All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules
@ 2012-12-14 11:02 Konstantin Khlebnikov
  2012-12-14 11:02 ` [PATCH 02/12] driver core: add debug-objects debug for device-drivers Konstantin Khlebnikov
                   ` (10 more replies)
  0 siblings, 11 replies; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, linux-modules, Jon Masters

This test tries to expose bugs and races in modules' init/exit code blocks.

Loading and unloading random modules shouldn't lead to the kernel crash.
Kernel cannot load all modules at once due to limitations in per-cpu allocator.
By default this script runs 4 iterations of two-phased test: on first phase it
loads/unloads all modules one by one in random order. On the second phase it
loads modules until it got 10 fail in a row, after that it unloads all modules
and goes on. Script excludes from test all modules which are already loaded.

usage sample:

 make -C tools/testing/modules/ test_all test_normal test_staging

script modprobe-remove-test.sh takes configuration from the environment:

#  environment var      example         default
#
#  MODULES              "foo bar"       all, except loaded and excluded
#  INCLUDE_MODULES      "foo bar"       ""
#  EXCLUDE_MODULES      "foo bar"       ""
#  INCLUDE_DIRS         "net/ sound/"   ""
#  EXCLUDE_DIRS         "drivers/ foo/" ""
#  ITERATIONS           "0"             "4"
#  MAX_FAILS            "0"             "10"
#  MODULES_ROOT         "/foo"          ""
#  MODULES_DIR          "/foo/bar"      "$MODULES_ROOT/lib/modules/`uname -r`/kernel"
#  MODPROBE_ARGS        ""              "--verbose --ignore-remove --ignore-install"
#
#  overriding priority: MODULES > EXCLUDE_* = LOADED > INCLUDE_*

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: linux-modules@vger.kernel.org
---
 tools/testing/modules/Makefile                |    8 +
 tools/testing/modules/modprobe-remove-test.sh |  167 +++++++++++++++++++++++++
 2 files changed, 175 insertions(+)
 create mode 100644 tools/testing/modules/Makefile
 create mode 100755 tools/testing/modules/modprobe-remove-test.sh

diff --git a/tools/testing/modules/Makefile b/tools/testing/modules/Makefile
new file mode 100644
index 0000000..7adc4b5
--- /dev/null
+++ b/tools/testing/modules/Makefile
@@ -0,0 +1,8 @@
+test_all:
+	./modprobe-remove-test.sh
+
+test_normal:
+	EXCLUDE_DIRS="drivers/staging/" ./modprobe-remove-test.sh
+
+test_staging:
+	INCLUDE_DIRS="drivers/staging/" ./modprobe-remove-test.sh
diff --git a/tools/testing/modules/modprobe-remove-test.sh b/tools/testing/modules/modprobe-remove-test.sh
new file mode 100755
index 0000000..1d30f64
--- /dev/null
+++ b/tools/testing/modules/modprobe-remove-test.sh
@@ -0,0 +1,167 @@
+#!/bin/bash
+#
+#  modprobe-remove-test.sh - load/unload modules in random order
+#
+#   - first phase  : load/unload all possible modules one by one
+#   - second phase : load multiple modules, remove all after $MAX_FAILS in a row
+#
+#  environment var	example		default
+#
+#  MODULES		"foo bar"	all, except loaded and excluded
+#  INCLUDE_MODULES	"foo bar"	""
+#  EXCLUDE_MODULES	"foo bar"	""
+#  INCLUDE_DIRS		"net/ sound/"	""
+#  EXCLUDE_DIRS		"drivers/ foo/"	""
+#  ITERATIONS		"0"		"4"
+#  MAX_FAILS		"100"		"10"
+#  MODULES_ROOT		"/foo"		""
+#  MODULES_DIR		"/foo/bar"	"$MODULES_ROOT/lib/modules/`uname -r`/kernel"
+#  MODPROBE_ARGS	""		"--verbose --ignore-remove --ignore-install"
+#
+#  overriding priority: MODULES > EXCLUDE_* = LOADED > INCLUDE_*
+#
+
+: ${MAX_FAILS=10}
+: ${ITERATIONS=4}
+
+: ${MODULES_ROOT=}
+: ${MODULES_DIR=$MODULES_ROOT/lib/modules/`uname -r`/kernel}
+
+: ${MODPROBE_ARGS=--verbose --ignore-remove --ignore-install}
+[ -n "$MODULES_ROOT" ] && MODULES_ARGS="--dirname=$MODULES_ROOT $MODULES_ARGS"
+
+set -o pipefail
+
+line_modules() {
+	for M in $@ ; do echo $M ; done
+}
+
+subtract_modules() {
+	comm -2 -3 <(echo "$1" | sort -u) <(echo "$2" | sort -u)
+}
+
+loaded_modules() {
+	lsmod | awk 'FNR != 1 { print $1 }' | sort -u
+}
+
+list_modules() {
+	(
+		cd "$MODULES_DIR" &&
+		find $@ -type f -name '*.ko' -printf '%f\n' |
+		sed 's/.ko$//;s/-/_/g'
+	)
+}
+
+load_module() {
+	modprobe ${MODPROBE_ARGS} "$1"
+}
+
+unload_module() {
+	modprobe ${MODPROBE_ARGS} --remove "$1"
+}
+
+topological_sort() {
+	local M
+	for M in $@ ; do
+		echo `modprobe ${MODPROBE_ARGS} --show-depends $M | wc -l` $M
+	done | sort -n -r | cut -d ' ' -f 2
+}
+
+unload_all_modules() {
+	local M
+
+	# try to unload in random order
+	LOADED_MODULES=`loaded_modules`
+	UNLOAD_MODULES=`subtract_modules "$LOADED_MODULES" "$EXCLUDE_MODULES"`
+	UNLOAD_MODULES=`echo "$UNLOAD_MODULES" | sort -R`
+	for M in $UNLOAD_MODULES ; do
+		unload_module $M
+	done
+
+	# unload the rest in topological order
+	LOADED_MODULES=`loaded_modules`
+	UNLOAD_MODULES=`subtract_modules "$LOADED_MODULES" "$EXCLUDE_MODULES"`
+	UNLOAD_MODULES=`topological_sort $UNLOAD_MODULES`
+	for M in $UNLOAD_MODULES ; do
+		unload_module $M
+	done
+}
+
+do_exit() {
+	unload_all_modules
+	echo "--- interrupted "
+	exit 2
+}
+
+trap do_exit INT TERM
+
+INITIAL_MODULES=`loaded_modules` || exit
+
+if [ -n "$EXCLUDE_DIRS" ] ; then
+	EXCLUDE_MODULES="$EXCLUDE_MODULES `list_modules $EXCLUDE_DIRS`" || exit
+fi
+
+EXCLUDE_MODULES=`line_modules $EXCLUDE_MODULES $INITIAL_MODULES`
+
+MODULES=`line_modules $MODULES`
+EXCLUDE_MODULES=`subtract_modules "$EXCLUDE_MODULES" "$MODULES"`
+
+if [ -n "$INCLUDE_DIRS" ] ; then
+	MODULES="$MODULES `list_modules $INCLUDE_DIRS`" || exit
+fi
+
+MODULES=`line_modules $MODULES $INCLUDE_MODULES`
+
+if [ -z "$MODULES" ] ; then
+	MODULES=`list_modules "."` || exit
+fi
+
+POSSIBLE_MODULES="$MODULES"
+
+MODULES=`subtract_modules "$MODULES" "$EXCLUDE_MODULES"`
+
+EXCLUDED_MODULES=`subtract_modules "$POSSIBLE_MODULES" "$MODULES"`
+
+echo "--- loaded modules:" $INITIAL_MODULES
+
+echo "--- modules under test:" $MODULES
+
+echo "--- excluded modules:" $EXCLUDED_MODULES
+
+for (( I=1 ; I <= $ITERATIONS ; I++ )) ; do
+	echo "--- iteration $I in $ITERATIONS"
+
+	echo "--- load/unload modules one by one"
+	for M in `echo "$MODULES" | sort -R` ; do
+		load_module "$M"
+		unload_module "$M"
+		unload_all_modules
+	done
+
+	echo "--- load multiple modules at once"
+	FAILS=0
+	for M in `echo "$MODULES" | sort -R` ; do
+		if load_module "$M" ; then
+			FAILS=0
+			continue
+		fi
+		if ((++FAILS >= MAX_FAILS)) ; then
+			echo "--- $FAILS fails in a row: unload all modules"
+			unload_all_modules
+			FAILS=0
+		fi
+	done
+	unload_all_modules
+	unload_all_modules
+done
+
+LOADED_MODULES=`loaded_modules`
+STUCK_MODULES=`subtract_modules "$LOADED_MODULES" "$INITIAL_MODULES"`
+MISSING_MODULES=`subtract_modules "$INITIAL_MODULES" "$LOADED_MODULES"`
+
+echo "--- stuck modules:" $STUCK_MODULES
+
+echo "--- missing modules:" $MISSING_MODULES
+
+echo "--- done"
+exit 0


