diff options
| author | Silas Boyd-Wickizer <sbw@mit.edu> | 2012-08-03 15:33:27 -0400 |
|---|---|---|
| committer | Paul E. McKenney <paulmck@linux.vnet.ibm.com> | 2012-09-23 10:43:56 -0400 |
| commit | a2db672aa305a045404615e5222ba681bab6cf58 (patch) | |
| tree | 49ac9a38d87e42695f212b730751dfa78cf3a0d4 /arch/x86/kernel/msr.c | |
| parent | 5d18023294abc22984886bd7185344e0c2be0daf (diff) | |
Use get_online_cpus to avoid races involving CPU hotplug
If arch/x86/kernel/msr.c is a module, a CPU might offline or online
between the for_each_online_cpu(i) loop and the call to
register_hotcpu_notifier in msr_init or the call to
unregister_hotcpu_notifier in msr_exit. The potential races can lead
to leaks/duplicates, attempts to destroy non-existant devices, or
random pointer dereferences.
For example, in msr_init if:
for_each_online_cpu(i) {
err = msr_device_create(i);
if (err != 0)
goto out_class;
}
<----- CPU offlines
register_hotcpu_notifier(&msr_class_cpu_notifier);
and the CPU never onlines before msr_exit, then the module will never
call msr_device_destroy for the associated CPU.
This fix surrounds for_each_online_cpu and register_hotcpu_notifier or
unregister_hotcpu_notifier with get_online_cpus+put_online_cpus.
Tested on a VM.
Signed-off-by: Silas Boyd-Wickizer <sbw@mit.edu>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Diffstat (limited to 'arch/x86/kernel/msr.c')
| -rw-r--r-- | arch/x86/kernel/msr.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index eb113693f043..a7c5661f8496 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c | |||
| @@ -257,12 +257,14 @@ static int __init msr_init(void) | |||
| 257 | goto out_chrdev; | 257 | goto out_chrdev; |
| 258 | } | 258 | } |
| 259 | msr_class->devnode = msr_devnode; | 259 | msr_class->devnode = msr_devnode; |
| 260 | get_online_cpus(); | ||
| 260 | for_each_online_cpu(i) { | 261 | for_each_online_cpu(i) { |
| 261 | err = msr_device_create(i); | 262 | err = msr_device_create(i); |
| 262 | if (err != 0) | 263 | if (err != 0) |
| 263 | goto out_class; | 264 | goto out_class; |
| 264 | } | 265 | } |
| 265 | register_hotcpu_notifier(&msr_class_cpu_notifier); | 266 | register_hotcpu_notifier(&msr_class_cpu_notifier); |
| 267 | put_online_cpus(); | ||
| 266 | 268 | ||
| 267 | err = 0; | 269 | err = 0; |
| 268 | goto out; | 270 | goto out; |
| @@ -271,6 +273,7 @@ out_class: | |||
| 271 | i = 0; | 273 | i = 0; |
| 272 | for_each_online_cpu(i) | 274 | for_each_online_cpu(i) |
| 273 | msr_device_destroy(i); | 275 | msr_device_destroy(i); |
| 276 | put_online_cpus(); | ||
| 274 | class_destroy(msr_class); | 277 | class_destroy(msr_class); |
| 275 | out_chrdev: | 278 | out_chrdev: |
| 276 | __unregister_chrdev(MSR_MAJOR, 0, NR_CPUS, "cpu/msr"); | 279 | __unregister_chrdev(MSR_MAJOR, 0, NR_CPUS, "cpu/msr"); |
| @@ -281,11 +284,13 @@ out: | |||
| 281 | static void __exit msr_exit(void) | 284 | static void __exit msr_exit(void) |
| 282 | { | 285 | { |
| 283 | int cpu = 0; | 286 | int cpu = 0; |
| 287 | get_online_cpus(); | ||
| 284 | for_each_online_cpu(cpu) | 288 | for_each_online_cpu(cpu) |
| 285 | msr_device_destroy(cpu); | 289 | msr_device_destroy(cpu); |
| 286 | class_destroy(msr_class); | 290 | class_destroy(msr_class); |
| 287 | __unregister_chrdev(MSR_MAJOR, 0, NR_CPUS, "cpu/msr"); | 291 | __unregister_chrdev(MSR_MAJOR, 0, NR_CPUS, "cpu/msr"); |
| 288 | unregister_hotcpu_notifier(&msr_class_cpu_notifier); | 292 | unregister_hotcpu_notifier(&msr_class_cpu_notifier); |
| 293 | put_online_cpus(); | ||
| 289 | } | 294 | } |
| 290 | 295 | ||
| 291 | module_init(msr_init); | 296 | module_init(msr_init); |