From: Simon Horman <simon.horman@corigine.com>
To: Vignesh Viswanathan <quic_viswanat@quicinc.com>
Cc: mani@kernel.org, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com,
	linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, quic_srichara@quicinc.com,
	quic_clew@quicinc.com
Subject: Re: [PATCH net-next 1/3] net: qrtr: ns: Change servers radix tree to xarray
Date: Thu, 13 Jul 2023 15:54:01 +0100
Message-ID: <ZLAQCTcRd2uoHE9i@corigine.com>
In-Reply-To: <20230712112631.3461793-2-quic_viswanat@quicinc.com>

On Wed, Jul 12, 2023 at 04:56:29PM +0530, Vignesh Viswanathan wrote:
> There is a use after free scenario while iterating through the servers
> radix tree despite the ns being a single threaded process. This can
> happen when the radix tree APIs are not synchronized with the
> rcu_read_lock() APIs.
> 
> Convert the radix tree for servers to xarray to take advantage of the
> built in rcu lock usage provided by xarray.
> 
> Signed-off-by: Chris Lew <quic_clew@quicinc.com>
> Signed-off-by: Vignesh Viswanathan <quic_viswanat@quicinc.com>

Reviewed-by: Simon Horman <simon.horman@corigine.com>

A few very minor nits below.

...

> @@ -256,14 +240,17 @@ static struct qrtr_server *server_add(unsigned int service,
>  		goto err;
>  
>  	/* Delete the old server on the same port */
> -	old = radix_tree_lookup(&node->servers, port);
> +	old = xa_store(&node->servers, port, srv, GFP_KERNEL);
>  	if (old) {
> -		radix_tree_delete(&node->servers, port);
> -		kfree(old);
> +		if (xa_is_err(old)) {
> +			pr_err("failed to add server [0x%x:0x%x] ret:%d\n",
> +				srv->service, srv->instance, xa_err(old));

The indentation of the line above is not correct.
It should be:

			pr_err("failed to add server [0x%x:0x%x] ret:%d\n",
			       srv->service, srv->instance, xa_err(old));

> +			goto err;
> +		} else {
> +			kfree(old);
> +		}
>  	}
>  
> -	radix_tree_insert(&node->servers, port, srv);
> -
>  	trace_qrtr_ns_server_add(srv->service, srv->instance,
>  				 srv->node, srv->port);
>  
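
Review bot: In the `if (old)` block, the `else` after `goto err` is redundant because the error branch never falls through; `kfree(old);` can follow the xa_is_err() check directly, one indent level shallower. The comment "Delete the old server on the same port" also no longer describes the code beneath it, since xa_store() now inserts srv and hands back the previous entry in a single step, so it is worth rewording. The pr_err() prints srv->service and srv->instance but not the port, which is the index the failed store used; adding it would make the message easier to act on.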

...

> @@ -576,13 +518,12 @@ static int ctrl_cmd_del_server(struct sockaddr_qrtr *from,
>  static int ctrl_cmd_new_lookup(struct sockaddr_qrtr *from,
>  			       unsigned int service, unsigned int instance)
>  {
> -	struct radix_tree_iter node_iter;
>  	struct qrtr_server_filter filter;
> -	struct radix_tree_iter srv_iter;
>  	struct qrtr_lookup *lookup;
>  	struct qrtr_node *node;
> -	void __rcu **node_slot;
> -	void __rcu **srv_slot;
> +	struct qrtr_server *srv;

This breaks reverse xmas tree ordering of local variables.
The srv line should be directly above rather than below the node line.

> +	unsigned long node_idx;
> +	unsigned long srv_idx;
>  
>  	/* Accept only local observers */
>  	if (from->sq_node != qrtr_ns.local_node)
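
Review bot: In the declaration block of ctrl_cmd_new_lookup(), `struct qrtr_server *srv;` is longer than `struct qrtr_node *node;` yet sits below it, so it should move up one line to keep the longest-to-shortest ordering. The two new `unsigned long` index declarations are no longer than the node line and descend in length, so they can stay where they are once srv is moved.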

...

Thread overview: 8+ messages
2023-07-12 11:26 [PATCH net-next 0/3] net: qrtr: Few fixes in QRTR Vignesh Viswanathan
2023-07-12 11:26 ` [PATCH net-next 1/3] net: qrtr: ns: Change servers radix tree to xarray Vignesh Viswanathan
2023-07-13 14:54   ` Simon Horman [this message]
2023-07-14  5:48     ` Vignesh Viswanathan
2023-07-12 11:26 ` [PATCH net-next 2/3] net: qrtr: ns: Change nodes " Vignesh Viswanathan
2023-07-13 14:55   ` Simon Horman
2023-07-12 11:26 ` [PATCH net-next 3/3] net: qrtr: Handle IPCR control port format of older targets Vignesh Viswanathan
2023-07-13 14:56   ` Simon Horman