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 02/12] driver core: add debug-objects debug for device-drivers
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
@ 2012-12-14 11:02 ` Konstantin Khlebnikov
  2012-12-14 11:02 ` [PATCH 03/12] mISDN: fix race in timer canceling on module unloading Konstantin Khlebnikov
                   ` (9 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, Thomas Gleixner

CONFIG_DEBUG_OBJECTS_DRIVERS together with CONFIG_DEBUG_OBJECTS_FREE can catch
unloading device driver modules without proper unregistering.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
---
 drivers/base/driver.c |   34 ++++++++++++++++++++++++++++++++++
 lib/Kconfig.debug     |    7 +++++++
 2 files changed, 41 insertions(+)

diff --git a/drivers/base/driver.c b/drivers/base/driver.c
index 974e301..7eec027 100644
--- a/drivers/base/driver.c
+++ b/drivers/base/driver.c
@@ -15,8 +15,40 @@
 #include <linux/errno.h>
 #include <linux/slab.h>
 #include <linux/string.h>
+#include <linux/debugobjects.h>
 #include "base.h"
 
+#ifdef CONFIG_DEBUG_OBJECTS_DRIVERS
+
+static void * debug_driver_hint(void *addr)
+{
+	struct device_driver *drv = addr;
+
+	return drv->probe;
+}
+
+struct debug_obj_descr driver_debug_descr = {
+	.name = "device_driver",
+	.debug_hint = debug_driver_hint,
+};
+
+static inline void debug_driver_register(struct device_driver *drv)
+{
+	debug_object_init(drv, &driver_debug_descr);
+	debug_object_activate(drv, &driver_debug_descr);
+}
+
+static inline void debug_driver_unregister(struct device_driver *drv)
+{
+	debug_object_deactivate(drv, &driver_debug_descr);
+	debug_object_free(drv, &driver_debug_descr);
+}
+
+#else /* CONFIG_DEBUG_OBJECTS_DRIVERS */
+static inline void debug_driver_register(struct device_driver *drv) { }
+static inline void debug_driver_unregister(struct device_driver *drv) { }
+#endif /* CONFIG_DEBUG_OBJECTS_DRIVERS */
+
 static struct device *next_device(struct klist_iter *i)
 {
 	struct klist_node *n = klist_next(i);
@@ -190,6 +222,7 @@ int driver_register(struct device_driver *drv)
 		return ret;
 	}
 	kobject_uevent(&drv->p->kobj, KOBJ_ADD);
+	debug_driver_register(drv);
 
 	return ret;
 }
@@ -209,6 +242,7 @@ void driver_unregister(struct device_driver *drv)
 	}
 	driver_remove_groups(drv, drv->groups);
 	bus_remove_driver(drv);
+	debug_driver_unregister(drv);
 }
 EXPORT_SYMBOL_GPL(driver_unregister);
 
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 3a35309..f5aee2d 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -404,6 +404,13 @@ config DEBUG_OBJECTS_PERCPU_COUNTER
 	  percpu counter routines to track the life time of percpu counter
 	  objects and validate the percpu counter operations.
 
+config DEBUG_OBJECTS_DRIVERS
+	bool "Debug device driver objects"
+	depends on DEBUG_OBJECTS
+	help
+	  Enable this to turn on debugging device drivers structures. Together
+	  with DEBUG_OBJECTS_FREE this can catch freeing registered drivers.
+
 config DEBUG_OBJECTS_ENABLE_DEFAULT
 	int "debug_objects bootup default value (0-1)"
         range 0 1


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 03/12] mISDN: fix race in timer canceling on module unloading
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
  2012-12-14 11:02 ` [PATCH 02/12] driver core: add debug-objects debug for device-drivers Konstantin Khlebnikov
@ 2012-12-14 11:02 ` Konstantin Khlebnikov
  2012-12-14 18:16   ` David Miller
  2012-12-14 11:02 ` [PATCH 04/12] pps: pps_parport: fix oops " Konstantin Khlebnikov
                   ` (8 subsequent siblings)
  10 siblings, 1 reply; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: netdev, Karsten Keil, David S. Miller

Using timer_pending() without additional syncronization is racy,
del_timer_sync() must be used here for waiting in-flight handler.
Bug caught with help from "debug-objects" during random insmod/rmmod.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: David S. Miller <davem@davemloft.net>
Cc: netdev <netdev@vger.kernel.org>

