diff options
author | Allan Stephens <allan.stephens@windriver.com> | 2008-05-12 18:42:28 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-05-12 18:42:28 -0400 |
commit | 7ef43ebaa538e0cc9063cbf84593a05091bcace2 (patch) | |
tree | d2bac748f6620cc2f217672105918b2116f6c958 /net/tipc/ref.c | |
parent | 4e3e6dcb43c3669a8817cb3d0f920f91661afd98 (diff) |
tipc: Fix race condition when creating socket or native port
This patch eliminates the (very remote) chance of a crash resulting
from a partially initialized socket or native port unexpectedly
receiving a message. Now, during the creation of a socket or native
port, the underlying generic port's lock is not released until all
initialization required to handle incoming messages has been done.
Signed-off-by: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc/ref.c')
-rw-r--r-- | net/tipc/ref.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/net/tipc/ref.c b/net/tipc/ref.c index 89cbab24d08f..a101de86824d 100644 --- a/net/tipc/ref.c +++ b/net/tipc/ref.c | |||
@@ -142,9 +142,13 @@ void tipc_ref_table_stop(void) | |||
142 | /** | 142 | /** |
143 | * tipc_ref_acquire - create reference to an object | 143 | * tipc_ref_acquire - create reference to an object |
144 | * | 144 | * |
145 | * Return a unique reference value which can be translated back to the pointer | 145 | * Register an object pointer in reference table and lock the object. |
146 | * 'object' at a later time. Also, pass back a pointer to the lock protecting | 146 | * Returns a unique reference value that is used from then on to retrieve the |
147 | * the object, but without locking it. | 147 | * object pointer, or to determine that the object has been deregistered. |
148 | * | ||
149 | * Note: The object is returned in the locked state so that the caller can | ||
150 | * register a partially initialized object, without running the risk that | ||
151 | * the object will be accessed before initialization is complete. | ||
148 | */ | 152 | */ |
149 | 153 | ||
150 | u32 tipc_ref_acquire(void *object, spinlock_t **lock) | 154 | u32 tipc_ref_acquire(void *object, spinlock_t **lock) |
@@ -178,13 +182,13 @@ u32 tipc_ref_acquire(void *object, spinlock_t **lock) | |||
178 | ref = (next_plus_upper & ~index_mask) + index; | 182 | ref = (next_plus_upper & ~index_mask) + index; |
179 | entry->ref = ref; | 183 | entry->ref = ref; |
180 | entry->object = object; | 184 | entry->object = object; |
181 | spin_unlock_bh(&entry->lock); | ||
182 | *lock = &entry->lock; | 185 | *lock = &entry->lock; |
183 | } | 186 | } |
184 | else if (tipc_ref_table.init_point < tipc_ref_table.capacity) { | 187 | else if (tipc_ref_table.init_point < tipc_ref_table.capacity) { |
185 | index = tipc_ref_table.init_point++; | 188 | index = tipc_ref_table.init_point++; |
186 | entry = &(tipc_ref_table.entries[index]); | 189 | entry = &(tipc_ref_table.entries[index]); |
187 | spin_lock_init(&entry->lock); | 190 | spin_lock_init(&entry->lock); |
191 | spin_lock_bh(&entry->lock); | ||
188 | ref = tipc_ref_table.start_mask + index; | 192 | ref = tipc_ref_table.start_mask + index; |
189 | entry->ref = ref; | 193 | entry->ref = ref; |
190 | entry->object = object; | 194 | entry->object = object; |