[PATCH 03/12] mISDN: fix race in timer canceling on module unloading

From: Konstantin Khlebnikov
Date: Fri Dec 14 2012 - 06:02:34 EST

Next message: Konstantin Khlebnikov: "[PATCH 05/12] staging: vme_pio2: fix oops on module unloading"
Previous message: Konstantin Khlebnikov: "[PATCH 02/12] driver core: add debug-objects debug for device-drivers"
In reply to: Konstantin Khlebnikov: "[PATCH 02/12] driver core: add debug-objects debug for device-drivers"
Next in thread: David Miller: "Re: [PATCH 03/12] mISDN: fix race in timer canceling on moduleunloading"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Using timer_pending() without additional syncronization is racy,
del_timer_sync() must be used here for waiting in-flight handler.
Bug caught with help from "debug-objects" during random insmod/rmmod.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxx>
Cc: Karsten Keil <isdn@xxxxxxxxxxxxxx>
Cc: David S. Miller <davem@xxxxxxxxxxxxx>
Cc: netdev <netdev@xxxxxxxxxxxxxxx>

---

<4>[ 459.470685] ------------[ cut here ]------------
<4>[ 459.471144] WARNING: at lib/debugobjects.c:255 debug_print_object+0x50/0x60() (Tainted: P WC --------------- T)
<4>[ 459.471144] Hardware name: System Product Name
<3>[ 459.471144] ODEBUG: free active object type: timer_list
<4>[ 459.471144] Modules linked in: [a lot] [last unloaded: mISDN_dsp]
<4>[ 459.471144] Pid: 86812, comm: rmmod veid: 0 Tainted: P WC --------------- T 2.6.32-279.5.1.el6-042stab061.7-vz #112
<4>[ 459.471144] Call Trace:
<4>[ 459.471144] [<ffffffff81073407>] ? warn_slowpath_common+0x87/0xc0
<4>[ 459.471144] [<ffffffff810734f6>] ? warn_slowpath_fmt+0x46/0x50
<4>[ 459.471144] [<ffffffff81541b71>] ? _spin_lock_irqsave+0x91/0xb0
<4>[ 459.471144] [<ffffffff812b59b8>] ? debug_check_no_obj_freed+0x88/0x210
<4>[ 459.471144] [<ffffffff812b54d0>] ? debug_print_object+0x50/0x60
<4>[ 459.471144] [<ffffffff812b5a55>] ? debug_check_no_obj_freed+0x125/0x210
<4>[ 459.471144] [<ffffffff81188d66>] ? __vunmap+0x56/0x130
<4>[ 459.471144] [<ffffffff81188edf>] ? vfree+0x3f/0x50
<4>[ 459.471144] [<ffffffff81035a71>] ? module_free+0x11/0x20
<4>[ 459.471144] [<ffffffff810d1eea>] ? free_module+0x12a/0x180
<4>[ 459.471144] [<ffffffff810d216b>] ? sys_delete_module+0x1db/0x260
<4>[ 459.471144] [<ffffffff81541102>] ? trace_hardirqs_on_thunk+0x3a/0x3f
<4>[ 459.471144] [<ffffffff8100b1c2>] ? system_call_fastpath+0x16/0x1b
<4>[ 459.471144] ---[ end trace e17743cc12462133 ]---
---
drivers/isdn/mISDN/dsp_core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/isdn/mISDN/dsp_core.c b/drivers/isdn/mISDN/dsp_core.c
index 28c99c6..22b720e 100644
--- a/drivers/isdn/mISDN/dsp_core.c
+++ b/drivers/isdn/mISDN/dsp_core.c
@@ -1217,8 +1217,7 @@ static void __exit dsp_cleanup(void)
{
mISDN_unregister_Bprotocol(&DSP);

- if (timer_pending(&dsp_spl_tl))
- del_timer(&dsp_spl_tl);
+ del_timer_sync(&dsp_spl_tl);

if (!list_empty(&dsp_ilist)) {
printk(KERN_ERR "mISDN_dsp: Audio DSP object inst list not "

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Konstantin Khlebnikov: "[PATCH 05/12] staging: vme_pio2: fix oops on module unloading"
Previous message: Konstantin Khlebnikov: "[PATCH 02/12] driver core: add debug-objects debug for device-drivers"
In reply to: Konstantin Khlebnikov: "[PATCH 02/12] driver core: add debug-objects debug for device-drivers"
Next in thread: David Miller: "Re: [PATCH 03/12] mISDN: fix race in timer canceling on moduleunloading"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]