tipc: involve reference counter for node structure

TIPC node hash node table is protected with rcu lock on read side. tipc_node_find() is used to look for a node object with node address through iterating the hash node table. As the entire process of what tipc_node_find() traverses the table is guarded with rcu read lock, it's safe for us. However, when callers use the node object returned by tipc_node_find(), there is no rcu read lock applied. Therefore, this is absolutely unsafe for callers of tipc_node_find(). Now we introduce a reference counter for node structure. Before tipc_node_find() returns node object to its caller, it first increases the reference counter. Accordingly, after its caller used it up, it decreases the counter again. This can prevent a node being used by one thread from being freed by another thread. Reviewed-by: Erik Hugne <erik.hugne@ericsson.com> Reviewed-by: Jon Maloy <jon.maloy@ericson.com> Signed-off-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Ying Xue <ying.xue@windriver.com> 2015-03-26 06:10:24 -0400
committer: David S. Miller <davem@davemloft.net> 2015-03-29 15:40:28 -0400
commit: 8a0f6ebe8494c5c6ccfe12264385b64c280e3241 (patch)
tree: 2f106a95ffda73b8e8f1596cc95152398cd5379b /net/tipc/link.c
parent: b952b2befb6f6b009e91f087285b9a0a6beb1cc8 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c
index f5e086c5f724..514466efc25c 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -854,6 +854,7 @@ int tipc_link_xmit(struct net *net, struct sk_buff_head *list, u32 dnode,
                if (link)
                        rc = __tipc_link_xmit(net, link, list);
                tipc_node_unlock(node);
+                tipc_node_put(node);
        }
        if (link)
                return rc;
@@ -1116,8 +1117,8 @@ void tipc_rcv(struct net *net, struct sk_buff *skb, struct tipc_bearer *b_ptr)
                n_ptr = tipc_node_find(net, msg_prevnode(msg));
                if (unlikely(!n_ptr))
                        goto discard;
-                tipc_node_lock(n_ptr);
+                tipc_node_lock(n_ptr);
                /* Locate unicast link endpoint that should handle message */
                l_ptr = n_ptr->links[b_ptr->identity];
                if (unlikely(!l_ptr))
@@ -1205,6 +1206,7 @@ void tipc_rcv(struct net *net, struct sk_buff *skb, struct tipc_bearer *b_ptr)
                skb = NULL;
 unlock:
                tipc_node_unlock(n_ptr);
+                tipc_node_put(n_ptr);
 discard:
                if (unlikely(skb))
                        kfree_skb(skb);
@@ -2236,7 +2238,6 @@ int tipc_nl_link_dump(struct sk_buff *skb, struct netlink_callback *cb)
        msg.seq = cb->nlh->nlmsg_seq;
        rcu_read_lock();
        if (prev_node) {
                node = tipc_node_find(net, prev_node);
                if (!node) {
@@ -2249,6 +2250,7 @@ int tipc_nl_link_dump(struct sk_buff *skb, struct netlink_callback *cb)
                        cb->prev_seq = 1;
                        goto out;
                }
+                tipc_node_put(node);
                list_for_each_entry_continue_rcu(node, &tn->node_list,
                                                 list) {
@@ -2256,6 +2258,7 @@ int tipc_nl_link_dump(struct sk_buff *skb, struct netlink_callback *cb)
                        err = __tipc_nl_add_node_links(net, &msg, node,
                                                       &prev_link);
                        tipc_node_unlock(node);
+                        tipc_node_put(node);
                        if (err)
                                goto out;
author	Ying Xue <ying.xue@windriver.com>	2015-03-26 06:10:24 -0400
committer	David S. Miller <davem@davemloft.net>	2015-03-29 15:40:28 -0400
commit	8a0f6ebe8494c5c6ccfe12264385b64c280e3241 (patch)
tree	2f106a95ffda73b8e8f1596cc95152398cd5379b /net/tipc/link.c
parent	b952b2befb6f6b009e91f087285b9a0a6beb1cc8 (diff)