diff options
| author | Sven Eckelmann <sven@narfation.org> | 2016-01-05 06:06:20 -0500 |
|---|---|---|
| committer | Antonio Quartulli <a@unstable.cc> | 2016-01-16 09:50:00 -0500 |
| commit | 42eff6a617e23b691f8e4467f4687ed7245a92db (patch) | |
| tree | 6d7d64bc6e77a67f067c87b1cc1c58d364738790 /net | |
| parent | b4d922cfc9c08318eeb77d53b7633740e6b0efb0 (diff) | |
batman-adv: Drop immediate orig_node free function
It is not allowed to free the memory of an object which is part of a list
which is protected by rcu-read-side-critical sections without making sure
that no other context is accessing the object anymore. This usually happens
by removing the references to this object and then waiting until the rcu
grace period is over and no one (allowedly) accesses it anymore.
But the _now functions ignore this completely. They free the object
directly even when a different context still tries to access it. This has
to be avoided and thus these functions must be removed and all functions
have to use batadv_orig_node_free_ref.
Fixes: 72822225bd41 ("batman-adv: Fix rcu_barrier() miss due to double call_rcu() in TT code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Diffstat (limited to 'net')
| -rw-r--r-- | net/batman-adv/originator.c | 11 | ||||
| -rw-r--r-- | net/batman-adv/originator.h | 1 | ||||
| -rw-r--r-- | net/batman-adv/translation-table.c | 28 |
3 files changed, 13 insertions, 27 deletions
diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c index 6fdef842ba2a..fe578f75c391 100644 --- a/net/batman-adv/originator.c +++ b/net/batman-adv/originator.c | |||
| @@ -781,17 +781,6 @@ void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node) | |||
| 781 | batadv_orig_node_release(orig_node); | 781 | batadv_orig_node_release(orig_node); |
| 782 | } | 782 | } |
| 783 | 783 | ||
| 784 | /** | ||
| 785 | * batadv_orig_node_free_ref_now - decrement the orig node refcounter and | ||
| 786 | * possibly free it (without rcu callback) | ||
| 787 | * @orig_node: the orig node to free | ||
| 788 | */ | ||
| 789 | void batadv_orig_node_free_ref_now(struct batadv_orig_node *orig_node) | ||
| 790 | { | ||
| 791 | if (atomic_dec_and_test(&orig_node->refcount)) | ||
| 792 | batadv_orig_node_free_rcu(&orig_node->rcu); | ||
| 793 | } | ||
| 794 | |||
| 795 | void batadv_originator_free(struct batadv_priv *bat_priv) | 784 | void batadv_originator_free(struct batadv_priv *bat_priv) |
| 796 | { | 785 | { |
| 797 | struct batadv_hashtable *hash = bat_priv->orig_hash; | 786 | struct batadv_hashtable *hash = bat_priv->orig_hash; |
diff --git a/net/batman-adv/originator.h b/net/batman-adv/originator.h index 29557753d552..cf0730414ed2 100644 --- a/net/batman-adv/originator.h +++ b/net/batman-adv/originator.h | |||
| @@ -38,7 +38,6 @@ int batadv_originator_init(struct batadv_priv *bat_priv); | |||
| 38 | void batadv_originator_free(struct batadv_priv *bat_priv); | 38 | void batadv_originator_free(struct batadv_priv *bat_priv); |
| 39 | void batadv_purge_orig_ref(struct batadv_priv *bat_priv); | 39 | void batadv_purge_orig_ref(struct batadv_priv *bat_priv); |
| 40 | void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node); | 40 | void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node); |
| 41 | void batadv_orig_node_free_ref_now(struct batadv_orig_node *orig_node); | ||
| 42 | struct batadv_orig_node *batadv_orig_node_new(struct batadv_priv *bat_priv, | 41 | struct batadv_orig_node *batadv_orig_node_new(struct batadv_priv *bat_priv, |
| 43 | const u8 *addr); | 42 | const u8 *addr); |
| 44 | struct batadv_hardif_neigh_node * | 43 | struct batadv_hardif_neigh_node * |
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index a22080c53401..cdfc85fa2743 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c | |||
| @@ -240,20 +240,6 @@ int batadv_tt_global_hash_count(struct batadv_priv *bat_priv, | |||
| 240 | return count; | 240 | return count; |
| 241 | } | 241 | } |
| 242 | 242 | ||
| 243 | static void batadv_tt_orig_list_entry_free_rcu(struct rcu_head *rcu) | ||
| 244 | { | ||
| 245 | struct batadv_tt_orig_list_entry *orig_entry; | ||
| 246 | |||
| 247 | orig_entry = container_of(rcu, struct batadv_tt_orig_list_entry, rcu); | ||
| 248 | |||
| 249 | /* We are in an rcu callback here, therefore we cannot use | ||
| 250 | * batadv_orig_node_free_ref() and its call_rcu(): | ||
| 251 | * An rcu_barrier() wouldn't wait for that to finish | ||
| 252 | */ | ||
| 253 | batadv_orig_node_free_ref_now(orig_entry->orig_node); | ||
| 254 | kfree(orig_entry); | ||
| 255 | } | ||
| 256 | |||
| 257 | /** | 243 | /** |
| 258 | * batadv_tt_local_size_mod - change the size by v of the local table identified | 244 | * batadv_tt_local_size_mod - change the size by v of the local table identified |
| 259 | * by vid | 245 | * by vid |
| @@ -349,13 +335,25 @@ static void batadv_tt_global_size_dec(struct batadv_orig_node *orig_node, | |||
| 349 | batadv_tt_global_size_mod(orig_node, vid, -1); | 335 | batadv_tt_global_size_mod(orig_node, vid, -1); |
| 350 | } | 336 | } |
| 351 | 337 | ||
| 338 | /** | ||
| 339 | * batadv_tt_orig_list_entry_release - release tt orig entry from lists and | ||
| 340 | * queue for free after rcu grace period | ||
| 341 | * @orig_entry: tt orig entry to be free'd | ||
| 342 | */ | ||
| 343 | static void | ||
| 344 | batadv_tt_orig_list_entry_release(struct batadv_tt_orig_list_entry *orig_entry) | ||
| 345 | { | ||
| 346 | batadv_orig_node_free_ref(orig_entry->orig_node); | ||
| 347 | kfree_rcu(orig_entry, rcu); | ||
| 348 | } | ||
| 349 | |||
| 352 | static void | 350 | static void |
| 353 | batadv_tt_orig_list_entry_free_ref(struct batadv_tt_orig_list_entry *orig_entry) | 351 | batadv_tt_orig_list_entry_free_ref(struct batadv_tt_orig_list_entry *orig_entry) |
| 354 | { | 352 | { |
| 355 | if (!atomic_dec_and_test(&orig_entry->refcount)) | 353 | if (!atomic_dec_and_test(&orig_entry->refcount)) |
| 356 | return; | 354 | return; |
| 357 | 355 | ||
| 358 | call_rcu(&orig_entry->rcu, batadv_tt_orig_list_entry_free_rcu); | 356 | batadv_tt_orig_list_entry_release(orig_entry); |
| 359 | } | 357 | } |
| 360 | 358 | ||
| 361 | /** | 359 | /** |