Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp892548pxv; Thu, 22 Jul 2021 15:18:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzKdLZCLYFx2NI/Z63UR0A8EiGPUFO4ct65cHFPbtrSsYQko5hN4jpqmDzXPcPbqk0qHcQN X-Received: by 2002:a92:c5c5:: with SMTP id s5mr1317578ilt.271.1626992290072; Thu, 22 Jul 2021 15:18:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626992290; cv=none; d=google.com; s=arc-20160816; b=B4fT/2C6DXyksgV7ZDHcPOuoHqSwPgMXm3qr5tiaVqhaDQ7NqjMLZarkRhSUech63s lDcvYixe7d5qXZQvGFqclLwPQEnOnquofPbrEvaTBvcnpFCKxUAbQPAwevflnl1q+c+t 0GKEK1U+4PqRNCl1Jqo3Qv89ArveCUBnctD9U4pdCRnoeYNuvxflL4NExV1S7luX2h6F YlrSM2n5oRlRx82gndmngpQ/q3acwpme6QTOr8UyV0IcPAeEIoDFrME+d/DGFXaPLfNF E2krxcXYcQ8G4v97+vgR7cEBzSGmLTifssS1E9bh7wjT+x/ByBUFChoXSLv8Em2GJ8hu dW5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=KjDm2tntM7APsKw0ldKBybDQvh8O5xALMiXoPEkyZTI=; b=oIhCPwTTffZh7sT8JO7arzBVHBSBSFBlTfmwWSPLv2k5z5/XdoKXGJ0sc3oJdfHveB RCAxHKtpRhyrFk/mFJk3GwOfkc1Z1pgPxHWQ63bQZka5nwF3HJeVmKAiXRXaspaP8x0E hNsQ4H0mMzM8AbyxIUxf7Aro5ZOZHjM+CclaRlo51JOb+V0dRh47vF42ZVrZPJvR3803 bYxcViToczQvzpG/2XKOKN+Vd6uIVSguQzSGT97eSBUMFPhIf9F51/JHjOysc7c5awvV 7UQHimgYcGlljor5F0esUODUkB4Ey++r74ZLtl+y9Q9ItStZbNL2BQ5o3SeIU2346XnB 0LMQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n200si3939562iod.51.2021.07.22.15.17.57; Thu, 22 Jul 2021 15:18:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232072AbhGVVgh (ORCPT + 99 others); Thu, 22 Jul 2021 17:36:37 -0400 Received: from mail-pl1-f180.google.com ([209.85.214.180]:41800 "EHLO mail-pl1-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231533AbhGVVgg (ORCPT ); Thu, 22 Jul 2021 17:36:36 -0400 Received: by mail-pl1-f180.google.com with SMTP id e14so942827plh.8; Thu, 22 Jul 2021 15:17:10 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=KjDm2tntM7APsKw0ldKBybDQvh8O5xALMiXoPEkyZTI=; b=aK9jPCxRz/gghaXzA/b2/yqVvgkg7N/H/XJceMUA3rKvUNlqwwNWoUIrbslPLCMFH2 LmTGbBI1tcMHs4HAgLMW6tmR+FvIvZMrLfPpQwcAWEgB5ORJV1HzH0a1LNWBglp7SdOM BXEroyCdOjEzYj/EEQho2MdKYj3eapXaVUVmYVTTniKXnnTj0D/TgsRd3Pj5+821jycV 2C2l6d5Y28N8jyLfwsfJqK/DDbVEdJmI40+tyWKglwVE75jqTnrhNG2MhA49k2bgruF1 sA6LdhHWWTc19/mPtu06Fc3/1LSfz84dEdbOhHL+lM2oBsq+XTvgp7tsP+dZMclr3H1Z 3phw== X-Gm-Message-State: AOAM533fEMg96qPV1pOSrJvBqvlctwW1Uxjhl71teKF0+yq96CaFXfUc 30raG1w4nyVuIRWVxie9ct4= X-Received: by 2002:a63:3243:: with SMTP id y64mr2033130pgy.244.1626992229655; Thu, 22 Jul 2021 15:17:09 -0700 (PDT) Received: from garbanzo ([191.96.121.239]) by smtp.gmail.com with ESMTPSA id bv22sm23528815pjb.21.2021.07.22.15.17.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Jul 2021 15:17:08 -0700 (PDT) Date: Thu, 22 Jul 2021 15:17:05 -0700 From: Luis Chamberlain To: Greg KH Cc: akpm@linux-foundation.org, minchan@kernel.org, jeyu@kernel.org, ngupta@vflare.org, sergey.senozhatsky.work@gmail.com, rafael@kernel.org, axboe@kernel.dk, tj@kernel.org, mbenes@suse.com, jpoimboe@redhat.com, tglx@linutronix.de, keescook@chromium.org, jikos@kernel.org, rostedt@goodmis.org, peterz@infradead.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v6 2/3] zram: fix deadlock with sysfs attribute usage and module removal Message-ID: <20210722221705.kyrdkpt6fwf5k56o@garbanzo> References: <20210703001958.620899-1-mcgrof@kernel.org> <20210703001958.620899-3-mcgrof@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 21, 2021 at 01:29:29PM +0200, Greg KH wrote: > On Fri, Jul 02, 2021 at 05:19:57PM -0700, Luis Chamberlain wrote: > > +#define MODULE_DEVICE_ATTR_FUNC_STORE(_name) \ > > +static ssize_t module_ ## _name ## _store(struct device *dev, \ > > + struct device_attribute *attr, \ > > + const char *buf, size_t len) \ > > +{ \ > > + ssize_t __ret; \ > > + if (!try_module_get(THIS_MODULE)) \ > > + return -ENODEV; \ > > I feel like this needs to be written down somewhere as I see it come up > all the time. I'll go ahead and cook up a patch to do just this after I send this email out. > Again, this is racy and broken code. You can NEVER try to increment > your own module reference count unless it has already been incremented > by someone external first. In the zram driver's case the sysfs files are still pegged on, because as we noted before the kernfs active reference will ensure the store operation still exists. If the driver removes the operation prior to getting the active reference, the write will just fail. kernfs ensures once a file is opened the op is not removed until the operation completes. If a file is opened then, the module cannot possibly be removed. The piece of information we realy care about is the use of module_is_live() inside try_module_get() which does: static inline bool module_is_live(struct module *mod) { return mod->state != MODULE_STATE_GOING; } The try allows module removal to trump use of the sysfs file. If userspace wants the module removed, it gives up in favor for that operation. > As "proof", what happens if this module is unloaded right _before_ this > call happens? The module will be unloaded, memory zeroed out (or > overridden), and then the processor will resume here and try to call (or > return into) this code path. The use of try_module_get() is protected to be correct by the kernfs active reference, which in turn ensures the module is not gone. That is, when a sysfs file read / write op is issued, if the file was opened we *know* the module is not gone yet. It cannot possibly be removed. But once inside the operation, try_module_get() can check to see if userspace did want to remove the module, and if so it would immediately bail out and yield to that operation. Userspace cannot open a sysfs file with the module being gone. The kernfs active prevents that. > Boom. I think it would be good we add a self test for this particular case. I'll go ahead and extend my sysfs tests with one test for this case. I could do this by adding a new sysfs file to the test driver and where all it does is this try_module_get() thing. This can then be raced with module removals attempts. But it does not mean all you say is wrong. I think the value of what you are saying requires documenting as it was not clear to me either. I'll send a patch now. > Just say no to "try_module_get(THIS_MODULE)" as it is totally wrong. Context is required and documented. I'll end a patch. Luis