From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S936430AbcLUPzS (ORCPT ); Wed, 21 Dec 2016 10:55:18 -0500 Received: from mx1.redhat.com ([209.132.183.28]:58328 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752715AbcLUPzP (ORCPT ); Wed, 21 Dec 2016 10:55:15 -0500 Subject: Re: Unregistering extcon providers while they are in use leads to kernel crashes To: Chanwoo Choi References: <0c877df4-c5d7-1eae-bff9-469df9651d09@redhat.com> Cc: myungjoo.ham@samsung.com, Linux Kernel Mailing List From: Hans de Goede Message-ID: <6f4a329f-d128-a317-513b-1f2aa1690152@redhat.com> Date: Wed, 21 Dec 2016 16:55:13 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: <0c877df4-c5d7-1eae-bff9-469df9651d09@redhat.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Wed, 21 Dec 2016 15:55:15 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On 21-12-16 16:54, Hans de Goede wrote: > Hi, > > With the recent extcon work I've been doing I noticed that > if I want to rmmod and then insmod say extcon_axp288 I can > do so without problems even if axp288_charger is holding > a reference to the extcon device returned by extcon_get_extcon_dev. > > The problem is that extcon_get_extcon_dev simply looks up > the extcon-device in the list of current registered extcon-s > and then returns a pointer to it, without any reference > counting. > > The rmmod scenario can be fixed by doing a module_get from > extcon_get_extcon_dev, but that still leaves the same problem > when root manually unbinds the driver through sysfs. > > A possible way fix this would be: > > 1) Make all extcon providers use devm_extcon_dev_allocate and document > using this to allocate an extcon_dev mandatory > > 2) Add a refcount to struct extcon_dev and introduce extcon_dev_get > and extcon_dev_put helpers which modify the refcount and only free > the memory on the final put (and make the evm_extcon_dev_allocate > cleanup function call extcon_dev_put) > > 3) On extcon_dev_unregister set a flag in the extcon_dev that it > has been free-ed, make all extcon consumer functions which take > an extcon_dev (extcon_get_state, extcon_register_notifier, etc.) > check this flag and return -ENODEV when the extcon has been unregistered > > 4) Make extcon_get_extcon_dev call extcon_dev_get on the returned edev > before returning it > > From here on we've fixed the crash, but we now leak the extcon_dev > when the consumer gets unbound. > > 5) Add a devm_extcon_get_extcon_dev which calls extcon_dev_put as the devm > cleanup function > > 6) Convert all extcon consumers to use devm_extcon_get_extcon_dev p.s. In case it was not clear, I noticed this, but I don't have the time to fix it, which is why I wrote the above plan with the hope that someone can use it as a base to actual fix this. Regards, Hans