From: Sven Eckelmann <sven.eckelmann@gmx.de>
To: b.a.t.m.a.n@lists.open-mesh.org
Subject: [B.A.T.M.A.N.] [PATCH 6/9] batman-adv: Use refcnt to track usage count of gw_node
Date: Fri, 17 Sep 2010 17:41:02 +0200 [thread overview]
Message-ID: <1284738065-8715-7-git-send-email-sven.eckelmann@gmx.de> (raw)
In-Reply-To: <1284738065-8715-1-git-send-email-sven.eckelmann@gmx.de>
gw_election may leak data from the rcu protected list of all gateway
nodes outside the read-side critical area. This is not valid as we may
free the data using a call_rcu created callback after we unlock using
rcu_read_unlock. A workaround is to provide a reference count to be sure
that the memory isn't freed to early.
It is currently only to implement the already existing functionality and
doesn't provide the full tracking of all usage cases.
Additionally, we must gw_node_hold inside the
rcu_read_lock()..rcu_read_unlock() before we attach to the structure
which "leaks" it. When another function now removed it from its usage
context (curr_gw, usage on stack, ...) then we must gw_node_put it. If
it is decremented to zero then we can issue the call_rcu to the freeing
function. So "put" is not allowed inside an rcu_read_lock.
Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
---
batman-adv/gateway_client.c | 17 +++++++++++++++--
batman-adv/types.h | 1 +
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/batman-adv/gateway_client.c b/batman-adv/gateway_client.c
index 8bc1cb0..16f0757 100644
--- a/batman-adv/gateway_client.c
+++ b/batman-adv/gateway_client.c
@@ -28,6 +28,17 @@
#include <linux/udp.h>
#include <linux/if_vlan.h>
+static void gw_node_hold(struct gw_node *gw_node)
+{
+ atomic_inc(&gw_node->refcnt);
+}
+
+static void gw_node_put(struct gw_node *gw_node)
+{
+ if (atomic_dec_and_test(&gw_node->refcnt))
+ kfree(gw_node);
+}
+
void *gw_get_selected(struct bat_priv *bat_priv)
{
struct gw_node *curr_gateway_tmp = bat_priv->curr_gw;
@@ -205,6 +216,8 @@ static void gw_node_add(struct bat_priv *bat_priv,
memset(gw_node, 0, sizeof(struct gw_node));
INIT_HLIST_NODE(&gw_node->list);
gw_node->orig_node = orig_node;
+ atomic_set(&gw_node->refcnt, 0);
+ gw_node_hold(gw_node);
spin_lock_irqsave(&bat_priv->gw_list_lock, flags);
hlist_add_head_rcu(&gw_node->list, &bat_priv->gw_list);
@@ -281,7 +294,7 @@ void gw_node_purge_deleted(struct bat_priv *bat_priv)
hlist_del_rcu(&gw_node->list);
synchronize_rcu();
- kfree(gw_node);
+ gw_node_put(gw_node);
}
}
@@ -300,7 +313,7 @@ void gw_node_list_free(struct bat_priv *bat_priv)
&bat_priv->gw_list, list) {
hlist_del_rcu(&gw_node->list);
synchronize_rcu();
- kfree(gw_node);
+ gw_node_put(gw_node);
}
gw_deselect(bat_priv);
diff --git a/batman-adv/types.h b/batman-adv/types.h
index 1940404..ecc4365 100644
--- a/batman-adv/types.h
+++ b/batman-adv/types.h
@@ -95,6 +95,7 @@ struct gw_node {
struct hlist_node list;
struct orig_node *orig_node;
unsigned long deleted;
+ atomic_t refcnt;
};
/**
--
1.7.2.3
next prev parent reply other threads:[~2010-09-17 15:41 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-17 15:40 [B.A.T.M.A.N.] [PATCHv2 0/9] RCU locking patches Sven Eckelmann
2010-09-17 15:40 ` [B.A.T.M.A.N.] [PATCH 1/9] batman-adv: Introduce if_list_lock to protect if_list Sven Eckelmann
2010-09-17 15:40 ` [B.A.T.M.A.N.] [PATCH 2/9] batman-adv: Protect update side of gw_list Sven Eckelmann
2010-09-17 15:40 ` [B.A.T.M.A.N.] [PATCH 3/9] batman-adv: Always protect list_for_each_entry_rcu with RCU Sven Eckelmann
2010-09-17 15:41 ` [B.A.T.M.A.N.] [PATCH 4/9] batman-adv: Remove unneeded rcu_read_lock Sven Eckelmann
2010-09-17 15:41 ` [B.A.T.M.A.N.] [PATCH 5/9] batman-adv: Use synchronize_rcu instead of call_rcu Sven Eckelmann
2010-09-17 15:41 ` Sven Eckelmann [this message]
2010-09-17 15:41 ` [B.A.T.M.A.N.] [PATCH 7/9] batman-adv: Use refcnt to track usage count of batman_if Sven Eckelmann
2010-09-17 15:41 ` [B.A.T.M.A.N.] [PATCH 8/9] batman-adv: count election of gateway as reference Sven Eckelmann
2010-09-17 15:41 ` [B.A.T.M.A.N.] [PATCH 9/9] batman-adv: count batman_if list queries " Sven Eckelmann
2010-09-17 17:27 ` [B.A.T.M.A.N.] [PATCHv2 " Sven Eckelmann
2010-09-18 14:42 ` Marek Lindner
2010-09-18 14:42 ` [B.A.T.M.A.N.] [PATCH] " Marek Lindner
2010-09-18 15:21 ` [B.A.T.M.A.N.] [PATCHv2 9/9] " Sven Eckelmann
2010-09-18 15:23 ` [B.A.T.M.A.N.] [PATCH 1/2] batman-adv: Track references of batman_if in set_primary_if Sven Eckelmann
2010-09-18 15:23 ` [B.A.T.M.A.N.] [PATCH 2/2] Introduce update_primary_addr to update mac address Sven Eckelmann
2010-09-18 15:41 ` [B.A.T.M.A.N.] [PATCHv2 9/9] batman-adv: count batman_if list queries as reference Marek Lindner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1284738065-8715-7-git-send-email-sven.eckelmann@gmx.de \
--to=sven.eckelmann@gmx.de \
--cc=b.a.t.m.a.n@lists.open-mesh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).