diff options
| author | Taehee Yoo <ap420073@gmail.com> | 2019-10-21 14:47:55 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-10-24 17:53:48 -0400 |
| commit | 2bce1ebed17da54c65042ec2b962e3234bad5b47 (patch) | |
| tree | c72c76fcb1da9f1cc6e9af99599083cee38af725 | |
| parent | 369f61bee0f584aee09f0736431eb9b330c98571 (diff) | |
macsec: fix refcnt leak in module exit routine
When a macsec interface is created, it increases a refcnt to a lower
device(real device). when macsec interface is deleted, the refcnt is
decreased in macsec_free_netdev(), which is ->priv_destructor() of
macsec interface.
The problem scenario is this.
When nested macsec interfaces are exiting, the exit routine of the
macsec module makes refcnt leaks.
Test commands:
ip link add dummy0 type dummy
ip link add macsec0 link dummy0 type macsec
ip link add macsec1 link macsec0 type macsec
modprobe -rv macsec
[ 208.629433] unregister_netdevice: waiting for macsec0 to become free. Usage count = 1
Steps of exit routine of macsec module are below.
1. Calls ->dellink() in __rtnl_link_unregister().
2. Checks refcnt and wait refcnt to be 0 if refcnt is not 0 in
netdev_run_todo().
3. Calls ->priv_destruvtor() in netdev_run_todo().
Step2 checks refcnt, but step3 decreases refcnt.
So, step2 waits forever.
This patch makes the macsec module do not hold a refcnt of the lower
device because it already holds a refcnt of the lower device with
netdev_upper_dev_link().
Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | drivers/net/macsec.c | 4 |
1 files changed, 0 insertions, 4 deletions
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index e2a3d1d5795f..9e97b66b26d3 100644 --- a/drivers/net/macsec.c +++ b/drivers/net/macsec.c | |||
| @@ -3000,12 +3000,10 @@ static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = { | |||
| 3000 | static void macsec_free_netdev(struct net_device *dev) | 3000 | static void macsec_free_netdev(struct net_device *dev) |
| 3001 | { | 3001 | { |
| 3002 | struct macsec_dev *macsec = macsec_priv(dev); | 3002 | struct macsec_dev *macsec = macsec_priv(dev); |
| 3003 | struct net_device *real_dev = macsec->real_dev; | ||
| 3004 | 3003 | ||
| 3005 | free_percpu(macsec->stats); | 3004 | free_percpu(macsec->stats); |
| 3006 | free_percpu(macsec->secy.tx_sc.stats); | 3005 | free_percpu(macsec->secy.tx_sc.stats); |
| 3007 | 3006 | ||
| 3008 | dev_put(real_dev); | ||
| 3009 | } | 3007 | } |
| 3010 | 3008 | ||
| 3011 | static void macsec_setup(struct net_device *dev) | 3009 | static void macsec_setup(struct net_device *dev) |
| @@ -3260,8 +3258,6 @@ static int macsec_newlink(struct net *net, struct net_device *dev, | |||
| 3260 | if (err < 0) | 3258 | if (err < 0) |
| 3261 | return err; | 3259 | return err; |
| 3262 | 3260 | ||
| 3263 | dev_hold(real_dev); | ||
| 3264 | |||
| 3265 | macsec->nest_level = dev_get_nest_level(real_dev) + 1; | 3261 | macsec->nest_level = dev_get_nest_level(real_dev) + 1; |
| 3266 | 3262 | ||
| 3267 | err = netdev_upper_dev_link(real_dev, dev, extack); | 3263 | err = netdev_upper_dev_link(real_dev, dev, extack); |