linux/net/tipc
Jon Paul Maloy b170997ace tipc: eliminate risk of finding to-be-deleted node instance
Although we have never seen it happen, we have identified the
following problematic scenario when nodes are stopped and deleted:

CPU0:                            CPU1:

tipc_node_xxx()                                   //ref == 1
   tipc_node_put()                                //ref -> 0
                                 tipc_node_find() // node still in table
       tipc_node_delete()
         list_del_rcu(n. list)
                                 tipc_node_get()  //ref -> 1, bad
         kfree_rcu()

                                 tipc_node_put() //ref to 0 again.
                                 kfree_rcu()     // BOOM!

We fix this by introducing use of the conditional kref_get_if_not_zero()
instead of kref_get() in the function tipc_node_find(). This eliminates
any risk of post-mortem access.

Reported-by: Zhijiang Hu <huzhijiang@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-02-25 17:04:48 -05:00
..
addr.c tipc: simplify include dependencies 2015-05-14 12:24:45 -04:00
addr.h tipc: simplify include dependencies 2015-05-14 12:24:45 -04:00
bcast.c tipc: narrow down interface towards struct tipc_link 2015-11-20 14:06:10 -05:00
bcast.h tipc: narrow down exposure of struct tipc_node 2015-11-20 14:06:10 -05:00
bearer.c tipc: eliminate remnants of hungarian notation 2015-11-20 14:06:10 -05:00
bearer.h tipc: eliminate remnants of hungarian notation 2015-11-20 14:06:10 -05:00
core.c tipc: create broadcast transmission link at namespace init 2015-10-24 06:56:27 -07:00
core.h tipc: reduce code dependency between binding table and node layer 2015-11-20 14:06:10 -05:00
discover.c tipc: eliminate remnants of hungarian notation 2015-11-20 14:06:10 -05:00
discover.h tipc: involve namespace infrastructure 2015-01-12 16:24:32 -05:00
eth_media.c tipc: make media address offset a common define 2015-02-27 18:18:48 -05:00
ib_media.c tipc: rename media/msg related definitions 2015-02-27 18:18:48 -05:00
Kconfig tipc: add ip/udp media type 2015-03-05 22:08:42 -05:00
link.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-02-23 00:09:14 -05:00
link.h tipc: fix link attribute propagation bug 2016-02-06 02:45:27 -05:00
Makefile tipc: add ip/udp media type 2015-03-05 22:08:42 -05:00
msg.c tipc: let broadcast packet reception use new link receive function 2015-10-24 06:56:37 -07:00
msg.h tipc: let broadcast packet reception use new link receive function 2015-10-24 06:56:37 -07:00
name_distr.c tipc: reduce code dependency between binding table and node layer 2015-11-20 14:06:10 -05:00
name_distr.h tipc: reduce code dependency between binding table and node layer 2015-11-20 14:06:10 -05:00
name_table.c tipc: remove struct tipc_name_seq from struct tipc_subscription 2016-02-06 03:40:43 -05:00
name_table.h tipc: convert legacy nl name table dump to nl compat 2015-02-09 13:20:48 -08:00
net.c tipc: create broadcast transmission link at namespace init 2015-10-24 06:56:27 -07:00
net.h tipc: make tipc node table aware of net namespace 2015-01-12 16:24:32 -05:00
netlink_compat.c Revert "genl: Add genlmsg_new_unicast() for unicast message allocation" 2016-02-18 11:42:19 -05:00
netlink.c tipc: narrow down interface towards struct tipc_link 2015-11-20 14:06:10 -05:00
netlink.h tipc: move and rename the legacy nl api to "nl compat" 2015-02-09 13:20:47 -08:00
node.c tipc: eliminate risk of finding to-be-deleted node instance 2016-02-25 17:04:48 -05:00
node.h tipc: narrow down interface towards struct tipc_link 2015-11-20 14:06:10 -05:00
server.c tipc: use alloc_ordered_workqueue() instead of WQ_UNBOUND w/ max_active = 1 2016-02-06 03:41:58 -05:00
server.h tipc: make subscriber server support net namespace 2015-01-12 16:24:33 -05:00
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-12-03 21:09:12 -05:00
socket.h tipc: clean up socket layer message reception 2015-07-26 16:31:50 -07:00
subscr.c tipc: donot create timers if subscription timeout = TIPC_WAIT_FOREVER 2016-02-06 03:41:58 -05:00
subscr.h tipc: remove struct tipc_name_seq from struct tipc_subscription 2016-02-06 03:40:43 -05:00
sysctl.c tipc: add name distributor resiliency queue 2014-09-01 17:51:48 -07:00
udp_media.c ip_tunnel: Move stats update to iptunnel_xmit() 2015-12-25 23:32:23 -05:00