From: Sven Eckelmann <sven.eckelmann@gmx.de>
To: b.a.t.m.a.n@lists.open-mesh.org
Subject: [B.A.T.M.A.N.] [PATCH 2/2] batman-adv: Use refcnt to track usage count of batman_if
Date: Thu, 16 Sep 2010 23:32:01 +0200
Message-ID: <1284672721-28527-1-git-send-email-sven.eckelmann@gmx.de>
In-Reply-To: <1284672174-27464-3-git-send-email-sven.eckelmann@gmx.de>

get_batman_if_by_netdev and get_active_batman_if may leak data from the
rcu protected list of interfaces. The rcu protected list of all gateway
nodes leaks the actual data outside the read-side critical area. This is
not valid as we may free the data using a call_rcu created callback
after we unlock using rcu_read_unlock. A workaround is to provide a
reference count to be sure that the memory isn't freed too early.

It is currently only to implement the already existing functionality and
doesn't provide the full tracking of all usage cases.

Additionally, we must hardif_hold inside the
rcu_read_lock()..rcu_read_unlock() before we attach to the structure
which "leaks" it. When another function now removes it from its usage
context (primary_if, usage on stack, ...) then we must hardif_put it. If
it is decremented to zero then we can issue the call_rcu to the freeing
function. So "put" is not allowed inside an rcu_read_lock.

Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
---
Hmpf, small copy and paste failure (used hardif_hold instead of hardif_put).

 batman-adv/hard-interface.c |    6 ++++--
 batman-adv/hard-interface.h |   13 +++++++++++++
 batman-adv/types.h          |    1 +
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/batman-adv/hard-interface.c b/batman-adv/hard-interface.c
index 3cd7cb1..4513856 100644
--- a/batman-adv/hard-interface.c
+++ b/batman-adv/hard-interface.c
@@ -403,6 +403,8 @@ static struct batman_if *hardif_add_interface(struct net_device *net_dev)
 	batman_if->soft_iface = NULL;
 	batman_if->if_status = IF_NOT_IN_USE;
 	INIT_LIST_HEAD(&batman_if->list);
+	atomic_set(&batman_if->refcnt, 0);
+	hardif_hold(batman_if);
 
 	check_known_mac_addr(batman_if->net_dev->dev_addr);
 
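Review bot: In hardif_add_interface the counter is set to 0 and then raised by hardif_hold on the next line; initialise it in one step with atomic_set(&batman_if->refcnt, 1) so the object never exists with a zero count. A short comment that this creation reference belongs to the interface list, and is the one dropped in hardif_remove_interface, would make the pairing obvious.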
@@ -420,7 +422,7 @@ out:
 	return NULL;
 }
 
-static void hardif_free_interface(struct rcu_head *rcu)
+void hardif_free_interface(struct rcu_head *rcu)
 {
 	struct batman_if *batman_if = container_of(rcu, struct batman_if, rcu);
 
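Review bot: Dropping static from hardif_free_interface exposes the RCU callback to every file that includes hard-interface.h, only so that the inline hardif_put can name it. Any caller can now invoke the free function directly and bypass the count. Consider keeping the callback static and making hardif_put an out-of-line function in hard-interface.c.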
@@ -442,7 +444,7 @@ static void hardif_remove_interface(struct batman_if *batman_if)
 	list_del_rcu(&batman_if->list);
 	sysfs_del_hardif(&batman_if->hardif_obj);
 	dev_put(batman_if->net_dev);
-	call_rcu(&batman_if->rcu, hardif_free_interface);
+	hardif_put(batman_if);
 }
 
 void hardif_remove_interfaces(void)
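Review bot: In hardif_remove_interface, dev_put(batman_if->net_dev) still runs unconditionally before hardif_put, so a holder that keeps the batman_if alive past removal is left with a net_dev pointer that is no longer pinned. If references are meant to outlive removal, the dev_put should move into hardif_free_interface so the net_device reference is released together with the structure.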
diff --git a/batman-adv/hard-interface.h b/batman-adv/hard-interface.h
index 4b49527..0f72b17 100644
--- a/batman-adv/hard-interface.h
+++ b/batman-adv/hard-interface.h
@@ -41,5 +41,18 @@ int batman_skb_recv(struct sk_buff *skb,
 				struct net_device *orig_dev);
 int hardif_min_mtu(struct net_device *soft_iface);
 void update_min_mtu(struct net_device *soft_iface);
+void hardif_free_interface(struct rcu_head *rcu);
+
+static inline void hardif_hold(struct batman_if *batman_if)
+{
+	atomic_inc(&batman_if->refcnt);
+}
+
+static inline void hardif_put(struct batman_if *batman_if)
+{
+	if (atomic_dec_and_test(&batman_if->refcnt))
+		call_rcu(&batman_if->rcu, hardif_free_interface);
+}
+
 
 #endif /* _NET_BATMAN_ADV_HARD_INTERFACE_H_ */
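Review bot: hardif_hold uses an unconditional atomic_inc, so a reader that is still walking the list under rcu_read_lock can take a reference on an entry whose count has already reached zero in hardif_put. The count then goes 0 -> 1 -> 0 and call_rcu is queued a second time on the same rcu_head, which ends in a double free. Use atomic_inc_not_zero and return the result so callers can skip an entry that is already being released. Minor: the hunk also leaves two consecutive blank lines before the #endif.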
diff --git a/batman-adv/types.h b/batman-adv/types.h
index a088064..80880cf 100644
--- a/batman-adv/types.h
+++ b/batman-adv/types.h
@@ -44,6 +44,7 @@ struct batman_if {
 	unsigned char *packet_buff;
 	int packet_len;
 	struct kobject *hardif_obj;
+	atomic_t refcnt;
 	struct rcu_head rcu;
 	struct packet_type batman_adv_ptype;
 	struct net_device *soft_iface;
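Review bot: The new refcnt field in struct batman_if has no comment stating who holds references and when they are dropped. Within this patch the only hold is the initial one in hardif_add_interface and the only put is in hardif_remove_interface, so get_batman_if_by_netdev and get_active_batman_if, which the commit message names, still hand out pointers without taking a reference. Document the ownership rule next to the field and note which lookups are expected to take a reference in follow-up patches.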
-- 
1.7.2.3

