[PATCH 13/28] batman-adv: Correct rcu refcounting for softif_neigh

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Sven Eckelmann <sven@narfation.org>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, b.a.t.m.a.n@lists.open-mesh.org,
	Marek Lindner <lindner_marek@yahoo.de>
Subject: [PATCH 13/28] batman-adv: Correct rcu refcounting for softif_neigh
Date: Sat,  5 Mar 2011 13:28:27 +0100	[thread overview]
Message-ID: <1299328122-21468-14-git-send-email-sven@narfation.org> (raw)
In-Reply-To: <1299328122-21468-1-git-send-email-sven@narfation.org>

From: Marek Lindner <lindner_marek@yahoo.de>

It might be possible that 2 threads access the same data in the same
rcu grace period. The first thread calls call_rcu() to decrement the
refcount and free the data while the second thread increases the
refcount to use the data. To avoid this race condition all refcount
operations have to be atomic.

Reported-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
---
 net/batman-adv/soft-interface.c |   31 +++++++++++++++----------------
 net/batman-adv/types.h          |    2 +-
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 7e37077..152beaa 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -76,20 +76,18 @@ int my_skb_head_push(struct sk_buff *skb, unsigned int len)
 	return 0;
 }
 
-static void softif_neigh_free_ref(struct kref *refcount)
+static void softif_neigh_free_rcu(struct rcu_head *rcu)
 {
 	struct softif_neigh *softif_neigh;
 
-	softif_neigh = container_of(refcount, struct softif_neigh, refcount);
+	softif_neigh = container_of(rcu, struct softif_neigh, rcu);
 	kfree(softif_neigh);
 }
 
-static void softif_neigh_free_rcu(struct rcu_head *rcu)
+static void softif_neigh_free_ref(struct softif_neigh *softif_neigh)
 {
-	struct softif_neigh *softif_neigh;
-
-	softif_neigh = container_of(rcu, struct softif_neigh, rcu);
-	kref_put(&softif_neigh->refcount, softif_neigh_free_ref);
+	if (atomic_dec_and_test(&softif_neigh->refcount))
+		call_rcu(&softif_neigh->rcu, softif_neigh_free_rcu);
 }
 
 void softif_neigh_purge(struct bat_priv *bat_priv)
@@ -116,11 +114,10 @@ void softif_neigh_purge(struct bat_priv *bat_priv)
 				 softif_neigh->addr, softif_neigh->vid);
 			softif_neigh_tmp = bat_priv->softif_neigh;
 			bat_priv->softif_neigh = NULL;
-			kref_put(&softif_neigh_tmp->refcount,
-				 softif_neigh_free_ref);
+			softif_neigh_free_ref(softif_neigh_tmp);
 		}
 
-		call_rcu(&softif_neigh->rcu, softif_neigh_free_rcu);
+		softif_neigh_free_ref(softif_neigh);
 	}
 
 	spin_unlock_bh(&bat_priv->softif_neigh_lock);
@@ -141,8 +138,11 @@ static struct softif_neigh *softif_neigh_get(struct bat_priv *bat_priv,
 		if (softif_neigh->vid != vid)
 			continue;
 
+		if (!atomic_inc_not_zero(&softif_neigh->refcount))
+			continue;
+
 		softif_neigh->last_seen = jiffies;
-		goto found;
+		goto out;
 	}
 
 	softif_neigh = kzalloc(sizeof(struct softif_neigh), GFP_ATOMIC);
@@ -152,15 +152,14 @@ static struct softif_neigh *softif_neigh_get(struct bat_priv *bat_priv,
 	memcpy(softif_neigh->addr, addr, ETH_ALEN);
 	softif_neigh->vid = vid;
 	softif_neigh->last_seen = jiffies;
-	kref_init(&softif_neigh->refcount);
+	/* initialize with 2 - caller decrements counter by one */
+	atomic_set(&softif_neigh->refcount, 2);
 
 	INIT_HLIST_NODE(&softif_neigh->list);
 	spin_lock_bh(&bat_priv->softif_neigh_lock);
 	hlist_add_head_rcu(&softif_neigh->list, &bat_priv->softif_neigh_list);
 	spin_unlock_bh(&bat_priv->softif_neigh_lock);
 
-found:
-	kref_get(&softif_neigh->refcount);
 out:
 	rcu_read_unlock();
 	return softif_neigh;
@@ -264,7 +263,7 @@ static void softif_batman_recv(struct sk_buff *skb, struct net_device *dev,
 			 softif_neigh->addr, softif_neigh->vid);
 		softif_neigh_tmp = bat_priv->softif_neigh;
 		bat_priv->softif_neigh = softif_neigh;
-		kref_put(&softif_neigh_tmp->refcount, softif_neigh_free_ref);
+		softif_neigh_free_ref(softif_neigh_tmp);
 		/* we need to hold the additional reference */
 		goto err;
 	}
@@ -282,7 +281,7 @@ static void softif_batman_recv(struct sk_buff *skb, struct net_device *dev,
 	}
 
 out:
-	kref_put(&softif_neigh->refcount, softif_neigh_free_ref);
+	softif_neigh_free_ref(softif_neigh);
 err:
 	kfree_skb(skb);
 	return;
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index cfbeb45..96f7c22 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -268,7 +268,7 @@ struct softif_neigh {
 	uint8_t addr[ETH_ALEN];
 	unsigned long last_seen;
 	short vid;
-	struct kref refcount;
+	atomic_t refcount;
 	struct rcu_head rcu;
 };
 
