diff options
author | Frank Filz <ffilzlnx@us.ibm.com> | 2005-09-27 18:23:38 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-09-27 18:23:38 -0400 |
commit | a79af59efd20990473d579b1d8d70bb120f0920c (patch) | |
tree | 763cc7f083cf922e30537c89d92765415ada78e4 | |
parent | 9356b8fc07dc126cd91d2b12f314d760ab48996e (diff) |
[NET]: Fix module reference counts for loadable protocol modules
I have been experimenting with loadable protocol modules, and ran into
several issues with module reference counting.
The first issue was that __module_get failed at the BUG_ON check at
the top of the routine (checking that my module reference count was
not zero) when I created the first socket. When sk_alloc() is called,
my module reference count was still 0. When I looked at why sctp
didn't have this problem, I discovered that sctp creates a control
socket during module init (when the module ref count is not 0), which
keeps the reference count non-zero. This section has been updated to
address the point Stephen raised about checking the return value of
try_module_get().
The next problem arose when my socket init routine returned an error.
This resulted in my module reference count being decremented below 0.
My socket ops->release routine was also being called. The issue here
is that sock_release() calls the ops->release routine and decrements
the ref count if sock->ops is not NULL. Since the socket probably
didn't get correctly initialized, this should not be done, so we will
set sock->ops to NULL because we will not call try_module_get().
While searching for another bug, I also noticed that sys_accept() has
a possibility of doing a module_put() when it did not do an
__module_get so I re-ordered the call to security_socket_accept().
Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/core/sock.c | 20 | ||||
-rw-r--r-- | net/socket.c | 13 |
2 files changed, 20 insertions, 13 deletions
diff --git a/net/core/sock.c b/net/core/sock.c index ac63b56e23b2..928d2a1d6d8e 100644 --- a/net/core/sock.c +++ b/net/core/sock.c | |||
@@ -660,16 +660,20 @@ struct sock *sk_alloc(int family, unsigned int __nocast priority, | |||
660 | sock_lock_init(sk); | 660 | sock_lock_init(sk); |
661 | } | 661 | } |
662 | 662 | ||
663 | if (security_sk_alloc(sk, family, priority)) { | 663 | if (security_sk_alloc(sk, family, priority)) |
664 | if (slab != NULL) | 664 | goto out_free; |
665 | kmem_cache_free(slab, sk); | 665 | |
666 | else | 666 | if (!try_module_get(prot->owner)) |
667 | kfree(sk); | 667 | goto out_free; |
668 | sk = NULL; | ||
669 | } else | ||
670 | __module_get(prot->owner); | ||
671 | } | 668 | } |
672 | return sk; | 669 | return sk; |
670 | |||
671 | out_free: | ||
672 | if (slab != NULL) | ||
673 | kmem_cache_free(slab, sk); | ||
674 | else | ||
675 | kfree(sk); | ||
676 | return NULL; | ||
673 | } | 677 | } |
674 | 678 | ||
675 | void sk_free(struct sock *sk) | 679 | void sk_free(struct sock *sk) |
diff --git a/net/socket.c b/net/socket.c index dbd1a6851edd..3145103cdf54 100644 --- a/net/socket.c +++ b/net/socket.c | |||
@@ -1145,8 +1145,11 @@ static int __sock_create(int family, int type, int protocol, struct socket **res | |||
1145 | if (!try_module_get(net_families[family]->owner)) | 1145 | if (!try_module_get(net_families[family]->owner)) |
1146 | goto out_release; | 1146 | goto out_release; |
1147 | 1147 | ||
1148 | if ((err = net_families[family]->create(sock, protocol)) < 0) | 1148 | if ((err = net_families[family]->create(sock, protocol)) < 0) { |
1149 | sock->ops = NULL; | ||
1149 | goto out_module_put; | 1150 | goto out_module_put; |
1151 | } | ||
1152 | |||
1150 | /* | 1153 | /* |
1151 | * Now to bump the refcnt of the [loadable] module that owns this | 1154 | * Now to bump the refcnt of the [loadable] module that owns this |
1152 | * socket at sock_release time we decrement its refcnt. | 1155 | * socket at sock_release time we decrement its refcnt. |
@@ -1360,16 +1363,16 @@ asmlinkage long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr, int _ | |||
1360 | newsock->type = sock->type; | 1363 | newsock->type = sock->type; |
1361 | newsock->ops = sock->ops; | 1364 | newsock->ops = sock->ops; |
1362 | 1365 | ||
1363 | err = security_socket_accept(sock, newsock); | ||
1364 | if (err) | ||
1365 | goto out_release; | ||
1366 | |||
1367 | /* | 1366 | /* |
1368 | * We don't need try_module_get here, as the listening socket (sock) | 1367 | * We don't need try_module_get here, as the listening socket (sock) |
1369 | * has the protocol module (sock->ops->owner) held. | 1368 | * has the protocol module (sock->ops->owner) held. |
1370 | */ | 1369 | */ |
1371 | __module_get(newsock->ops->owner); | 1370 | __module_get(newsock->ops->owner); |
1372 | 1371 | ||
1372 | err = security_socket_accept(sock, newsock); | ||
1373 | if (err) | ||
1374 | goto out_release; | ||
1375 | |||
1373 | err = sock->ops->accept(sock, newsock, sock->file->f_flags); | 1376 | err = sock->ops->accept(sock, newsock, sock->file->f_flags); |
1374 | if (err < 0) | 1377 | if (err < 0) |
1375 | goto out_release; | 1378 | goto out_release; |