18:17 -04:00
earlycpio.c lib: Add early cpio decoder 2012-09-30 18:02:20 -07:00
extable.c
fault-inject.c fault-inject: avoid call to random32() if fault injection is disabled 2012-06-20 14:39:36 -07:00
fdt_ro.c of/lib: Allow scripts/dtc/libfdt to be used from kernel code 2012-07-23 13:54:52 +01:00
fdt_rw.c of/lib: Allow scripts/dtc/libfdt to be used from kernel code 2012-07-23 13:54:52 +01:00
fdt_strerror.c of/lib: Allow scripts/dtc/libfdt to be used from kernel code 2012-07-23 13:54:52 +01:00
fdt_sw.c of/lib: Allow scripts/dtc/libfdt to be used from kernel code 2012-07-23 13:54:52 +01:00
fdt_wip.c of/lib: Allow scripts/dtc/libfdt to be used from kernel code 2012-07-23 13:54:52 +01:00
fdt.c of/lib: Allow scripts/dtc/libfdt to be used from kernel code 2012-07-23 13:54:52 +01:00
find_last_bit.c
find_next_bit.c
flex_array.c
flex_proportions.c lib/flex_proportions.c: fix corruption of denominator in flexible proportions 2012-09-25 08:59:21 -07:00
gcd.c lib/gcd.c: prevent possible div by 0 2012-10-06 03:04:57 +09:00
gen_crc32table.c sections: fix const sections for crc32 table 2012-10-06 03:04:46 +09:00
genalloc.c genalloc: stop crashing the system when destroying a pool 2012-10-25 14:37:52 -07:00
halfmd4.c
hexdump.c dynamic_debug: dynamic hex dump 2013-01-17 12:19:09 -08:00
hweight.c
idr.c idr: idr_alloc() shouldn't trigger lowmem warning when preloaded 2013-03-13 15:21:49 -07:00
inflate.c
int_sqrt.c
interval_tree_test_main.c random32: rename random32 to prandom 2012-12-17 17:15:26 -08:00
interval_tree.c mm: interval tree updates 2012-10-09 16:22:40 +09:00
iomap_copy.c
iomap.c
iommu-helper.c
ioremap.c
irq_regs.c
is_single_threaded.c
jedec_ddr_data.c ddr: add LPDDR2 data from JESD209-2 2012-05-02 00:04:06 -07:00
kasprintf.c lib/kasprintf.c: use kmalloc_track_caller() to get accurate traces for kvasprintf 2012-10-11 08:50:15 +09:00
Kconfig lib: remove depends on CONFIG_EXPERIMENTAL 2013-01-17 12:11:27 -08:00
Kconfig.debug ImgTec Meta architecture changes for v3.9-rc1 2013-03-03 12:06:09 -08:00
Kconfig.kgdb KGDB/KDB fixes and cleanups 2013-03-02 08:31:39 -08:00
Kconfig.kmemcheck
kfifo.c kfifo: fix kfifo_alloc() and kfifo_init() 2013-02-27 19:10:23 -08:00
klist.c Revert "driver core: check start node in klist_iter_init_node" 2012-04-19 19:17:30 -07:00
kobject_uevent.c netlink: hide struct module parameter in netlink_kernel_create 2012-09-08 18:46:30 -04:00
kobject.c kobject: fix kset_find_obj() race with concurrent last kobject_put() 2013-04-13 15:15:30 -07:00
kstrtox.c kstrto*: add documentation 2012-12-17 17:15:22 -08:00
kstrtox.h
lcm.c
libcrc32c.c
list_debug.c rcu: Fix broken strings in RCU's source code. 2012-07-06 06:01:49 -07:00
list_sort.c
llist.c Disintegrate and delete asm/system.h 2012-03-28 15:58:21 -07:00
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c lockdep: Selftest: convert spinlock to raw spinlock 2013-02-19 08:43:35 +01:00
lru_cache.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
Makefile kfifo: move kfifo.c from kernel/ to lib/ 2013-02-27 19:10:23 -08:00
md5.c
memory-notifier-error-inject.c memory: memory notifier error injection module 2012-07-30 17:25:22 -07:00
memweight.c string: introduce memweight() 2012-07-30 17:25:16 -07:00
nlattr.c netlink: add minlen validation for the new signed types 2012-08-30 13:11:46 -04:00
notifier-error-inject.c fault-injection: notifier error injection 2012-07-30 17:25:22 -07:00
notifier-error-inject.h fault-injection: notifier error injection 2012-07-30 17:25:22 -07:00
of-reconfig-notifier-error-inject.c powerpc+of: Rename and fix OF reconfig notifier error inject module 2012-12-14 10:32:52 +11:00
oid_registry.c X.509: Add utility functions to render OIDs as strings 2012-10-08 13:50:18 +10:30
parser.c lib/parser.c: fix up comments for valid return values from match_number 2013-02-21 17:22:25 -08:00
pci_iomap.c
percpu_counter.c switch the protection of percpu_counter list to spinlock 2012-07-31 09:28:31 +04:00
percpu-rwsem.c percpu_rw_semaphore: add lockdep annotations 2012-12-17 17:15:18 -08:00
plist.c lib/plist.c: make plist test announcements KERN_DEBUG 2012-10-06 03:04:58 +09:00
pm-notifier-error-inject.c PM: PM notifier error injection module 2012-07-30 17:25:22 -07:00
prio_heap.c
proportions.c
radix-tree.c radix-tree: fix contiguous iterator 2012-06-05 10:46:40 -07:00
random32.c prandom: introduce prandom_bytes() and prandom_bytes_state() 2012-12-17 17:15:26 -08:00
ratelimit.c
rational.c lib: Change mail address of Oskar Schirmer 2012-05-17 15:18:37 +02:00
rbtree_test.c random32: rename random32 to prandom 2012-12-17 17:15:26 -08:00
rbtree.c lib/rbtree.c: avoid the use of non-static __always_inline 2013-01-11 14:54:56 -08:00
reciprocal_div.c
rwsem-spinlock.c rwsem-spinlock: Implement writer lock-stealing for better scalability 2013-02-19 08:43:39 +01:00
rwsem.c rwsem: Implement writer lock-stealing for better scalability 2013-02-19 08:42:43 +01:00
scatterlist.c lib/scatterlist: use page iterator in the mapping iterator 2013-02-27 19:10:10 -08:00
sha1.c
show_mem.c
smp_processor_id.c
sort.c
spinlock_debug.c lib/spinlock_debug: avoid livelock in do_raw_spin_lock() 2012-10-06 03:04:57 +09:00
stmp_device.c lib: add support for stmp-style devices 2012-04-20 23:27:08 +02:00
string_helpers.c lib/string_helpers.c: make arrays static 2012-05-29 16:22:32 -07:00
string.c
strncpy_from_user.c word-at-a-time: make the interfaces truly generic 2012-05-26 11:33:40 -07:00
strnlen_user.c lib: Fix generic strnlen_user for 32-bit big-endian machines 2012-05-27 20:59:46 -07:00
swiotlb.c x86: Don't panic if can not alloc buffer for swiotlb 2013-01-29 19:36:53 -08:00
syscall.c
test-kstrtox.c lib/test-kstrtox.c: mark const init data with __initconst instead of __initdata 2012-05-29 16:22:32 -07:00
textsearch.c
timerqueue.c
ts_bm.c
ts_fsm.c
ts_kmp.c
uuid.c
vsprintf.c lib/vsprintf.c: add %pa format specifier for phys_addr_t types 2013-02-21 17:22:20 -08:00