Registering the same notifier to a hook repeatedly can cause the hook
list to form a ring or lose other members of the list.

case1: An infinite loop in notifier_chain_register can cause soft lockup
        atomic_notifier_chain_register(&test_notifier_list, &test_notifier1);
        atomic_notifier_chain_register(&test_notifier_list, &test_notifier1);
        atomic_notifier_chain_register(&test_notifier_list, &test_notifier2);

case2: An infinite loop in notifier_chain_register can cause soft lockup
        atomic_notifier_chain_register(&test_notifier_list, &test_notifier1);
        atomic_notifier_chain_register(&test_notifier_list, &test_notifier1);
        atomic_notifier_call_chain(&test_notifier_list, 0, NULL);

case3: lose other hook "test_notifier2"
        atomic_notifier_chain_register(&test_notifier_list, &test_notifier1);
        atomic_notifier_chain_register(&test_notifier_list, &test_notifier2);
        atomic_notifier_chain_register(&test_notifier_list, &test_notifier1);

case4: Unregister returns 0, but the hook is still in the linked list,
        so the unregistration has not really taken effect. If
        notifier_call_chain is called after the module (ko) is unloaded,
        it will trigger an oops.

If the system is configured with softlockup_panic and the same
hook is repeatedly registered on the panic_notifier_list, it
will cause a loop panic.

The only difference between notifier_chain_cond_register and
notifier_chain_register is that a check is added in order to
avoid registering the same notifier multiple times to the same hook.
So consider removing notifier_chain_register and replacing it
with notifier_chain_cond_register.

Signed-off-by: Xiaoming Ni <[email protected]>
---
 kernel/notifier.c | 26 ++++++--------------------
 1 file changed, 6 insertions(+), 20 deletions(-)

diff --git a/kernel/notifier.c b/kernel/notifier.c
index d9f5081..56efd54 100644
--- a/kernel/notifier.c
+++ b/kernel/notifier.c
@@ -19,20 +19,6 @@
  *     are layered on top of these, with appropriate locking added.
  */
 
-static int notifier_chain_register(struct notifier_block **nl,
-               struct notifier_block *n)
-{
-       while ((*nl) != NULL) {
-               WARN_ONCE(((*nl) == n), "double register detected");
-               if (n->priority > (*nl)->priority)
-                       break;
-               nl = &((*nl)->next);
-       }
-       n->next = *nl;
-       rcu_assign_pointer(*nl, n);
-       return 0;
-}
-
 static int notifier_chain_cond_register(struct notifier_block **nl,
                struct notifier_block *n)
 {
@@ -127,7 +113,7 @@ int atomic_notifier_chain_register(struct 
atomic_notifier_head *nh,
        int ret;
 
        spin_lock_irqsave(&nh->lock, flags);
-       ret = notifier_chain_register(&nh->head, n);
+       ret = notifier_chain_cond_register(&nh->head, n);
        spin_unlock_irqrestore(&nh->lock, flags);
        return ret;
 }
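Review bot: Switching the `ret =` line to notifier_chain_cond_register drops the only diagnostic for a double registration, the `WARN_ONCE(((*nl) == n), "double register detected")` that the removed notifier_chain_register carried; if notifier_chain_cond_register returns 0 for an already-linked block without warning (its body lies outside the hunks shown), a caller that registers twice now gets a silent success and the caller bug stays hidden instead of being surfaced the first time it happens. The same concern applies to the blocking, raw and srcu hunks below, which make the identical substitution. Consider keeping the warning next to the early return in notifier_chain_cond_register, e.g. `if (unlikely((*nl) == n)) { WARN_ONCE(1, "double register detected"); return 0; }`, or at least documenting on the kept function that a duplicate registration is a no-op that reports success. atomic_notifier_chain_register's signature and the declaration of flags begin outside this hunk.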
@@ -223,10 +209,10 @@ int blocking_notifier_chain_register(struct 
blocking_notifier_head *nh,
         * such times we must not call down_write().
         */
        if (unlikely(system_state == SYSTEM_BOOTING))
-               return notifier_chain_register(&nh->head, n);
+               return notifier_chain_cond_register(&nh->head, n);
 
        down_write(&nh->rwsem);
-       ret = notifier_chain_register(&nh->head, n);
+       ret = notifier_chain_cond_register(&nh->head, n);
        up_write(&nh->rwsem);
        return ret;
 }
@@ -349,7 +335,7 @@ int blocking_notifier_call_chain(struct 
blocking_notifier_head *nh,
 int raw_notifier_chain_register(struct raw_notifier_head *nh,
                struct notifier_block *n)
 {
-       return notifier_chain_register(&nh->head, n);
+       return notifier_chain_cond_register(&nh->head, n);
 }
 EXPORT_SYMBOL_GPL(raw_notifier_chain_register);
 
@@ -431,10 +417,10 @@ int srcu_notifier_chain_register(struct 
srcu_notifier_head *nh,
         * such times we must not call mutex_lock().
         */
        if (unlikely(system_state == SYSTEM_BOOTING))
-               return notifier_chain_register(&nh->head, n);
+               return notifier_chain_cond_register(&nh->head, n);
 
        mutex_lock(&nh->mutex);
-       ret = notifier_chain_register(&nh->head, n);
+       ret = notifier_chain_cond_register(&nh->head, n);
        mutex_unlock(&nh->mutex);
        return ret;
 }
-- 
1.8.5.6
