[NET]: Fix module reference counts for loadable protocol modules

I have been experimenting with loadable protocol modules, and ran into several issues with module reference counting. The first issue was that __module_get failed at the BUG_ON check at the top of the routine (checking that my module reference count was not zero) when I created the first socket. When sk_alloc() is called, my module reference count was still 0. When I looked at why sctp didn't have this problem, I discovered that sctp creates a control socket during module init (when the module ref count is not 0), which keeps the reference count non-zero. This section has been updated to address the point Stephen raised about checking the return value of try_module_get(). The next problem arose when my socket init routine returned an error. This resulted in my module reference count being decremented below 0. My socket ops->release routine was also being called. The issue here is that sock_release() calls the ops->release routine and decrements the ref count if sock->ops is not NULL. Since the socket probably didn't get correctly initialized, this should not be done, so we will set sock->ops to NULL because we will not call try_module_get(). While searching for another bug, I also noticed that sys_accept() has a possibility of doing a module_put() when it did not do an __module_get so I re-ordered the call to security_socket_accept(). Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Frank Filz <ffilzlnx@us.ibm.com> 2005-09-27 18:23:38 -0400
committer: David S. Miller <davem@davemloft.net> 2005-09-27 18:23:38 -0400
commit: a79af59efd20990473d579b1d8d70bb120f0920c (patch)
tree: 763cc7f083cf922e30537c89d92765415ada78e4
parent: 9356b8fc07dc126cd91d2b12f314d760ab48996e (diff)
2 files changed, 20 insertions, 13 deletions
diff --git a/net/core/sock.c b/net/core/sock.c
index ac63b56e23b2..928d2a1d6d8e 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -660,16 +660,20 @@ struct sock *sk_alloc(int family, unsigned int __nocast priority,
                        sock_lock_init(sk);
                }
                
-                if (security_sk_alloc(sk, family, priority)) {
+                if (security_sk_alloc(sk, family, priority))
-                        if (slab != NULL)
+                        goto out_free;
-                                kmem_cache_free(slab, sk);
-                        else
+                if (!try_module_get(prot->owner))
-                                kfree(sk);
+                        goto out_free;
-                        sk = NULL;
-                } else
-                        __module_get(prot->owner);
        }
        return sk;
+out_free:
+        if (slab != NULL)
+                kmem_cache_free(slab, sk);
+        else
+                kfree(sk);
+        return NULL;
 }
 void sk_free(struct sock *sk)
diff --git a/net/socket.c b/net/socket.c
index dbd1a6851edd..3145103cdf54 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1145,8 +1145,11 @@ static int __sock_create(int family, int type, int protocol, struct socket **res
        if (!try_module_get(net_families[family]->owner))
                goto out_release;
-        if ((err = net_families[family]->create(sock, protocol)) < 0)
+        if ((err = net_families[family]->create(sock, protocol)) < 0) {
+                sock->ops = NULL;
                goto out_module_put;
+        }
        /*
         * Now to bump the refcnt of the [loadable] module that owns this
         * socket at sock_release time we decrement its refcnt.
@@ -1360,16 +1363,16 @@ asmlinkage long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr, int _
        newsock->type = sock->type;
        newsock->ops = sock->ops;
-        err = security_socket_accept(sock, newsock);
-        if (err)
-                goto out_release;
        /*
         * We don't need try_module_get here, as the listening socket (sock)
         * has the protocol module (sock->ops->owner) held.
         */
        __module_get(newsock->ops->owner);
+        err = security_socket_accept(sock, newsock);
+        if (err)
+                goto out_release;
        err = sock->ops->accept(sock, newsock, sock->file->f_flags);
        if (err < 0)
                goto out_release;
author	Frank Filz <ffilzlnx@us.ibm.com>	2005-09-27 18:23:38 -0400
committer	David S. Miller <davem@davemloft.net>	2005-09-27 18:23:38 -0400
commit	a79af59efd20990473d579b1d8d70bb120f0920c (patch)
tree	763cc7f083cf922e30537c89d92765415ada78e4
parent	9356b8fc07dc126cd91d2b12f314d760ab48996e (diff)

diff --git a/net/core/sock.c b/net/core/sock.c index ac63b56e23b2..928d2a1d6d8e 100644 --- a/net/core/sock.c +++ b/net/core/sock.c
@@ -660,16 +660,20 @@ struct sock *sk_alloc(int family, unsigned int __nocast priority,
660	sock_lock_init(sk);	660	sock_lock_init(sk);
661	}	661	}
662		662
663	if (security_sk_alloc(sk, family, priority)) {	663	if (security_sk_alloc(sk, family, priority))
664	if (slab != NULL)	664	goto out_free;
665	kmem_cache_free(slab, sk);	665
666	else	666	if (!try_module_get(prot->owner))
667	kfree(sk);	667	goto out_free;
668	sk = NULL;
669	} else
670	__module_get(prot->owner);
671	}	668	}
672	return sk;	669	return sk;
		670
		671	out_free:
		672	if (slab != NULL)
		673	kmem_cache_free(slab, sk);
		674	else
		675	kfree(sk);
		676	return NULL;
673	}	677	}
674		678
675	void sk_free(struct sock *sk)	679	void sk_free(struct sock *sk)


diff --git a/net/socket.c b/net/socket.c index dbd1a6851edd..3145103cdf54 100644 --- a/net/socket.c +++ b/net/socket.c
@@ -1145,8 +1145,11 @@ static int __sock_create(int family, int type, int protocol, struct socket **res
1145	if (!try_module_get(net_families[family]->owner))	1145	if (!try_module_get(net_families[family]->owner))
1146	goto out_release;	1146	goto out_release;
1147		1147
1148	if ((err = net_families[family]->create(sock, protocol)) < 0)	1148	if ((err = net_families[family]->create(sock, protocol)) < 0) {
		1149	sock->ops = NULL;
1149	goto out_module_put;	1150	goto out_module_put;
		1151	}
		1152
1150	/*	1153	/*
1151	* Now to bump the refcnt of the [loadable] module that owns this	1154	* Now to bump the refcnt of the [loadable] module that owns this
1152	* socket at sock_release time we decrement its refcnt.	1155	* socket at sock_release time we decrement its refcnt.
@@ -1360,16 +1363,16 @@ asmlinkage long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr, int _
1360	newsock->type = sock->type;	1363	newsock->type = sock->type;
1361	newsock->ops = sock->ops;	1364	newsock->ops = sock->ops;
1362		1365
1363	err = security_socket_accept(sock, newsock);
1364	if (err)
1365	goto out_release;
1366
1367	/*	1366	/*
1368	* We don't need try_module_get here, as the listening socket (sock)	1367	* We don't need try_module_get here, as the listening socket (sock)
1369	* has the protocol module (sock->ops->owner) held.	1368	* has the protocol module (sock->ops->owner) held.
1370	*/	1369	*/
1371	__module_get(newsock->ops->owner);	1370	__module_get(newsock->ops->owner);
1372		1371
		1372	err = security_socket_accept(sock, newsock);
		1373	if (err)
		1374	goto out_release;
		1375
1373	err = sock->ops->accept(sock, newsock, sock->file->f_flags);	1376	err = sock->ops->accept(sock, newsock, sock->file->f_flags);
1374	if (err < 0)	1377	if (err < 0)
1375	goto out_release;	1378	goto out_release;