---

<4>[  459.470685] ------------[ cut here ]------------
<4>[  459.471144] WARNING: at lib/debugobjects.c:255 debug_print_object+0x50/0x60() (Tainted: P        WC ---------------  T)
<4>[  459.471144] Hardware name: System Product Name
<3>[  459.471144] ODEBUG: free active object type: timer_list
<4>[  459.471144] Modules linked in: [a lot] [last unloaded: mISDN_dsp]
<4>[  459.471144] Pid: 86812, comm: rmmod veid: 0 Tainted: P        WC ---------------  T 2.6.32-279.5.1.el6-042stab061.7-vz #112
<4>[  459.471144] Call Trace:
<4>[  459.471144]  [<ffffffff81073407>] ? warn_slowpath_common+0x87/0xc0
<4>[  459.471144]  [<ffffffff810734f6>] ? warn_slowpath_fmt+0x46/0x50
<4>[  459.471144]  [<ffffffff81541b71>] ? _spin_lock_irqsave+0x91/0xb0
<4>[  459.471144]  [<ffffffff812b59b8>] ? debug_check_no_obj_freed+0x88/0x210
<4>[  459.471144]  [<ffffffff812b54d0>] ? debug_print_object+0x50/0x60
<4>[  459.471144]  [<ffffffff812b5a55>] ? debug_check_no_obj_freed+0x125/0x210
<4>[  459.471144]  [<ffffffff81188d66>] ? __vunmap+0x56/0x130
<4>[  459.471144]  [<ffffffff81188edf>] ? vfree+0x3f/0x50
<4>[  459.471144]  [<ffffffff81035a71>] ? module_free+0x11/0x20
<4>[  459.471144]  [<ffffffff810d1eea>] ? free_module+0x12a/0x180
<4>[  459.471144]  [<ffffffff810d216b>] ? sys_delete_module+0x1db/0x260
<4>[  459.471144]  [<ffffffff81541102>] ? trace_hardirqs_on_thunk+0x3a/0x3f
<4>[  459.471144]  [<ffffffff8100b1c2>] ? system_call_fastpath+0x16/0x1b
<4>[  459.471144] ---[ end trace e17743cc12462133 ]---
---
 drivers/isdn/mISDN/dsp_core.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/isdn/mISDN/dsp_core.c b/drivers/isdn/mISDN/dsp_core.c
index 28c99c6..22b720e 100644
--- a/drivers/isdn/mISDN/dsp_core.c
+++ b/drivers/isdn/mISDN/dsp_core.c
@@ -1217,8 +1217,7 @@ static void __exit dsp_cleanup(void)
 {
 	mISDN_unregister_Bprotocol(&DSP);
 
-	if (timer_pending(&dsp_spl_tl))
-		del_timer(&dsp_spl_tl);
+	del_timer_sync(&dsp_spl_tl);
 
 	if (!list_empty(&dsp_ilist)) {
 		printk(KERN_ERR "mISDN_dsp: Audio DSP object inst list not "


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 04/12] pps: pps_parport: fix oops on module unloading
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
  2012-12-14 11:02 ` [PATCH 02/12] driver core: add debug-objects debug for device-drivers Konstantin Khlebnikov
  2012-12-14 11:02 ` [PATCH 03/12] mISDN: fix race in timer canceling on module unloading Konstantin Khlebnikov
@ 2012-12-14 11:02 ` Konstantin Khlebnikov
  2012-12-14 11:02 ` [PATCH 05/12] staging: vme_pio2: " Konstantin Khlebnikov
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Rodolfo Giometti

Seems like port->cad is NULL for unused ports

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Rodolfo Giometti <giometti@enneenne.com>

---

[    0.151192] BUG: unable to handle kernel NULL pointer dereference at           (null)
[    0.151759] IP: [<ffffffffa2de3048>] parport_detach+0x24/0x95 [pps_parport]
[    0.153875] Process rmmod (pid: 22117, threadinfo ffff880061174000, task ffff8800613db000)
[    0.153875] Call Trace:
[    0.153875]  [<ffffffffa064c49c>] parport_unregister_driver+0x51/0x8b [parport]
[    0.153875]  [<ffffffffa2de364f>] pps_parport_exit+0x17/0x20 [pps_parport]
[    0.153875]  [<ffffffff8110e976>] sys_delete_module+0x328/0x3d2
[    0.153875]  [<ffffffff8168e7e8>] tracesys+0xe1/0xe6
---
 drivers/pps/clients/pps_parport.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pps/clients/pps_parport.c b/drivers/pps/clients/pps_parport.c
index e1b4705..7e9bcd4 100644
--- a/drivers/pps/clients/pps_parport.c
+++ b/drivers/pps/clients/pps_parport.c
@@ -194,7 +194,7 @@ static void parport_detach(struct parport *port)
 	struct pps_client_pp *device;
 
 	/* FIXME: oooh, this is ugly! */
-	if (strcmp(pardev->name, KBUILD_MODNAME))
+	if (!pardev || strcmp(pardev->name, KBUILD_MODNAME))
 		/* not our port */
 		return;
 


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 05/12] staging: vme_pio2: fix oops on module unloading
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
                   ` (2 preceding siblings ...)
  2012-12-14 11:02 ` [PATCH 04/12] pps: pps_parport: fix oops " Konstantin Khlebnikov
@ 2012-12-14 11:02 ` Konstantin Khlebnikov
  2012-12-17 12:01   ` Martyn Welch
  2012-12-14 11:02 ` [PATCH 06/12] media/rc: fix oops on unloading module rc-core Konstantin Khlebnikov
                   ` (6 subsequent siblings)
  10 siblings, 1 reply; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Martyn Welch, Greg Kroah-Hartman, devel, Manohar Vanga

This patch forbids loading vme_pio2 module without specifing "num_bus" parameter.
Otherwise on module unloading pio2_exit() calls vme_unregister_driver() for not
registered pio2_driver.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Martyn Welch <martyn.welch@ge.com>
Cc: Manohar Vanga <manohar.vanga@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: devel@driverdev.osuosl.org
---
 drivers/staging/vme/devices/vme_pio2_core.c |   14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/drivers/staging/vme/devices/vme_pio2_core.c b/drivers/staging/vme/devices/vme_pio2_core.c
index 0331178..bf73ba2 100644
--- a/drivers/staging/vme/devices/vme_pio2_core.c
+++ b/drivers/staging/vme/devices/vme_pio2_core.c
@@ -162,11 +162,9 @@ static struct vme_driver pio2_driver = {
 
 static int __init pio2_init(void)
 {
-	int retval = 0;
-
 	if (bus_num == 0) {
 		pr_err("No cards, skipping registration\n");
-		goto err_nocard;
+		return -ENODEV;
 	}
 
 	if (bus_num > PIO2_CARDS_MAX) {
@@ -176,15 +174,7 @@ static int __init pio2_init(void)
 	}
 
 	/* Register the PIO2 driver */
-	retval = vme_register_driver(&pio2_driver, bus_num);
-	if (retval != 0)
-		goto err_reg;
-
-	return retval;
-
-err_reg:
-err_nocard:
-	return retval;
+	return  vme_register_driver(&pio2_driver, bus_num);
 }
 
 static int pio2_match(struct vme_dev *vdev)


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 06/12] media/rc: fix oops on unloading module rc-core
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
                   ` (3 preceding siblings ...)
  2012-12-14 11:02 ` [PATCH 05/12] staging: vme_pio2: " Konstantin Khlebnikov
@ 2012-12-14 11:02 ` Konstantin Khlebnikov
  2012-12-14 11:02 ` [PATCH 07/12] stmmac: fix platform driver unregistering Konstantin Khlebnikov
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Mauro Carvalho Chehab, linux-media

During modiles initialization rc-core schedules work which calls
request_module() several times to load ir-*-decoder modules, but
it does not wait or cancel this work on module unloading.

