diff options
| author | Ying Xue <ying.xue@windriver.com> | 2015-03-26 06:10:24 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-03-29 15:40:28 -0400 |
| commit | 8a0f6ebe8494c5c6ccfe12264385b64c280e3241 (patch) | |
| tree | 2f106a95ffda73b8e8f1596cc95152398cd5379b /net/tipc/bcast.c | |
| parent | b952b2befb6f6b009e91f087285b9a0a6beb1cc8 (diff) | |
tipc: involve reference counter for node structure
TIPC node hash node table is protected with rcu lock on read side.
tipc_node_find() is used to look for a node object with node address
through iterating the hash node table. As the entire process of what
tipc_node_find() traverses the table is guarded with rcu read lock,
it's safe for us. However, when callers use the node object returned
by tipc_node_find(), there is no rcu read lock applied. Therefore,
this is absolutely unsafe for callers of tipc_node_find().
Now we introduce a reference counter for node structure. Before
tipc_node_find() returns node object to its caller, it first increases
the reference counter. Accordingly, after its caller used it up,
it decreases the counter again. This can prevent a node being used by
one thread from being freed by another thread.
Reviewed-by: Erik Hugne <erik.hugne@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericson.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc/bcast.c')
| -rw-r--r-- | net/tipc/bcast.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c index 4289dd62f589..ae558dd7f8ee 100644 --- a/net/tipc/bcast.c +++ b/net/tipc/bcast.c | |||
| @@ -329,13 +329,12 @@ static void bclink_peek_nack(struct net *net, struct tipc_msg *msg) | |||
| 329 | return; | 329 | return; |
| 330 | 330 | ||
| 331 | tipc_node_lock(n_ptr); | 331 | tipc_node_lock(n_ptr); |
| 332 | |||
| 333 | if (n_ptr->bclink.recv_permitted && | 332 | if (n_ptr->bclink.recv_permitted && |
| 334 | (n_ptr->bclink.last_in != n_ptr->bclink.last_sent) && | 333 | (n_ptr->bclink.last_in != n_ptr->bclink.last_sent) && |
| 335 | (n_ptr->bclink.last_in == msg_bcgap_after(msg))) | 334 | (n_ptr->bclink.last_in == msg_bcgap_after(msg))) |
| 336 | n_ptr->bclink.oos_state = 2; | 335 | n_ptr->bclink.oos_state = 2; |
| 337 | |||
| 338 | tipc_node_unlock(n_ptr); | 336 | tipc_node_unlock(n_ptr); |
| 337 | tipc_node_put(n_ptr); | ||
| 339 | } | 338 | } |
| 340 | 339 | ||
| 341 | /* tipc_bclink_xmit - deliver buffer chain to all nodes in cluster | 340 | /* tipc_bclink_xmit - deliver buffer chain to all nodes in cluster |
| @@ -466,6 +465,7 @@ void tipc_bclink_rcv(struct net *net, struct sk_buff *buf) | |||
| 466 | tipc_node_unlock(node); | 465 | tipc_node_unlock(node); |
| 467 | bclink_peek_nack(net, msg); | 466 | bclink_peek_nack(net, msg); |
| 468 | } | 467 | } |
| 468 | tipc_node_put(node); | ||
| 469 | goto exit; | 469 | goto exit; |
| 470 | } | 470 | } |
| 471 | 471 | ||
| @@ -570,6 +570,7 @@ receive: | |||
| 570 | 570 | ||
| 571 | unlock: | 571 | unlock: |
| 572 | tipc_node_unlock(node); | 572 | tipc_node_unlock(node); |
| 573 | tipc_node_put(node); | ||
| 573 | exit: | 574 | exit: |
| 574 | kfree_skb(buf); | 575 | kfree_skb(buf); |
| 575 | } | 576 | } |