From: Adam Nielsen <a.nielsen@shikadi.net>
To: Patrick McHardy <kaber@trash.net>
Cc: Jan Engelhardt <jengelh@medozas.de>,
Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH v3] Add refcounts to LED target
Date: Thu, 08 Apr 2010 13:03:43 +1000 [thread overview]
Message-ID: <4BBD478F.4050208@shikadi.net> (raw)
In-Reply-To: <4BBCAF97.6040806@trash.net>
[-- Attachment #1: Type: text/plain, Size: 840 bytes --]
>> I also noticed one another thing: you don't increase the refcount while
>> xt_led_mutex is held. That means it is theoretically possible that you
>> do a lookup, then a destructor runs and frees the object, leading to
>> ++ledinternal->refcnt dereference an illegal ledinternal.
Thanks both for your comments and explanations. I've attached an updated
patch, I hope this one addresses these issues.
> Indeed, I also noticed this. Basically, you need to make sure that
>
> - the lookup and refcnt increase is atomic,
> - the refcnt decrease and list deletion is atomic
> - the lookup and list insertion is atomic (in case no trigger exists)
I've moved the mutex around so that hopefully all these operations are now atomic.
> The remaining parts look fine to me, thanks.
Great, I hope you're happy with this one!
Cheers,
Adam.
[-- Attachment #2: netfilter-leds-add_refcount_v3.patch --]
[-- Type: text/plain, Size: 3998 bytes --]
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index efcf56d..196bf26 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -31,12 +31,18 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Adam Nielsen <a.nielsen@shikadi.net>");
MODULE_DESCRIPTION("Xtables: trigger LED devices on packet match");
+static LIST_HEAD(xt_led_triggers);
+static DEFINE_MUTEX(xt_led_mutex);
+
/*
* This is declared in here (the kernel module) only, to avoid having these
* dependencies in userspace code. This is what xt_led_info.internal_data
* points to.
*/
struct xt_led_info_internal {
+ struct list_head list;
+ int refcnt;
+ char *trigger_id;
struct led_trigger netfilter_led_trigger;
struct timer_list timer;
};
@@ -53,7 +59,7 @@ led_tg(struct sk_buff *skb, const struct xt_target_param *par)
*/
if ((ledinfo->delay > 0) && ledinfo->always_blink &&
timer_pending(&ledinternal->timer))
- led_trigger_event(&ledinternal->netfilter_led_trigger,LED_OFF);
+ led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
led_trigger_event(&ledinternal->netfilter_led_trigger, LED_FULL);
@@ -74,12 +80,24 @@ led_tg(struct sk_buff *skb, const struct xt_target_param *par)
static void led_timeout_callback(unsigned long data)
{
- struct xt_led_info *ledinfo = (struct xt_led_info *)data;
- struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
+ struct xt_led_info_internal *ledinternal = (struct xt_led_info_internal *)data;
led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
}
+static struct xt_led_info_internal *led_trigger_lookup(const char *name)
+{
+ struct xt_led_info_internal *ledinternal;
+
+ list_for_each_entry(ledinternal, &xt_led_triggers, list) {
+ if (!strcmp(name, ledinternal->netfilter_led_trigger.name)) {
+ mutex_unlock(&xt_led_mutex);
+ return ledinternal;
+ }
+ }
+ return NULL;
+}
+
static int led_tg_check(const struct xt_tgchk_param *par)
{
struct xt_led_info *ledinfo = par->targinfo;
@@ -91,11 +109,26 @@ static int led_tg_check(const struct xt_tgchk_param *par)
return -EINVAL;
}
+ mutex_lock(&xt_led_mutex);
+
+ ledinternal = led_trigger_lookup(ledinfo->id);
+ if (ledinternal) {
+ ledinternal->refcnt++;
+ goto out;
+ }
+
+ err = -ENOMEM;
ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
if (!ledinternal)
- return -ENOMEM;
+ goto exit_mutex_only;
+
+ ledinternal->trigger_id = kzalloc(strlen(ledinfo->id) + 1, GFP_KERNEL);
+ if (!ledinternal->trigger_id)
+ goto exit_internal_alloc;
- ledinternal->netfilter_led_trigger.name = ledinfo->id;
+ ledinternal->refcnt = 1;
+ strcpy(ledinternal->trigger_id, ledinfo->id);
+ ledinternal->netfilter_led_trigger.name = ledinternal->trigger_id;
err = led_trigger_register(&ledinternal->netfilter_led_trigger);
if (err) {
@@ -108,13 +141,26 @@ static int led_tg_check(const struct xt_tgchk_param *par)
/* See if we need to set up a timer */
if (ledinfo->delay > 0)
setup_timer(&ledinternal->timer, led_timeout_callback,
- (unsigned long)ledinfo);
+ (unsigned long)ledinternal);
+
+ list_add_tail(&ledinternal->list, &xt_led_triggers);
+
+out:
+ mutex_unlock(&xt_led_mutex);
ledinfo->internal_data = ledinternal;
+
return 0;
exit_alloc:
+ kfree(ledinternal->trigger_id);
+
+exit_internal_alloc:
kfree(ledinternal);
+
+exit_mutex_only:
+ mutex_unlock(&xt_led_mutex);
+
return err;
}
@@ -123,10 +169,23 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par)
const struct xt_led_info *ledinfo = par->targinfo;
struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
+ mutex_lock(&xt_led_mutex);
+
+ if (--ledinternal->refcnt) {
+ mutex_unlock(&xt_led_mutex);
+ return;
+ }
+
+ list_del(&ledinternal->list);
+
if (ledinfo->delay > 0)
del_timer_sync(&ledinternal->timer);
led_trigger_unregister(&ledinternal->netfilter_led_trigger);
+
+ mutex_unlock(&xt_led_mutex);
+
+ kfree(ledinternal->trigger_id);
kfree(ledinternal);
}
next prev parent reply other threads:[~2010-04-08 3:03 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-24 1:46 Avoiding multiple calls to xt_target.checkentry Adam Nielsen
2009-05-24 7:34 ` Jan Engelhardt
2009-05-27 23:07 ` Adam Nielsen
2009-05-28 21:06 ` Jan Engelhardt
2009-06-03 9:25 ` Patrick McHardy
2009-06-03 11:03 ` Adam Nielsen
2009-11-05 15:00 ` Patrick McHardy
2009-11-05 18:40 ` Jan Engelhardt
2009-11-05 18:43 ` Patrick McHardy
2009-11-05 22:04 ` Adam Nielsen
2009-11-06 14:56 ` Patrick McHardy
2009-11-29 1:43 ` [PATCH] Add refcounts to LED target Adam Nielsen
2009-11-29 10:12 ` Jan Engelhardt
2009-11-29 11:33 ` Adam Nielsen
2009-11-29 15:49 ` Jan Engelhardt
2009-12-01 10:05 ` Patrick McHardy
2009-12-06 10:09 ` Adam Nielsen
2009-12-06 13:24 ` Patrick McHardy
2010-03-25 14:01 ` Patrick McHardy
2010-03-25 14:05 ` Jan Engelhardt
2010-03-25 14:08 ` Patrick McHardy
2010-03-27 4:05 ` Adam Nielsen
2010-03-27 11:15 ` Jan Engelhardt
2010-03-27 11:39 ` Adam Nielsen
2010-03-27 11:55 ` Jan Engelhardt
2010-03-28 1:25 ` [PATCH v2] " Adam Nielsen
2010-04-04 11:30 ` Jan Engelhardt
2010-04-07 16:15 ` Patrick McHardy
2010-04-08 3:03 ` Adam Nielsen [this message]
2010-04-08 11:33 ` [PATCH v3] " Patrick McHardy
2010-04-08 12:45 ` Jan Engelhardt
2010-04-08 12:57 ` Patrick McHardy
2010-04-08 23:06 ` [PATCH v4] " Adam Nielsen
2010-04-09 14:52 ` Patrick McHardy
2010-04-08 21:07 ` [PATCH v3] " Florian Westphal
2010-04-08 22:45 ` Adam Nielsen
2010-03-27 18:42 ` [PATCH] " Jan Engelhardt
2010-03-28 1:58 ` Adam Nielsen
2010-04-04 11:59 ` Jan Engelhardt
2010-04-08 3:15 ` input-layer LEDs as LED-class devices (was: Add refcounts to LED target) Adam Nielsen
2010-04-08 8:03 ` Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BBD478F.4050208@shikadi.net \
--to=a.nielsen@shikadi.net \
--cc=jengelh@medozas.de \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.