rc-core should use request_module_nowait() instead, because it
anyway cannot load modules synchronously or cancel/wait pending
work on unloading, because this leads to deadlock on modules_mutex
between several "modprobe" processes.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
Cc: linux-media@vger.kernel.org
---
 drivers/media/rc/ir-raw.c       |   17 +----------------
 drivers/media/rc/rc-core-priv.h |   16 ++++++++--------
 2 files changed, 9 insertions(+), 24 deletions(-)

diff --git a/drivers/media/rc/ir-raw.c b/drivers/media/rc/ir-raw.c
index 97dc8d1..17c94be 100644
--- a/drivers/media/rc/ir-raw.c
+++ b/drivers/media/rc/ir-raw.c
@@ -31,11 +31,6 @@ static DEFINE_MUTEX(ir_raw_handler_lock);
 static LIST_HEAD(ir_raw_handler_list);
 static u64 available_protocols;
 
-#ifdef MODULE
-/* Used to load the decoders */
-static struct work_struct wq_load;
-#endif
-
 static int ir_raw_event_thread(void *data)
 {
 	struct ir_raw_event ev;
@@ -347,8 +342,7 @@ void ir_raw_handler_unregister(struct ir_raw_handler *ir_raw_handler)
 }
 EXPORT_SYMBOL(ir_raw_handler_unregister);
 
-#ifdef MODULE
-static void init_decoders(struct work_struct *work)
+void ir_raw_init(void)
 {
 	/* Load the decoder modules */
 
@@ -365,12 +359,3 @@ static void init_decoders(struct work_struct *work)
 	   it is needed to change the CONFIG_MODULE test at rc-core.h
 	 */
 }
-#endif
-
-void ir_raw_init(void)
-{
-#ifdef MODULE
-	INIT_WORK(&wq_load, init_decoders);
-	schedule_work(&wq_load);
-#endif
-}
diff --git a/drivers/media/rc/rc-core-priv.h b/drivers/media/rc/rc-core-priv.h
index 96f0a8b..5d87287 100644
--- a/drivers/media/rc/rc-core-priv.h
+++ b/drivers/media/rc/rc-core-priv.h
@@ -165,56 +165,56 @@ void ir_raw_init(void);
 
 /* from ir-nec-decoder.c */
 #ifdef CONFIG_IR_NEC_DECODER_MODULE
-#define load_nec_decode()	request_module("ir-nec-decoder")
+#define load_nec_decode()	request_module_nowait("ir-nec-decoder")
 #else
 static inline void load_nec_decode(void) { }
 #endif
 
 /* from ir-rc5-decoder.c */
 #ifdef CONFIG_IR_RC5_DECODER_MODULE
-#define load_rc5_decode()	request_module("ir-rc5-decoder")
+#define load_rc5_decode()	request_module_nowait("ir-rc5-decoder")
 #else
 static inline void load_rc5_decode(void) { }
 #endif
 
 /* from ir-rc6-decoder.c */
 #ifdef CONFIG_IR_RC6_DECODER_MODULE
-#define load_rc6_decode()	request_module("ir-rc6-decoder")
+#define load_rc6_decode()	request_module_nowait("ir-rc6-decoder")
 #else
 static inline void load_rc6_decode(void) { }
 #endif
 
 /* from ir-jvc-decoder.c */
 #ifdef CONFIG_IR_JVC_DECODER_MODULE
-#define load_jvc_decode()	request_module("ir-jvc-decoder")
+#define load_jvc_decode()	request_module_nowait("ir-jvc-decoder")
 #else
 static inline void load_jvc_decode(void) { }
 #endif
 
 /* from ir-sony-decoder.c */
 #ifdef CONFIG_IR_SONY_DECODER_MODULE
-#define load_sony_decode()	request_module("ir-sony-decoder")
+#define load_sony_decode()	request_module_nowait("ir-sony-decoder")
 #else
 static inline void load_sony_decode(void) { }
 #endif
 
 /* from ir-sanyo-decoder.c */
 #ifdef CONFIG_IR_SANYO_DECODER_MODULE
-#define load_sanyo_decode()	request_module("ir-sanyo-decoder")
+#define load_sanyo_decode()	request_module_nowait("ir-sanyo-decoder")
 #else
 static inline void load_sanyo_decode(void) { }
 #endif
 
 /* from ir-mce_kbd-decoder.c */
 #ifdef CONFIG_IR_MCE_KBD_DECODER_MODULE
-#define load_mce_kbd_decode()	request_module("ir-mce_kbd-decoder")
+#define load_mce_kbd_decode()	request_module_nowait("ir-mce_kbd-decoder")
 #else
 static inline void load_mce_kbd_decode(void) { }
 #endif
 
 /* from ir-lirc-codec.c */
 #ifdef CONFIG_IR_LIRC_CODEC_MODULE
-#define load_lirc_codec()	request_module("ir-lirc-codec")
+#define load_lirc_codec()	request_module_nowait("ir-lirc-codec")
 #else
 static inline void load_lirc_codec(void) { }
 #endif


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 07/12] stmmac: fix platform driver unregistering
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
                   ` (4 preceding siblings ...)
  2012-12-14 11:02 ` [PATCH 06/12] media/rc: fix oops on unloading module rc-core Konstantin Khlebnikov
@ 2012-12-14 11:02 ` Konstantin Khlebnikov
  2012-12-14 18:16   ` David Miller
  2012-12-14 11:02 ` [PATCH 08/12] bonding: do not cancel works in bond_uninit() Konstantin Khlebnikov
                   ` (4 subsequent siblings)
  10 siblings, 1 reply; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Giuseppe Cavallaro, netdev

This patch fixes platform device drivers unregistering and adds proper error
handing on module loading.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Cc: netdev@vger.kernel.org
---
 drivers/net/ethernet/stmicro/stmmac/stmmac.h      |    6 +++---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |   22 +++++++++++----------
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
index 023a4fb..b05df89 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
@@ -127,14 +127,14 @@ static inline int stmmac_register_platform(void)
 }
 static inline void stmmac_unregister_platform(void)
 {
-	platform_driver_register(&stmmac_pltfr_driver);
+	platform_driver_unregister(&stmmac_pltfr_driver);
 }
 #else
 static inline int stmmac_register_platform(void)
 {
 	pr_debug("stmmac: do not register the platf driver\n");
 
-	return -EINVAL;
+	return 0;
 }
 static inline void stmmac_unregister_platform(void)
 {
@@ -162,7 +162,7 @@ static inline int stmmac_register_pci(void)
 {
 	pr_debug("stmmac: do not register the PCI driver\n");
 
-	return -EINVAL;
+	return 0;
 }
 static inline void stmmac_unregister_pci(void)
 {
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 542edbc..f07c061 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2194,18 +2194,20 @@ int stmmac_restore(struct net_device *ndev)
  */
 static int __init stmmac_init(void)
 {
-	int err_plt = 0;
-	int err_pci = 0;
-
-	err_plt = stmmac_register_platform();
-	err_pci = stmmac_register_pci();
-
-	if ((err_pci) && (err_plt)) {
-		pr_err("stmmac: driver registration failed\n");
-		return -EINVAL;
-	}
+	int ret;
 
+	ret = stmmac_register_platform();
+	if (ret)
+		goto err;
+	ret = stmmac_register_pci();
+	if (ret)
+		goto err_pci;
 	return 0;
+err_pci:
+	stmmac_unregister_platform();
+err:
+	pr_err("stmmac: driver registration failed\n");
+	return ret;
 }
 
 static void __exit stmmac_exit(void)


