From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
To: "YOSHIFUJI Hideaki / 吉藤英明" <yoshfuji@linux-ipv6.org>
Cc: davem@davemloft.net, mitch@linux.vnet.ibm.com, netdev@vger.kernel.org
Subject: Re: [PATCH net-2.6.25] [IPV6] ADDRLABEL: Fix double free on label deletion.
Date: Tue, 29 Jan 2008 12:59:13 -0800
Message-ID: <20080129205913.GE10525@linux.vnet.ibm.com>
In-Reply-To: <20080128.210222.07062540.yoshfuji@linux-ipv6.org>

On Mon, Jan 28, 2008 at 09:02:22PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> If an entry is being deleted because it has only one reference,
> we immediately delete it and blindly register the rcu handler for it.
> This results in oops by double freeing that object.
>
> This patch fixes it by consolidating the code paths for the deletion;
> let its rcu handler delete the object if it has no more references.
>
> Bug was found by Mitsuru Chinen <mitch@linux.vnet.ibm.com>

Good catch!!!

Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>

> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
> ---
>
> diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c
> index 6f1ca60..7a706c4 100644
> --- a/net/ipv6/addrlabel.c
> +++ b/net/ipv6/addrlabel.c
> @@ -106,6 +106,11 @@ static inline void ip6addrlbl_free(struct ip6addrlbl_entry *p)
> kfree(p);
> }
>
> +static void ip6addrlbl_free_rcu(struct rcu_head *h)
> +{
> + ip6addrlbl_free(container_of(h, struct ip6addrlbl_entry, rcu));
> +}
> +
> static inline int ip6addrlbl_hold(struct ip6addrlbl_entry *p)
> {
> return atomic_inc_not_zero(&p->refcnt);
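
Review bot: ip6addrlbl_free() remains a directly callable static inline that ends in kfree(p), right next to the new position of ip6addrlbl_free_rcu(), and nothing here says which one a caller may use. A short comment on ip6addrlbl_free() stating that an entry which has ever been visible to RCU readers must be released through ip6addrlbl_put() would keep a later caller from reintroducing an immediate free.
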
> @@ -114,12 +119,7 @@ static inline int ip6addrlbl_hold(struct ip6addrlbl_entry *p)
> static inline void ip6addrlbl_put(struct ip6addrlbl_entry *p)
> {
> if (atomic_dec_and_test(&p->refcnt))
> - ip6addrlbl_free(p);
> -}
> -
> -static void ip6addrlbl_free_rcu(struct rcu_head *h)
> -{
> - ip6addrlbl_free(container_of(h, struct ip6addrlbl_entry, rcu));
> + call_rcu(&p->rcu, ip6addrlbl_free_rcu);
> }
>
> /* Find label */
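
Review bot: ip6addrlbl_put() now owns the call_rcu() on the final reference drop, but that ownership is undocumented, and it is only safe while no caller queues p->rcu itself. Please add a comment above ip6addrlbl_put() saying so, and noting that the rcu_head is queued exactly once because atomic_dec_and_test() reaches zero once and ip6addrlbl_hold() uses atomic_inc_not_zero(), so a reader cannot take a new reference after that point.
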
> @@ -240,7 +240,6 @@ int __ip6addrlbl_add(struct ip6addrlbl_entry *newp, int replace)
> }
> hlist_replace_rcu(&p->list, &newp->list);
> ip6addrlbl_put(p);
> - call_rcu(&p->rcu, ip6addrlbl_free_rcu);
> goto out;
> } else if ((p->prefixlen == newp->prefixlen && !p->ifindex) ||
> (p->prefixlen < newp->prefixlen)) {
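
Review bot: the changelog mentions only the double free, but the call_rcu(&p->rcu, ...) removed from this replace path ran after ip6addrlbl_put(p), which could already have reached kfree(p), so the old code also touched freed memory when it queued the callback. It would be worth saying that in the commit message. With the change applied, p is not referenced after the put on this path (the next statement is goto out), which is the invariant to keep.
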
> @@ -300,7 +299,6 @@ int __ip6addrlbl_del(const struct in6_addr *prefix, int prefixlen,
> ipv6_addr_equal(&p->prefix, prefix)) {
> hlist_del_rcu(&p->list);
> ip6addrlbl_put(p);
> - call_rcu(&p->rcu, ip6addrlbl_free_rcu);
> ret = 0;
> break;
> }
>
> --
> YOSHIFUJI Hideaki @ USAGI Project <yoshfuji@linux-ipv6.org>
> GPG-FP : 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA