linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg KH <gregkh@suse.de>
To: Linus Torvalds <torvalds@osdl.org>, Andrew Morton <akpm@osdl.org>
Cc: linux-kernel@vger.kernel.org,
	linux-usb-devel@lists.sourceforge.net,
	Daniel Ritz <daniel.ritz@gmx.ch>
Subject: [patch 01/18] Driver Core: fis bus rescan devices race
Date: Thu, 22 Sep 2005 00:47:11 -0700	[thread overview]
Message-ID: <20050922074711.GB15053@kroah.com> (raw)
In-Reply-To: <20050922074643.GA15053@kroah.com>

[-- Attachment #1: driver-fix-bus_rescan_devices.patch --]
[-- Type: text/plain, Size: 2088 bytes --]

From: Daniel Ritz <daniel.ritz@gmx.ch>

bus_rescan_devices_helper() does not hold the dev->sem when it checks for
!dev->driver().  device_attach() holds the sem, but calls again
device_bind_driver() even when dev->driver is set.

What happens is that a first device_attach() call (module insertion time)
is on the way binding the device to a driver.  Another thread calls
bus_rescan_devices().  Now when bus_rescan_devices_helper() checks for
dev->driver it is still NULL 'cos the the prior device_attach() is not yet
finished.  But as soon as the first one releases the dev->sem the second
device_attach() tries to rebind the already bound device again. 
device_bind_driver() does this blindly which leads to a corrupt
driver->klist_devices list (the device links itself, the head points to the
device).  Later a call to device_release_driver() sets dev->driver to NULL
and breaks the link it has to itself on knode_driver.  Rmmoding the driver
later calls driver_detach() which leads to an endless loop 'cos the list
head in klist_devices still points to the device.  And since dev->driver is
NULL it's stuck with the same device forever.  Boom.  And rmmod hangs.

Very easy to reproduce with new-style pcmcia and a 16bit card.  Just loop
modprobe <pcmcia-modules> ;cardctl eject; rmmod <card driver, pcmcia
modules>.

Easiest fix is to check if the device is already bound to a driver in
device_bind_driver().  This avoids the double binding.

Signed-off-by: Daniel Ritz <daniel.ritz@gmx.ch>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>


---
drivers/base/dd.c |    3 +++
 1 file changed, 3 insertions(+)

--- scsi-2.6.orig/drivers/base/dd.c	2005-09-20 05:59:41.000000000 -0700
+++ scsi-2.6/drivers/base/dd.c	2005-09-21 17:29:03.000000000 -0700
@@ -40,6 +40,9 @@
  */
 void device_bind_driver(struct device * dev)
 {
+	if (klist_node_attached(&dev->knode_driver))
+		return;
+
 	pr_debug("bound device '%s' to driver '%s'\n",
 		 dev->bus_id, dev->driver->name);
 	klist_add_tail(&dev->knode_driver, &dev->driver->klist_devices);

--

  reply	other threads:[~2005-09-22  7:48 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20050922003901.814147000@echidna.kroah.org>
2005-09-22  7:46 ` [patch 00/18] USB and PCI Fixes for 2.6.14-rc2 Greg KH
2005-09-22  7:47   ` Greg KH [this message]
2005-09-22  7:47   ` [patch 02/18] Driver Core: add helper device_is_registered() Greg KH
2005-09-22  7:47   ` [patch 03/18] fix class symlinks in sysfs Greg KH
2005-09-22  7:47   ` [patch 04/18] I2C: remove me from the MAINTAINERS file for i2c Greg Kroah-Hartman
2005-09-22  7:48   ` [patch 05/18] PCI: remove unused "scratch" Greg KH
2005-09-22  7:48   ` [patch 06/18] PCI: convert kcalloc to kzalloc Greg KH
2005-09-22  7:48   ` [patch 07/18] fix drivers/pci/probe.c warning Greg KH
2005-09-22  7:48   ` [patch 08/18] PCI Hotplug: Fix buffer overrun in rpadlpar_sysfs.c Greg KH
2005-09-22  7:48   ` [patch 09/18] ub: fix burning cds Greg KH
2005-09-22  7:48   ` [patch 10/18] USB: more device IDs for Option card driver Greg KH
2005-09-22  7:48   ` [patch 11/18] USB: ftdi_sio: allow baud rate to be changed without raising RTS and DTR Greg KH
2005-09-22  7:48   ` [patch 12/18] USB: fix pxa2xx_udc compile warnings Greg KH
2005-09-22  7:49   ` [patch 13/18] USB: sl811-hcd minor fixes Greg KH
2005-09-22  7:49   ` [patch 14/18] USB: fix pegasus driver Greg KH
2005-09-22  7:49   ` [patch 15/18] usb/serial/option.c: Increase input buffer size Greg KH
2005-09-22  7:49   ` [patch 16/18] USB: Add Novatel CDMA Wireless PC card IDs to airprime Greg KH
2005-09-22  7:49   ` [patch 17/18] ub: Comment out unconditional stall clear Greg KH
2005-09-22  7:49   ` [patch 18/18] USB: Update Documentation/usb/URB.txt Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20050922074711.GB15053@kroah.com \
    --to=gregkh@suse.de \
    --cc=akpm@osdl.org \
    --cc=daniel.ritz@gmx.ch \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb-devel@lists.sourceforge.net \
    --cc=torvalds@osdl.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).