• Nick Piggin's avatar
    Fix up possibly racy module refcounting · 5fbfb18d
    Nick Piggin authored
    Module refcounting is implemented with a per-cpu counter for speed.
    However there is a race when tallying the counter where a reference may
    be taken by one CPU and released by another.  Reference count summation
    may then see the decrement without having seen the previous increment,
    leading to lower than expected count.  A module which never has its
    actual reference drop below 1 may return a reference count of 0 due to
    this race.
    
    Module removal generally runs under stop_machine, which prevents this
    race causing bugs due to removal of in-use modules.  However there are
    other real bugs in module.c code and driver code (module_refcount is
    exported) where the callers do not run under stop_machine.
    
    Fix this by maintaining running per-cpu counters for the number of
    module refcount increments and the number of refcount decrements.  The
    increments are tallied after the decrements, so any decrement seen will
    always have its corresponding increment counted.  The final refcount is
    the difference of the total increments and decrements, preventing a
    low-refcount from being returned.
    Signed-off-by: default avatarNick Piggin <npiggin@suse.de>
    Acked-by: default avatarRusty Russell <rusty@rustcorp.com.au>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    5fbfb18d
module.c 79 KB