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 08/12] bonding: do not cancel works in bond_uninit()
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
                   ` (5 preceding siblings ...)
  2012-12-14 11:02 ` [PATCH 07/12] stmmac: fix platform driver unregistering Konstantin Khlebnikov
@ 2012-12-14 11:02 ` Konstantin Khlebnikov
  2012-12-14 18:16   ` David Miller
  2012-12-14 11:02 ` [PATCH 09/12] pps: fix device destruction ordering Konstantin Khlebnikov
                   ` (3 subsequent siblings)
  10 siblings, 1 reply; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Nikolay Aleksandrov, netdev, Jay Vosburgh, Andy Gospodarek

Bonding initializes these works in bond_open() and cancels in bond_close(),
thus in bond_uninit() they are already canceled but may be unitialized yet.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Nikolay Aleksandrov <nikolay@redhat.com>
Cc: Jay Vosburgh <fubar@us.ibm.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Cc: netdev@vger.kernel.org
---
 drivers/net/bonding/bond_main.c |    2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index ef2cb24..b7d45f3 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -4431,8 +4431,6 @@ static void bond_uninit(struct net_device *bond_dev)
 
 	list_del(&bond->bond_list);
 
-	bond_work_cancel_all(bond);
-
 	bond_debug_unregister(bond);
 
 	__hw_addr_flush(&bond->mc_list);


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 09/12] pps: fix device destruction ordering
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
                   ` (6 preceding siblings ...)
  2012-12-14 11:02 ` [PATCH 08/12] bonding: do not cancel works in bond_uninit() Konstantin Khlebnikov
@ 2012-12-14 11:02 ` Konstantin Khlebnikov
  2012-12-14 11:03 ` [PATCH 10/12] mac802154: fix destructon ordering for ieee802154 devices Konstantin Khlebnikov
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Rodolfo Giometti

device_destroy() calls final kfree(), thus cdev_del() must be called before it.
Catched as overwritten poison in kmalloc-512.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Rodolfo Giometti <giometti@enneenne.com>
---
 drivers/pps/pps.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c
index 2420d5a..769bb84 100644
--- a/drivers/pps/pps.c
+++ b/drivers/pps/pps.c
@@ -352,8 +352,8 @@ free_idr:
 
 void pps_unregister_cdev(struct pps_device *pps)
 {
-	device_destroy(pps_class, pps->dev->devt);
 	cdev_del(&pps->cdev);
+	device_destroy(pps_class, pps->dev->devt);
 }
 
 /*


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 10/12] mac802154: fix destructon ordering for ieee802154 devices
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
                   ` (7 preceding siblings ...)
  2012-12-14 11:02 ` [PATCH 09/12] pps: fix device destruction ordering Konstantin Khlebnikov
@ 2012-12-14 11:03 ` Konstantin Khlebnikov
  2012-12-14 18:16     ` David Miller
  2012-12-14 11:03 ` [PATCH 11/12] firmware/dmi-sysfs: fix sysfs warning on module unload Konstantin Khlebnikov
  2012-12-14 11:03 ` [PATCH 12/12] edac: fix kernel panic on module unloading Konstantin Khlebnikov
  10 siblings, 1 reply; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Dmitry Eremin-Solenikov, netdev, Alexander Smirnov,
	David S. Miller, linux-zigbee-devel

mutex_destroy() must be called before wpan_phy_free(), because it puts the last
reference and frees memory. Catched as overwritten poison in kmalloc-2048.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Alexander Smirnov <alex.bluesman.smirnov@gmail.com>
Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: linux-zigbee-devel@lists.sourceforge.net
Cc: netdev@vger.kernel.org
---
 net/mac802154/ieee802154_dev.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/mac802154/ieee802154_dev.c b/net/mac802154/ieee802154_dev.c
index e748aed..b7c7f81 100644
--- a/net/mac802154/ieee802154_dev.c
+++ b/net/mac802154/ieee802154_dev.c
@@ -224,9 +224,9 @@ void ieee802154_free_device(struct ieee802154_dev *hw)
 
 	BUG_ON(!list_empty(&priv->slaves));
 
-	wpan_phy_free(priv->phy);
-
 	mutex_destroy(&priv->slaves_mtx);
+
+	wpan_phy_free(priv->phy);
 }
 EXPORT_SYMBOL(ieee802154_free_device);
 


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 11/12] firmware/dmi-sysfs: fix sysfs warning on module unload
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
                   ` (8 preceding siblings ...)
  2012-12-14 11:03 ` [PATCH 10/12] mac802154: fix destructon ordering for ieee802154 devices Konstantin Khlebnikov
@ 2012-12-14 11:03 ` Konstantin Khlebnikov
  2012-12-14 11:03 ` [PATCH 12/12] edac: fix kernel panic on module unloading Konstantin Khlebnikov
  10 siblings, 0 replies; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, Mike Waychison

This removes redundant sysfs_remove_bin_file(), kobject_cleanup() already did this.

[ 1189.278210] ------------[ cut here ]------------
[ 1189.278293] WARNING: at fs/sysfs/inode.c:324 sysfs_hash_and_remove+0xa9/0xb0()
[ 1189.278414] Hardware name: M52S-S3P
[ 1189.278489] sysfs: can not remove 'raw', no directory
[ 1189.278566] Modules linked in: dmi_sysfs(-) mce_inject ar7part mtd decnet cs5535_mfgpt cs5520 eni suni atm cmd640 ide_generic dccp_ipv6 dccp_ipv4 dccp sctp bnep rfcomm bluetooth fuse nfsd exportfs powernow_k8 kvm_amd kvm k8temp parport_pc parport edac_core i2c_nforce2 evbug pcspkr btrfs zlib_deflate libcrc32c ide_core ata_generic pata_acpi sata_nv [last unloaded: dmi_sysfs]
[ 1189.280071] Pid: 5773, comm: rmmod Tainted: P        W    3.7.0-rc8-next-20121207+ #594
[ 1189.280200] Call Trace:
[ 1189.280276]  [<ffffffff8103bc2a>] warn_slowpath_common+0x7a/0xb0
[ 1189.280355]  [<ffffffff8103bd01>] warn_slowpath_fmt+0x41/0x50
[ 1189.280434]  [<ffffffff811b9a49>] sysfs_hash_and_remove+0xa9/0xb0
[ 1189.280513]  [<ffffffff817f8a16>] ? _raw_spin_unlock+0x26/0x40
[ 1189.280592]  [<ffffffff811bd222>] sysfs_remove_bin_file+0x12/0x20
[ 1189.280671]  [<ffffffffa0d40a83>] dmi_sysfs_entry_release+0x23/0x58 [dmi_sysfs]
[ 1189.280794]  [<ffffffff812d2f13>] kobject_cleanup+0x43/0x80
[ 1189.280872]  [<ffffffff812d2f8b>] kobject_put+0x2b/0x60
[ 1189.280951]  [<ffffffffa0d40ae8>] cleanup_entry_list+0x30/0x4a [dmi_sysfs]
[ 1189.281043]  [<ffffffffa0d40b0b>] dmi_sysfs_exit+0x9/0x23 [dmi_sysfs]
[ 1189.281130]  [<ffffffff810a0f43>] sys_delete_module+0x163/0x280
[ 1189.281211]  [<ffffffff812ddd84>] ? lockdep_sys_exit_thunk+0x35/0x67
[ 1189.281296]  [<ffffffff812ddd0e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 1189.281375]  [<ffffffff818009d2>] system_call_fastpath+0x16/0x1b
[ 1189.281453] ---[ end trace e9fbdfe9449ac55f ]---

