Re: [filemon] CVS commit: htdocs/support/security

[David Holland <dholland-tech%netbsd.org@localhost>]

On Tue, Dec 17, 2019 at 02:19:01PM +0100, Maxime Villard wrote:
 > Typically with a character device, the kmod can get unloaded while an ioctl
 > is being executed on it. When it comes to syscalls, I haven't looked
 > closely, but the issue is likely the same.
 > 
 > You can use tricks to "narrow down" the races; eg in NVMM, I use a global
 > 'nmachines' variable, which prevents unloading in ~most cases. But I see
 > no way to fix these races, except using atomic refcounts and mutexes on
 > the ioctls and syscalls; obviously, this won't scale.

It can be done; there was at one point an old thread called "kicking
everybody out of the softc", and maybe others, but i don't remember
what came of it.

Also, passive serialization can be used to deal with this - block
further access by atomically overwriting the pointer(s), wake up
anyone sleeping in the driver, then wait for everybody to report back
that they aren't in the driver any more, or never were.

The last is expensive, but it doesn't happen often.

 > Putting stuff in kmods AND having the kernel load them automatically serves
 > no purpose; it just adds bugs, and sometimes creates the wrong feeling that
 > a driver is disabled while it isn't (like filemon).

Indeed.

-- 
David A. Holland
dholland%netbsd.org@localhost