[PATCH 2/2] kobject: wait until kobject is cleaned up before freeing module

From: Ming Lei
Date: Fri Nov 05 2021 - 02:38:55 EST

Next message: Leonard Crestez: "Re: [PATCH v2 06/25] tcp: authopt: Compute packet signatures"
Previous message: Ming Lei: "[PATCH 1/2] kobject: don't delay to cleanup module kobject"
In reply to: Ming Lei: "[PATCH 1/2] kobject: don't delay to cleanup module kobject"
Next in thread: kernel test robot: "Re: [PATCH 2/2] kobject: wait until kobject is cleaned up before freeing module"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

kobject_put() may become asynchronously because of
CONFIG_DEBUG_KOBJECT_RELEASE, so once kobject_put() returns, the caller may
expect the kobject is released after the last refcnt is dropped, however
CONFIG_DEBUG_KOBJECT_RELEASE just schedules one delayed work function
for cleaning up the kobject. Inside the cleanup handler, kobj->ktype and
kobj->ktype->release are required.

It is supposed that no activity is on kobject itself any more since
module_exit() is started, so it is reasonable for the kobject user or
driver to expect that kobject can be really released in the last run of
kobject_put() in module_exit() code path. Otherwise, it can be thought as
one driver's bug since the module is going away.

When the ->ktype and ->ktype->release are allocated as module static
variable, it can cause trouble because the delayed cleanup handler may
be run after the module is unloaded.

Fixes the issue by flushing scheduled kobject cleanup work before
freeing module.

Reported-by: Petr Mladek <pmladek@xxxxxxxx>
Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
---
include/linux/kobject.h | 1 +
lib/kobject.c | 62 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+)

diff --git a/include/linux/kobject.h b/include/linux/kobject.h
index ea30529fba08..e5e3419cf36b 100644
--- a/include/linux/kobject.h
+++ b/include/linux/kobject.h
@@ -70,6 +70,7 @@ struct kobject {
struct kernfs_node *sd; /* sysfs directory entry */
struct kref kref;
#ifdef CONFIG_DEBUG_KOBJECT_RELEASE
+ struct list_head node;
struct delayed_work release;
#endif
unsigned int state_initialized:1;
diff --git a/lib/kobject.c b/lib/kobject.c
index 4c0dbe11be3d..f5fd6017d8ce 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -17,6 +17,12 @@
#include <linux/slab.h>
#include <linux/random.h>
#include <linux/module.h>
+#include <linux/delay.h>
+
+#ifdef CONFIG_DEBUG_KOBJECT_RELEASE
+static LIST_HEAD(kobj_cleanup_list);
+static DEFINE_SPINLOCK(kobj_cleanup_lock);
+#endif

/**
* kobject_namespace() - Return @kobj's namespace tag.
@@ -682,6 +688,13 @@ static void kobject_cleanup(struct kobject *kobj)
struct kobject *parent = kobj->parent;
struct kobj_type *t = get_ktype(kobj);
const char *name = kobj->name;
+#ifdef CONFIG_DEBUG_KOBJECT_RELEASE
+ unsigned long flags;
+
+ spin_lock_irqsave(&kobj_cleanup_lock, flags);
+ list_del(&kobj->node);
+ spin_unlock_irqrestore(&kobj_cleanup_lock, flags);
+#endif

pr_debug("kobject: '%s' (%p): %s, parent %p\n",
kobject_name(kobj), kobj, __func__, kobj->parent);
@@ -716,11 +729,49 @@ static void kobject_cleanup(struct kobject *kobj)
}

#ifdef CONFIG_DEBUG_KOBJECT_RELEASE
+/*
+ * Module notifier call back, flushing scheduled kobject cleanup work
+ * before freeing module
+ */
+static int kobj_module_callback(struct notifier_block *nb,
+ unsigned long val, void *data)
+{
+ LIST_HEAD(pending);
+
+ if (val != MODULE_STATE_GOING)
+ return NOTIFY_DONE;
+
+ spin_lock_irq(&kobj_cleanup_lock);
+ list_splice_init(&kobj_cleanup_list, &pending);
+ spin_unlock_irq(&kobj_cleanup_lock);
+
+ while (!list_empty_careful(&pending))
+ msleep(jiffies_to_msecs(HZ / 10));
+
+ flush_scheduled_work();
+ return NOTIFY_DONE;
+}
+
+static struct notifier_block kobj_module_nb = {
+ .notifier_call = kobj_module_callback,
+};
+
static void kobject_delayed_cleanup(struct work_struct *work)
{
kobject_cleanup(container_of(to_delayed_work(work),
struct kobject, release));
}
+
+static int __init kobj_delayed_cleanup_init(void)
+{
+ WARN_ON(register_module_notifier(&kobj_module_nb));
+ return 0;
+}
+#else
+static int __init kobj_delayed_cleanup_init(void)
+{
+ return 0;
+}
#endif

static void kobject_release(struct kref *kref)
@@ -728,6 +779,7 @@ static void kobject_release(struct kref *kref)
struct kobject *kobj = container_of(kref, struct kobject, kref);
#ifdef CONFIG_DEBUG_KOBJECT_RELEASE
unsigned long delay = HZ + HZ * (get_random_int() & 0x3);
+ unsigned long flags;

if (kobj->ktype == &module_ktype)
delay = 0;
@@ -736,6 +788,10 @@ static void kobject_release(struct kref *kref)
kobject_name(kobj), kobj, __func__, kobj->parent, delay);
INIT_DELAYED_WORK(&kobj->release, kobject_delayed_cleanup);

+ spin_lock_irqsave(&kobj_cleanup_lock, flags);
+ list_add(&kobj->node, &kobj_cleanup_list);
+ spin_unlock_irqrestore(&kobj_cleanup_lock, flags);
+
schedule_delayed_work(&kobj->release, delay);
#else
kobject_cleanup(kobj);
@@ -1146,3 +1202,9 @@ void kobj_ns_drop(enum kobj_ns_type type, void *ns)
spin_unlock(&kobj_ns_type_lock);
}
EXPORT_SYMBOL_GPL(kobj_ns_drop);
+
+static int __init kobj_subsys_init(void)
+{
+ return kobj_delayed_cleanup_init();
+}
+core_initcall(kobj_subsys_init)
--
2.31.1

Next message: Leonard Crestez: "Re: [PATCH v2 06/25] tcp: authopt: Compute packet signatures"
Previous message: Ming Lei: "[PATCH 1/2] kobject: don't delay to cleanup module kobject"
In reply to: Ming Lei: "[PATCH 1/2] kobject: don't delay to cleanup module kobject"
Next in thread: kernel test robot: "Re: [PATCH 2/2] kobject: wait until kobject is cleaned up before freeing module"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]