Peter Zijlstra reported (referring to commit 019a316992ee0d983, "rtnetlink: add reference counting to prevent module unload while dump is in progress"):
1) it is not in fact a refcount, so using refcount_t is silly
2) there is a distinct lack of memory barriers, so we can easily observe the decrement while the msg_handler is still in progress.
3) waiting with a schedule()/yield() loop is complete crap and subject to live-locks, imagine doing that rtnl_unregister_all() from a RT task.

In ancient times rtnetlink exposed a statically-sized table with preset doit/dumpit handlers to be called for a protocol/type pair. Later the rtnl_register interface was added and the table was allocated on demand. Eventually these were also used by modules.

Problem is that nothing prevents module unload while a netlink dump is in progress. netlink dumps can span multiple recv calls and netlink core saves the to-be-repeated dumper address for later invocation. To prevent rmmod the netlink core expects callers to pass in the owning module so a reference can be taken. So far rtnetlink wasn't doing this, add a new interface to pass THIS_MODULE.

Moreover, when converting parts of the rtnetlink handling to rcu this code gained way too many READ_ONCE spots, remove them and the extra refcounting.

Take a module reference when running dumpit and doit callbacks and never alter content of rtnl_link structures after they have been published via rcu_assign_pointer.

Based partially on an earlier patch from Peter.

 include/net/rtnetlink.h |   4
 net/bridge/br_mdb.c     |   6 -
 net/can/gw.c            |  14 +-
 net/core/rtnetlink.c    | 270 ++++++++++++++++++++++++++++++------------------
 net/decnet/dn_dev.c     |   9 +
 net/decnet/dn_fib.c     |   6 -
 net/decnet/dn_route.c   |   8 -
 net/ipv6/addrconf.c     |  44 +++++--
 net/ipv6/addrlabel.c    |  13 +-
 net/ipv6/ip6_fib.c      |   4
 net/ipv6/route.c        |  20 ++-
 net/mpls/af_mpls.c      |  15 +-
 net/phonet/pn_netlink.c |  21 ++-
 net/qrtr/qrtr.c         |   8 +
 14 files changed, 282 insertions(+), 160 deletions(-)
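The following is an added user-space model, not code from this series or from the kernel, of the mechanism the cover letter describes: a handler table whose entries name their owning module, a dump that pins that module for as long as the multi-call dump is alive, and an unload path that is refused while a reference is outstanding. All names (struct module, try_module_get, rtnl_register_module, the fake_proto module and its dumpit) are stand-ins chosen here to mirror the kernel's vocabulary; there is no real module loader, RCU or netlink socket behind them, and the "three recv calls" dump is constructed for the scenario.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal stand-in for a loadable module: a count of references held by
 * in-progress dumps and a flag set once unload has actually begun. */
struct module {
    const char *name;
    int refcnt;
    bool going;
};

/* Models try_module_get(): a reference may be taken only while the module
 * is not going away. A NULL owner stands for built-in code, which needs
 * no pinning. */
static bool try_module_get(struct module *m)
{
    if (m == NULL)
        return true;
    if (m->going)
        return false;
    m->refcnt++;
    return true;
}

static void module_put(struct module *m)
{
    if (m != NULL)
        m->refcnt--;
}

/* A handler entry: the dump callback plus the module that owns it. The
 * entry is filled in completely before it is published and never written
 * afterwards (the publish-then-immutable rule from the cover letter). */
struct rtnl_link {
    int (*dumpit)(int *state);   /* returns >0 while more data remains */
    struct module *owner;
};

enum { NTYPES = 4 };
static struct rtnl_link *handlers[NTYPES];

/* Publishing the pointer stands in for rcu_assign_pointer(); the caller
 * supplies the owning module inside the entry instead of relying on a
 * separate refcount in the table. */
static int rtnl_register_module(int type, struct rtnl_link *link)
{
    if (type < 0 || type >= NTYPES || handlers[type] != NULL)
        return -1;
    handlers[type] = link;
    return 0;
}

static void rtnl_unregister_all(struct module *m)
{
    for (int i = 0; i < NTYPES; i++)
        if (handlers[i] != NULL && handlers[i]->owner == m)
            handlers[i] = NULL;
}

/* The netlink core keeps the dumper across recv calls; here the saved
 * state is the handler entry and the dump's progress counter. */
struct netlink_dump {
    struct rtnl_link *link;
    int state;
};

/* First recv call: resolve the handler and pin its owner for the whole dump. */
static int rtnl_dump_start(struct netlink_dump *cb, int type)
{
    struct rtnl_link *l = (type >= 0 && type < NTYPES) ? handlers[type] : NULL;
    if (l == NULL || !try_module_get(l->owner))
        return -1;
    cb->link = l;
    cb->state = 0;
    return 0;
}

/* Each further recv call re-invokes the saved dumpit; the module reference
 * is dropped only once the dump reports that it is finished. */
static int rtnl_dump_step(struct netlink_dump *cb)
{
    int more = cb->link->dumpit(&cb->state);
    if (more <= 0) {
        module_put(cb->link->owner);
        cb->link = NULL;
    }
    return more;
}

/* Unload is refused (EBUSY in the kernel) while any dump still holds a
 * reference; otherwise the module is marked as going and its handlers
 * are withdrawn. */
static int module_unload(struct module *m)
{
    if (m->refcnt > 0)
        return -1;
    m->going = true;
    rtnl_unregister_all(m);
    return 0;
}

/* Constructed scenario: a dump that needs three recv calls to complete. */
static int fake_dumpit(int *state)
{
    (*state)++;
    return *state < 3;
}

static struct module fake_mod = { "fake_proto", 0, false };
static struct rtnl_link fake_link = { fake_dumpit, &fake_mod };

/* Returns 1 when unload is refused mid-dump, succeeds once the dump has
 * finished, leaves no reference behind, and a new dump can no longer
 * find the withdrawn handler; 0 otherwise. */
static int scenario_unload_during_dump(void)
{
    struct netlink_dump cb;
    const int type = 2;

    fake_mod.refcnt = 0;
    fake_mod.going = false;
    for (int i = 0; i < NTYPES; i++)
        handlers[i] = NULL;

    if (rtnl_register_module(type, &fake_link) != 0)
        return 0;
    if (rtnl_dump_start(&cb, type) != 0)
        return 0;
    if (rtnl_dump_step(&cb) <= 0)          /* first chunk, more to come */
        return 0;
    if (module_unload(&fake_mod) != -1)    /* must be refused: dump in flight */
        return 0;
    while (rtnl_dump_step(&cb) > 0)        /* drain the remaining chunks */
        ;
    if (fake_mod.refcnt != 0)
        return 0;
    if (module_unload(&fake_mod) != 0)     /* now allowed */
        return 0;
    return rtnl_dump_start(&cb, type) == -1 ? 1 : 0;
}
```

The point of the model is the ordering: the reference is taken from the handler entry's owner field at dump start, before any dumpit runs, and released only when the final step reports completion, so there is no window in which the table could be torn down between two recv calls of the same dump.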