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Mike Waychison <mikew@google.com>
---
 drivers/firmware/dmi-sysfs.c |    1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/firmware/dmi-sysfs.c b/drivers/firmware/dmi-sysfs.c
index eb26d62..4185f09 100644
--- a/drivers/firmware/dmi-sysfs.c
+++ b/drivers/firmware/dmi-sysfs.c
@@ -553,7 +553,6 @@ static const struct bin_attribute dmi_entry_raw_attr = {
 static void dmi_sysfs_entry_release(struct kobject *kobj)
 {
 	struct dmi_sysfs_entry *entry = to_entry(kobj);
-	sysfs_remove_bin_file(&entry->kobj, &dmi_entry_raw_attr);
 	spin_lock(&entry_list_lock);
 	list_del(&entry->list);
 	spin_unlock(&entry_list_lock);


^ permalink raw reply	[flat|nested] 23+ messages in thread

* [PATCH 12/12] edac: fix kernel panic on module unloading
  2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
                   ` (9 preceding siblings ...)
  2012-12-14 11:03 ` [PATCH 11/12] firmware/dmi-sysfs: fix sysfs warning on module unload Konstantin Khlebnikov
@ 2012-12-14 11:03 ` Konstantin Khlebnikov
  2012-12-14 11:26   ` Alan Cox
  2012-12-15 17:53   ` Borislav Petkov
  10 siblings, 2 replies; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Denis Kirjanov, Borislav Petkov

This patch fixes use-after-free and double-free bugs in edac_mc_sysfs_exit().
mci_pdev has single reference and put_device() calls mc_attr_release() which
calls kfree(), thus following device_del() works with already released memory.
An another kfree() in edac_mc_sysfs_exit() releses the same memory again. Great.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Denis Kirjanov <kirjanov@gmail.com>
Cc: Borislav Petkov <bp@alien8.de>

---

[    2.707667] general protection fault: 0000 [#1] SMP
[    2.707809] Modules linked in: sctp rfcomm bnep bluetooth fuse nfsd exportfs parport_pc parport powernow_k8 i2c_nforce2 pcspkr k8temp evbug edac_cor
e(-) kvm_amd kvm btrfs zlib_deflate libcrc32c ide_pci_generic ide_core ata_generic pata_acpi sata_nv [last unloaded: leds_pca9532]
[    2.708369] CPU 0
[    2.708369] Pid: 15179, comm: rmmod Tainted: P             3.7.0-rc8-next-20121211+ #595 Gigabyte Technology Co., Ltd. M52S-S3P/M52S-S3P
[    2.708369] RIP: 0010:[<ffffffff812e58e6>]  [<ffffffff812e58e6>] __list_add+0x26/0xd0
[    2.708369] RSP: 0018:ffff88007a609da8  EFLAGS: 00010046
[    2.708369] RAX: ffff880079883570 RBX: ffff88007a609df8 RCX: 0000000000000000
[    2.708369] RDX: ffff880079883570 RSI: 6b6b6b6b6b6b6b6b RDI: ffff88007a609df8
[    2.708369] RBP: ffff88007a609dc8 R08: 6b6b6b6b6b6b6b6b R09: 0000000000000000
[    2.708369] R10: ffff8800798934b0 R11: 0000000000000000 R12: ffff880079883570
[    2.708369] R13: 6b6b6b6b6b6b6b6b R14: 00007fc92d0d1090 R15: ffff880079883530
[    2.708369] FS:  00007fc92b533700(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
[    2.708369] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[    2.708369] CR2: 00007f1da5d61000 CR3: 000000007b28e000 CR4: 00000000000007f0
[    2.708369] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    2.708369] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[    2.708369] Process rmmod (pid: 15179, threadinfo ffff88007a608000, task ffff8800798934b0)
[    2.710227] Stack:
[    2.710227]  0000000000000000 ffff880079883538 0000000000000246 ffff8800798934b0
[    2.710227]  ffff88007a609e48 ffffffff817f711b ffffffff8141fde1 ffffffff8141e180
[    2.710227]  ffff880079883570 ffffffff812d2e3b ffff88007a609df8 ffff88007a609df8
[    2.710227] Call Trace:
[    2.710227]  [<ffffffff817f711b>] mutex_lock_nested+0xfb/0x320
[    2.710227]  [<ffffffff8141fde1>] ? device_release_driver+0x21/0x40
[    2.710227]  [<ffffffff8141e180>] ? bus_get_device_klist+0x10/0x10
[    2.710227]  [<ffffffff812d2e3b>] ? kobject_put+0x2b/0x60
[    2.710227]  [<ffffffff8141fde1>] device_release_driver+0x21/0x40
[    2.710227]  [<ffffffff8141f621>] bus_remove_device+0xf1/0x140
[    2.710227]  [<ffffffff8141cdd7>] device_del+0x127/0x1b0
[    2.710227]  [<ffffffffa0276794>] edac_mc_sysfs_exit+0x1c/0x2f [edac_core]
[    2.710227]  [<ffffffffa02767d8>] edac_exit+0x31/0x33 [edac_core]
[    2.710227]  [<ffffffff810a0ce3>] sys_delete_module+0x163/0x280
[    2.710227]  [<ffffffff812ddc34>] ? lockdep_sys_exit_thunk+0x35/0x67
[    2.710227]  [<ffffffff812ddbbe>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[    2.710227]  [<ffffffff81801a12>] system_call_fastpath+0x16/0x1b
[    2.710227] Code: 00 00 00 00 00 55 48 89 e5 48 83 ec 20 48 89 5d e8 4c 89 65 f0 48 89 fb 4c 89 6d f8 4c 8b 42 08 49 89 f5 49 89 d4 49 39 f0 75 31 <4d> 8b 45 00 4d 39 c4 75 6f 4c 39 e3 74 45 4c 39 eb 74 40 49 89
[    2.710227] RIP  [<ffffffff812e58e6>] __list_add+0x26/0xd0
[    2.710227]  RSP <ffff88007a609da8>
---
 drivers/edac/edac_mc_sysfs.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
index de2df92..a3b0119 100644
--- a/drivers/edac/edac_mc_sysfs.c
+++ b/drivers/edac/edac_mc_sysfs.c
@@ -1159,8 +1159,7 @@ int __init edac_mc_sysfs_init(void)
 
 void __exit edac_mc_sysfs_exit(void)
 {
-	put_device(mci_pdev);
 	device_del(mci_pdev);
+	put_device(mci_pdev);
 	edac_put_sysfs_subsys();
-	kfree(mci_pdev);
 }


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 12/12] edac: fix kernel panic on module unloading
  2012-12-14 11:03 ` [PATCH 12/12] edac: fix kernel panic on module unloading Konstantin Khlebnikov
@ 2012-12-14 11:26   ` Alan Cox
  2012-12-14 11:50     ` Borislav Petkov
  2012-12-14 11:55     ` Konstantin Khlebnikov
  2012-12-15 17:53   ` Borislav Petkov
  1 sibling, 2 replies; 23+ messages in thread
From: Alan Cox @ 2012-12-14 11:26 UTC (permalink / raw)
  To: Konstantin Khlebnikov; +Cc: linux-kernel, Denis Kirjanov, Borislav Petkov

On Fri, 14 Dec 2012 15:03:10 +0400
Konstantin Khlebnikov <khlebnikov@openvz.org> wrote:

> This patch fixes use-after-free and double-free bugs in edac_mc_sysfs_exit().
> mci_pdev has single reference and put_device() calls mc_attr_release() which
> calls kfree(), thus following device_del() works with already released memory.
> An another kfree() in edac_mc_sysfs_exit() releses the same memory again. Great.

