  • Drivers: hv: utils: fix crash when device is removed from host side · 9420098a
    Vitaly Kuznetsov authored
    
    
    The crash is observed when a service is being disabled host side while
    userspace daemon is connected to the device:
    
    [   90.244859] general protection fault: 0000 [#1] SMP
    ...
    [   90.800082] Call Trace:
    [   90.800082]  [<ffffffff81187008>] __fput+0xc8/0x1f0
    [   90.800082]  [<ffffffff8118716e>] ____fput+0xe/0x10
    ...
    [   90.800082]  [<ffffffff81015278>] do_signal+0x28/0x580
    [   90.800082]  [<ffffffff81086656>] ? finish_task_switch+0xa6/0x180
    [   90.800082]  [<ffffffff81443ebf>] ? __schedule+0x28f/0x870
    [   90.800082]  [<ffffffffa01ebbaa>] ? hvt_op_read+0x12a/0x140 [hv_utils]
    ...
    
    The problem is that hvutil_transport_destroy(), which does misc_deregister()
    freeing the appropriate device, is reachable by two paths: module unload
    and from util_remove(). While the module unload path is protected by .owner in
    struct file_operations, the util_remove() path is not. Freeing the device while
    someone holds an open fd for it is a show stopper.
    
    In general, it is not possible to revoke an fd from all users so the only
    way to solve the issue is to defer freeing the hvutil_transport structure.
    
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
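The lifetime rule the commit message describes (do not free the transport while an fd is open; defer the free to the last release) can be modelled in userspace C. This is an added example, not code from the commit or from hv_utils: the struct, every function name and the `freed_flag` hook are hypothetical, and the model is single-threaded, whereas a real driver would need a lock around the state changes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a char-device transport; not the hv_utils API. */
struct transport {
    bool open;        /* a userspace fd currently references the object */
    bool destroyed;   /* removal was requested (host disabled the service) */
    int *freed_flag;  /* demo hook: set to 1 when the memory is released */
};

static void transport_free(struct transport *t) {
    *t->freed_flag = 1;
    free(t);
}

struct transport *transport_create(int *freed_flag) {
    struct transport *t = calloc(1, sizeof(*t));
    if (t) t->freed_flag = freed_flag;
    return t;
}

/* open(): single user only, and no new users once removal has started. */
int transport_open(struct transport *t) {
    if (t->destroyed || t->open) return -1;
    t->open = true;
    return 0;
}

/* read(): an fd holder gets an error after removal instead of freed memory. */
int transport_read(struct transport *t) { return t->destroyed ? -1 : 0; }

/* Removal path: free immediately only if nobody holds an fd, else defer. */
void transport_destroy(struct transport *t) {
    t->destroyed = true;
    if (!t->open) transport_free(t);
}

/* release(): the last fd holder performs the deferred free. */
void transport_release(struct transport *t) {
    t->open = false;
    if (t->destroyed) transport_free(t);
}

int main(void) {
    int freed = 0;
    struct transport *t = transport_create(&freed);
    if (!t || transport_open(t) != 0) return 1;
    transport_destroy(t);                    /* removal while the fd is open */
    printf("after destroy: freed=%d read=%d\n", freed, transport_read(t));
    transport_release(t);                    /* close(): deferred free runs */
    printf("after release: freed=%d\n", freed);
    return 0;
}
```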