-- 
1.7.2.3

next prev parent reply	other threads:[~2011-03-05 12:29 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-03-05 12:28 pull request: batman-adv 2011-03-05 Sven Eckelmann
     [not found] ` <1299328122-21468-1-git-send-email-sven-KaDOiPu9UxWEi8DpZVb4nw@public.gmane.org>
2011-03-05 12:28   ` [PATCH 01/28] batman-adv: Remove two duplicate includes Sven Eckelmann
2011-03-05 12:28   ` [PATCH 02/28] batman-adv: protect neighbor nodes with reference counters Sven Eckelmann
2011-03-05 12:28   ` [PATCH 03/28] batman-adv: convert neighbor list to hlist Sven Eckelmann
2011-03-05 12:28   ` [PATCH 04/28] batman-adv: protect neighbor list with rcu locks Sven Eckelmann
2011-03-05 12:28   ` [PATCH 05/28] batman-adv: free neighbors when an interface is deactivated Sven Eckelmann
2011-03-05 12:28   ` [PATCH 06/28] batman-adv: protect neigh_nodes used outside of rcu_locks with refcounting Sven Eckelmann
2011-03-05 12:28   ` [PATCH 11/28] batman-adv: Correct rcu refcounting for neigh_node Sven Eckelmann
2011-03-05 12:28   ` [PATCH 19/28] batman-adv: Fix possible buffer overflow in softif neigh list output Sven Eckelmann
2011-03-05 12:28 ` [PATCH 07/28] batman-adv: protect each hash row with rcu locks Sven Eckelmann
2011-03-05 12:28 ` [PATCH 08/28] batman-adv: protect originator nodes with reference counters Sven Eckelmann
2011-03-05 12:28 ` [PATCH 09/28] batman-adv: protect ogm counter arrays with spinlock Sven Eckelmann
2011-03-05 12:28 ` [PATCH 10/28] batman-adv: protect bonding with rcu locks Sven Eckelmann
2011-03-05 12:28 ` [PATCH 12/28] batman-adv: Correct rcu refcounting for gw_node Sven Eckelmann
2011-03-05 12:28 ` Sven Eckelmann [this message]
2011-03-05 12:28 ` [PATCH 14/28] batman-adv: Correct rcu refcounting for batman_if Sven Eckelmann
2011-03-05 12:28 ` [PATCH 15/28] batman-adv: protect bit operations to count OGMs with spinlock Sven Eckelmann
2011-03-05 12:28 ` [PATCH 16/28] batman-adv: make broadcast seqno operations atomic Sven Eckelmann
2011-03-05 12:28 ` [PATCH 17/28] batman-adv: Make bat_priv->curr_gw an rcu protected pointer Sven Eckelmann
2011-03-05 12:28 ` [PATCH 18/28] batman-adv: Increase orig_node refcount before releasing rcu read lock Sven Eckelmann
2011-03-05 12:28 ` [PATCH 20/28] batman-adv: separate ethernet comparing calls from hash functions Sven Eckelmann
2011-03-05 12:28 ` [PATCH 21/28] batman-adv: remove extra layer between hash and hash element - hash bucket Sven Eckelmann
2011-03-05 12:28 ` [PATCH 22/28] batman-adv: Correct rcu refcounting for orig_node Sven Eckelmann
2011-03-05 12:28 ` [PATCH 23/28] batman-adv: increase refcount in create_neighbor to be consistent Sven Eckelmann
2011-03-05 12:28 ` [PATCH 24/28] batman-adv: remove orig_hash spinlock Sven Eckelmann
2011-03-05 12:28 ` [PATCH 25/28] batman-adv: rename global if_list to hardif_list Sven Eckelmann
2011-03-05 12:28 ` [PATCH 26/28] batman-adv: rename batman_if struct to hard_iface Sven Eckelmann
2011-03-05 12:28 ` [PATCH 27/28] batman-adv: Remove unused hdr_size variable in route_unicast_packet() Sven Eckelmann
2011-03-05 12:28 ` [PATCH 28/28] batman-adv: Disallow regular interface as mesh device Sven Eckelmann
2011-03-05 14:13 ` [B.A.T.M.A.N.] pull request: batman-adv 2011-03-05 Sven Eckelmann
2011-03-07  2:14 ` David Miller
2011-03-07  9:01   ` Sven Eckelmann
2011-03-07  9:19     ` David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7e37077 dfblob:152beaa dfblob:cfbeb45 dfblob:96f7c22 )
 OR (
bs:"[PATCH 13/28] batman-adv: Correct rcu refcounting for softif_neigh" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1299328122-21468-14-git-send-email-sven@narfation.org \
    --to=sven@narfation.org \
    --cc=b.a.t.m.a.n@lists.open-mesh.org \
    --cc=davem@davemloft.net \
    --cc=lindner_marek@yahoo.de \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).