Locking strategy for device deletion (also see PR kern/48536)

[Paul Goyette <paul%whooppee.com@localhost>]

Can anyone suggest a reliable way to ensure that a device-driver module 
can be _really_ safely detached?

The module could theoretically maintain an open/ref counter, but making 
this MP-safe is "difficult"!  Even if the module were to provide a mutex 
to control increment/decrement of it's counter, there's still a problem:

Thread 1 initiates a module-unload, which takes the mutex

Thread 2 attempts to open the device (or one of its units), attempts to
grab the mutex, and waits

Back in thread 1, the driver's module unload code determines that it is 
safe to unload (no current activites queued, no current opens), so it
goes forward and unmaps the module - including the mutex!

If the unload code releases the mutex, then thread 2 resumes, at an 
address which has been unmapped, leading to all sorts of bad-stuff(tm).
(And, if the unload code doesn't bother to release the mutex before 
destroying it, then thread 2 stalls indefinitely.)

There currently doesn't seem to be a safe way to unload driver modules.


Any good MP-safe suggestions?


+------------------+--------------------------+------------------------+
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:      |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd.org |
+------------------+--------------------------+------------------------+