Re: [linux-usb-devel] [PATCH] back out sysfs reference count change

[Alan Stern]

On Wed, 31 Mar 2004, Maneesh Soni wrote:

> For convenience I will explain the race here..
> 
> cpu 0							cpu 1
> kobject_unregister()				   sysfs_open_file()
>   kobject_del()					     check_perm()
>     sysfs_remove_dir()					   :
>      (dentry remains alive due to ref. taken 		   :
>       on the way to sysfs_open_file)			   :
>   kobject_put()					   	   :
>     kobject_cleanup()					kobject_get(->d_fsdata)
> 
> cpu 1 could end up referring to a freed kobject through dentry->d_fsdata or
> starts spitting Badness in kobject_get at lib/kobject.c:429. For triggering 
> this race try running these two loops simultaneously on SMP 
> 
> # while true; do insmod drivers/net/dummy.ko; rmmod dummy; done
> # while true; do find /sys/class/net | xargs cat; done
> 
> Probably it can be solved by making sure that when sysfs file is 
> opened/read/written some _race_ free check is done and fail if kobject if gone. 
> 
> Maneesh

Here's a suggestion.  At the start of check_perm() grab the dentry 
semaphore, then check whether d_fsdata is NULL, if it isn't then do the 
kobject_get(), then unlock the semaphore.

Alan Stern

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/