Patches for this were posted a while ago by Jean Delvare. See bugzilla
50491 as well for this.



^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 12/12] edac: fix kernel panic on module unloading
  2012-12-14 11:26   ` Alan Cox
@ 2012-12-14 11:50     ` Borislav Petkov
  2012-12-14 11:55     ` Konstantin Khlebnikov
  1 sibling, 0 replies; 23+ messages in thread
From: Borislav Petkov @ 2012-12-14 11:50 UTC (permalink / raw)
  To: Alan Cox; +Cc: Konstantin Khlebnikov, linux-kernel, Denis Kirjanov

On Fri, Dec 14, 2012 at 11:26:57AM +0000, Alan Cox wrote:
> On Fri, 14 Dec 2012 15:03:10 +0400
> Konstantin Khlebnikov <khlebnikov@openvz.org> wrote:
> 
> > This patch fixes use-after-free and double-free bugs in edac_mc_sysfs_exit().
> > mci_pdev has single reference and put_device() calls mc_attr_release() which
> > calls kfree(), thus following device_del() works with already released memory.
> > An another kfree() in edac_mc_sysfs_exit() releses the same memory again. Great.
> 
> Patches for this were posted a while ago by Jean Delvare. See bugzilla
> 50491 as well for this.

Jean's patch is for i7core_edac but Konstantin's fixes the edac_core
which is another module. And AFAICT the correct order of destroying
devices in the driver core is

1. _del
2. _put

so I'll pick up Konstantin's patch with a tag for 3.7-stable unless
someone has objections?

Thanks.

-- 
Regards/Gruss,
    Boris.

Sent from a fat crate under my desk. Formatting is fine.
--

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 12/12] edac: fix kernel panic on module unloading
  2012-12-14 11:26   ` Alan Cox
  2012-12-14 11:50     ` Borislav Petkov
@ 2012-12-14 11:55     ` Konstantin Khlebnikov
  2012-12-14 13:26       ` Alan Cox
  1 sibling, 1 reply; 23+ messages in thread
From: Konstantin Khlebnikov @ 2012-12-14 11:55 UTC (permalink / raw)
  To: Alan Cox; +Cc: linux-kernel, Denis Kirjanov, Borislav Petkov

Alan Cox wrote:
> On Fri, 14 Dec 2012 15:03:10 +0400
> Konstantin Khlebnikov<khlebnikov@openvz.org>  wrote:
>
>> This patch fixes use-after-free and double-free bugs in edac_mc_sysfs_exit().
>> mci_pdev has single reference and put_device() calls mc_attr_release() which
>> calls kfree(), thus following device_del() works with already released memory.
>> An another kfree() in edac_mc_sysfs_exit() releses the same memory again. Great.
>
> Patches for this were posted a while ago by Jean Delvare. See bugzilla
> 50491 as well for this.
>

Seems like this is different bugs, that was in "i7core_edac", this one in "edac_core"


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 12/12] edac: fix kernel panic on module unloading
  2012-12-14 11:55     ` Konstantin Khlebnikov
@ 2012-12-14 13:26       ` Alan Cox
  0 siblings, 0 replies; 23+ messages in thread
From: Alan Cox @ 2012-12-14 13:26 UTC (permalink / raw)
  To: Konstantin Khlebnikov; +Cc: linux-kernel, Denis Kirjanov, Borislav Petkov

On Fri, 14 Dec 2012 15:55:33 +0400

> Seems like this is different bugs, that was in "i7core_edac", this one in "edac_core"

Agreed

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 03/12] mISDN: fix race in timer canceling on module unloading
  2012-12-14 11:02 ` [PATCH 03/12] mISDN: fix race in timer canceling on module unloading Konstantin Khlebnikov
@ 2012-12-14 18:16   ` David Miller
  0 siblings, 0 replies; 23+ messages in thread
From: David Miller @ 2012-12-14 18:16 UTC (permalink / raw)
  To: khlebnikov; +Cc: linux-kernel, netdev, isdn

From: Konstantin Khlebnikov <khlebnikov@openvz.org>
Date: Fri, 14 Dec 2012 15:02:36 +0400

> Using timer_pending() without additional syncronization is racy,
> del_timer_sync() must be used here for waiting in-flight handler.
> Bug caught with help from "debug-objects" during random insmod/rmmod.
> 
> Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>

Applied.

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 10/12] mac802154: fix destructon ordering for ieee802154 devices
  2012-12-14 11:03 ` [PATCH 10/12] mac802154: fix destructon ordering for ieee802154 devices Konstantin Khlebnikov
@ 2012-12-14 18:16     ` David Miller
  0 siblings, 0 replies; 23+ messages in thread
From: David Miller @ 2012-12-14 18:16 UTC (permalink / raw)
  To: khlebnikov
  Cc: linux-kernel, dbaryshkov, netdev, alex.bluesman.smirnov,
	linux-zigbee-devel

From: Konstantin Khlebnikov <khlebnikov@openvz.org>
Date: Fri, 14 Dec 2012 15:03:03 +0400

> mutex_destroy() must be called before wpan_phy_free(), because it puts the last
> reference and frees memory. Catched as overwritten poison in kmalloc-2048.
> 
> Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>

Applied.

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 10/12] mac802154: fix destructon ordering for ieee802154 devices
@ 2012-12-14 18:16     ` David Miller
  0 siblings, 0 replies; 23+ messages in thread
From: David Miller @ 2012-12-14 18:16 UTC (permalink / raw)
  To: khlebnikov-GEFAQzZX7r8dnm+yROfE0A
  Cc: netdev-u79uwXL29TY76Z2rM5mHXA,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-zigbee-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f

From: Konstantin Khlebnikov <khlebnikov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
Date: Fri, 14 Dec 2012 15:03:03 +0400

> mutex_destroy() must be called before wpan_phy_free(), because it puts the last
> reference and frees memory. Catched as overwritten poison in kmalloc-2048.
> 
> Signed-off-by: Konstantin Khlebnikov <khlebnikov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>

Applied.

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 08/12] bonding: do not cancel works in bond_uninit()
  2012-12-14 11:02 ` [PATCH 08/12] bonding: do not cancel works in bond_uninit() Konstantin Khlebnikov
@ 2012-12-14 18:16   ` David Miller
  0 siblings, 0 replies; 23+ messages in thread
From: David Miller @ 2012-12-14 18:16 UTC (permalink / raw)
  To: khlebnikov; +Cc: linux-kernel, nikolay, netdev, fubar, andy

From: Konstantin Khlebnikov <khlebnikov@openvz.org>
Date: Fri, 14 Dec 2012 15:02:55 +0400

> Bonding initializes these works in bond_open() and cancels in bond_close(),
> thus in bond_uninit() they are already canceled but may be unitialized yet.
> 
> Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>

Applied.

