From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	alan@lxorguk.ukuu.org.uk, "Jonathan Kliegman" <kliegs@google.com>,
	"Eric Dumazet" <edumazet@google.com>,
	"Stéphane Marchesin" <marcheu@google.com>,
	"Sam Leffler" <sleffler@google.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [ 45/66] netlink: use kfree_rcu() in netlink_release()
Date: Wed, 14 Nov 2012 20:10:50 -0800
Message-ID: <20121115040942.374568094@linuxfoundation.org>
In-Reply-To: <20121115040939.016421011@linuxfoundation.org>

3.6-stable review patch.  If anyone has any objections, please let me know.

------------------


From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 6d772ac5578f711d1ce7b03535d1c95bffb21dff ]

On some suspend/resume operations involving wimax device, we have
noticed some intermittent memory corruptions in netlink code.

Stéphane Marchesin tracked this corruption in netlink_update_listeners()
and suggested a patch.

It appears netlink_release() should use kfree_rcu() instead of kfree()
for the listeners structure as it may be used by other cpus using RCU
protection.

netlink_release() must set to NULL the listeners pointer when
it is about to be freed.

Also have to protect netlink_update_listeners() and
netlink_has_listeners() if listeners is NULL.

Add a nl_deref_protected() lockdep helper to properly document which
locks protect us.

Reported-by: Jonathan Kliegman <kliegs@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stéphane Marchesin <marcheu@google.com>
Cc: Sam Leffler <sleffler@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netlink/af_netlink.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -138,6 +138,8 @@ static int netlink_dump(struct sock *sk)
 static DEFINE_RWLOCK(nl_table_lock);
 static atomic_t nl_table_users = ATOMIC_INIT(0);
 
+#define nl_deref_protected(X) rcu_dereference_protected(X, lockdep_is_held(&nl_table_lock));
+
 static ATOMIC_NOTIFIER_HEAD(netlink_chain);
 
 static inline u32 netlink_group_mask(u32 group)
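Review bot: the new nl_deref_protected() macro ends with a stray semicolon after the rcu_dereference_protected(...) call. Every use in this patch is a plain statement (`old = nl_deref_protected(...);`), so it only expands to a double semicolon and compiles, but the first use inside an expression or an `if (...)` condition will break. Drop the trailing `;` from the `#define`.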
@@ -345,6 +347,11 @@ netlink_update_listeners(struct sock *sk
 	struct hlist_node *node;
 	unsigned long mask;
 	unsigned int i;
+	struct listeners *listeners;
+
+	listeners = nl_deref_protected(tbl->listeners);
+	if (!listeners)
+		return;
 
 	for (i = 0; i < NLGRPLONGS(tbl->groups); i++) {
 		mask = 0;
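Review bot: the early `return` on a NULL listeners pointer is correct only because NULL now means netlink_release() has already torn the table down and there are no masks left to maintain; a one-line comment at `if (!listeners)` saying so would help, since before this patch the same situation dereferenced NULL under the table lock. The snapshot taken through nl_deref_protected() also gives lockdep a way to flag callers that reach this function without nl_table_lock held.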
@@ -352,7 +359,7 @@ netlink_update_listeners(struct sock *sk
 			if (i < NLGRPLONGS(nlk_sk(sk)->ngroups))
 				mask |= nlk_sk(sk)->groups[i];
 		}
-		tbl->listeners->masks[i] = mask;
+		listeners->masks[i] = mask;
 	}
 	/* this function is only called with the netlink table "grabbed", which
 	 * makes sure updates are visible before bind or setsockopt return. */
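Review bot: the loop still bounds itself with NLGRPLONGS(tbl->groups) while it writes into the `listeners` snapshot taken above; that is consistent only because both tbl->groups and tbl->listeners are replaced together under the same write-side lock, which is exactly what the nl_deref_protected() annotation documents. The existing comment about the table being "grabbed" could mention nl_table_lock by name so the lockdep expression and the comment say the same thing.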
@@ -536,7 +543,11 @@ static int netlink_release(struct socket
 	if (netlink_is_kernel(sk)) {
 		BUG_ON(nl_table[sk->sk_protocol].registered == 0);
 		if (--nl_table[sk->sk_protocol].registered == 0) {
-			kfree(nl_table[sk->sk_protocol].listeners);
+			struct listeners *old;
+
+			old = nl_deref_protected(nl_table[sk->sk_protocol].listeners);
+			RCU_INIT_POINTER(nl_table[sk->sk_protocol].listeners, NULL);
+			kfree_rcu(old, rcu);
 			nl_table[sk->sk_protocol].module = NULL;
 			nl_table[sk->sk_protocol].registered = 0;
 		}
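Review bot: the ordering here is what makes the fix safe: the pointer is cleared with RCU_INIT_POINTER() before kfree_rcu() is queued, so a reader that already dereferenced the old block under rcu_read_lock() keeps a valid object until the grace period ends, and a later reader observes NULL (hence the new NULL checks in netlink_update_listeners() and netlink_has_listeners()). RCU_INIT_POINTER() instead of rcu_assign_pointer() is fine when storing NULL, as no publication barrier is needed. kfree_rcu(old, rcu) does require struct listeners to carry a `struct rcu_head rcu` member; that is not visible in this diff and should be confirmed.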
@@ -978,7 +989,7 @@ int netlink_has_listeners(struct sock *s
 	rcu_read_lock();
 	listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners);
 
-	if (group - 1 < nl_table[sk->sk_protocol].groups)
+	if (listeners && group - 1 < nl_table[sk->sk_protocol].groups)
 		res = test_bit(group - 1, listeners->masks);
 
 	rcu_read_unlock();
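Review bot: with `listeners &&` in the condition, `res` is returned untouched when the table has been torn down, so its initializer (not shown in this hunk) must be 0 for a "no listeners" answer rather than an uninitialized local; worth confirming. The rcu_read_lock()/rcu_dereference() pair on this lockless path is what the RCU_INIT_POINTER() plus kfree_rcu() in netlink_release() is paired against, so this is the reader side of the use-after-free fix.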
@@ -1620,7 +1631,7 @@ int __netlink_change_ngroups(struct sock
 		new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC);
 		if (!new)
 			return -ENOMEM;
-		old = rcu_dereference_protected(tbl->listeners, 1);
+		old = nl_deref_protected(tbl->listeners);
 		memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups));
 		rcu_assign_pointer(tbl->listeners, new);
 
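Review bot: replacing rcu_dereference_protected(tbl->listeners, 1) with nl_deref_protected() turns an unconditional "trust me" into a lockdep_is_held(&nl_table_lock) assertion, so every caller of __netlink_change_ngroups() must now really hold nl_table_lock or CONFIG_PROVE_RCU will complain; confirm the callers take the table lock. Also, since netlink_release() can now leave tbl->listeners NULL, the unconditional `memcpy(new->masks, old->masks, ...)` would oops if this path were reachable for a torn-down table; either confirm the caller side guarantees a non-NULL listeners here or add an `if (old)` guard around the memcpy.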