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 07/12] stmmac: fix platform driver unregistering
  2012-12-14 11:02 ` [PATCH 07/12] stmmac: fix platform driver unregistering Konstantin Khlebnikov
@ 2012-12-14 18:16   ` David Miller
  0 siblings, 0 replies; 23+ messages in thread
From: David Miller @ 2012-12-14 18:16 UTC (permalink / raw)
  To: khlebnikov; +Cc: linux-kernel, peppe.cavallaro, netdev

From: Konstantin Khlebnikov <khlebnikov@openvz.org>
Date: Fri, 14 Dec 2012 15:02:51 +0400

> This patch fixes platform device drivers unregistering and adds proper error
> handing on module loading.
> 
> Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>

Applied.

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 12/12] edac: fix kernel panic on module unloading
  2012-12-14 11:03 ` [PATCH 12/12] edac: fix kernel panic on module unloading Konstantin Khlebnikov
  2012-12-14 11:26   ` Alan Cox
@ 2012-12-15 17:53   ` Borislav Petkov
  1 sibling, 0 replies; 23+ messages in thread
From: Borislav Petkov @ 2012-12-15 17:53 UTC (permalink / raw)
  To: Konstantin Khlebnikov; +Cc: linux-kernel, Denis Kirjanov, linux-edac

On Fri, Dec 14, 2012 at 03:03:10PM +0400, Konstantin Khlebnikov wrote:
> This patch fixes use-after-free and double-free bugs in
> edac_mc_sysfs_exit(). mci_pdev has single reference and put_device()
> calls mc_attr_release() which calls kfree(), thus following
> device_del() works with already released memory. An another kfree() in
> edac_mc_sysfs_exit() releses the same memory again. Great.

Applied and tagged for 3.6 and 3.7 stable.

Thanks.

-- 
Regards/Gruss,
    Boris.

Sent from a fat crate under my desk. Formatting is fine.
--

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [PATCH 05/12] staging: vme_pio2: fix oops on module unloading
  2012-12-14 11:02 ` [PATCH 05/12] staging: vme_pio2: " Konstantin Khlebnikov
@ 2012-12-17 12:01   ` Martyn Welch
  0 siblings, 0 replies; 23+ messages in thread
From: Martyn Welch @ 2012-12-17 12:01 UTC (permalink / raw)
  To: Konstantin Khlebnikov
  Cc: linux-kernel, Greg Kroah-Hartman, devel, Manohar Vanga

On 14/12/12 11:02, Konstantin Khlebnikov wrote:
> This patch forbids loading vme_pio2 module without specifing "num_bus" parameter.
> Otherwise on module unloading pio2_exit() calls vme_unregister_driver() for not
> registered pio2_driver.
> 

Acked-by: Martyn Welch <martyn.welch@ge.com>

> Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
> Cc: Martyn Welch <martyn.welch@ge.com>
> Cc: Manohar Vanga <manohar.vanga@gmail.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: devel@driverdev.osuosl.org
> ---
>  drivers/staging/vme/devices/vme_pio2_core.c |   14 ++------------
>  1 file changed, 2 insertions(+), 12 deletions(-)
> 
> diff --git a/drivers/staging/vme/devices/vme_pio2_core.c b/drivers/staging/vme/devices/vme_pio2_core.c
> index 0331178..bf73ba2 100644
> --- a/drivers/staging/vme/devices/vme_pio2_core.c
> +++ b/drivers/staging/vme/devices/vme_pio2_core.c
> @@ -162,11 +162,9 @@ static struct vme_driver pio2_driver = {
>  
>  static int __init pio2_init(void)
>  {
> -	int retval = 0;
> -
>  	if (bus_num == 0) {
>  		pr_err("No cards, skipping registration\n");
> -		goto err_nocard;
> +		return -ENODEV;
>  	}
>  
>  	if (bus_num > PIO2_CARDS_MAX) {
> @@ -176,15 +174,7 @@ static int __init pio2_init(void)
>  	}
>  
>  	/* Register the PIO2 driver */
> -	retval = vme_register_driver(&pio2_driver, bus_num);
> -	if (retval != 0)
> -		goto err_reg;
> -
> -	return retval;
> -
> -err_reg:
> -err_nocard:
> -	return retval;
> +	return  vme_register_driver(&pio2_driver, bus_num);
>  }
>  
>  static int pio2_match(struct vme_dev *vdev)
> 


-- 
Martyn Welch (Lead Software Engineer)  | Registered in England and Wales
GE Intelligent Platforms               | (3828642) at 100 Barbirolli Square
T +44(0)1327322748                     | Manchester, M2 3AB
E martyn.welch@ge.com                  | VAT:GB 927559189

^ permalink raw reply	[flat|nested] 23+ messages in thread

end of thread, other threads:[~2012-12-17 12:06 UTC | newest]

Thread overview: 23+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-12-14 11:02 [PATCH 01/12] tools/testing/modules: introduce test which loads/unloads random modules Konstantin Khlebnikov
2012-12-14 11:02 ` [PATCH 02/12] driver core: add debug-objects debug for device-drivers Konstantin Khlebnikov
2012-12-14 11:02 ` [PATCH 03/12] mISDN: fix race in timer canceling on module unloading Konstantin Khlebnikov
2012-12-14 18:16   ` David Miller
2012-12-14 11:02 ` [PATCH 04/12] pps: pps_parport: fix oops " Konstantin Khlebnikov
2012-12-14 11:02 ` [PATCH 05/12] staging: vme_pio2: " Konstantin Khlebnikov
2012-12-17 12:01   ` Martyn Welch
2012-12-14 11:02 ` [PATCH 06/12] media/rc: fix oops on unloading module rc-core Konstantin Khlebnikov
2012-12-14 11:02 ` [PATCH 07/12] stmmac: fix platform driver unregistering Konstantin Khlebnikov
2012-12-14 18:16   ` David Miller
2012-12-14 11:02 ` [PATCH 08/12] bonding: do not cancel works in bond_uninit() Konstantin Khlebnikov
2012-12-14 18:16   ` David Miller
2012-12-14 11:02 ` [PATCH 09/12] pps: fix device destruction ordering Konstantin Khlebnikov
2012-12-14 11:03 ` [PATCH 10/12] mac802154: fix destructon ordering for ieee802154 devices Konstantin Khlebnikov
2012-12-14 18:16   ` David Miller
2012-12-14 18:16     ` David Miller
2012-12-14 11:03 ` [PATCH 11/12] firmware/dmi-sysfs: fix sysfs warning on module unload Konstantin Khlebnikov
2012-12-14 11:03 ` [PATCH 12/12] edac: fix kernel panic on module unloading Konstantin Khlebnikov
2012-12-14 11:26   ` Alan Cox
2012-12-14 11:50     ` Borislav Petkov
2012-12-14 11:55     ` Konstantin Khlebnikov
2012-12-14 13:26       ` Alan Cox
2012-12-15 17:53   ` Borislav Petkov

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.