summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorJon Paul Maloy <jon.maloy@ericsson.com>2016-02-24 17:10:48 +0100
committerDavid S. Miller <davem@davemloft.net>2016-02-25 23:04:48 +0100
commitd25a01257e422a4bdeb426f69529d57c73b235fe (patch)
tree09941b9ca9b6136a6f3a3cb0458cbfaf1656bad3 /lib
parenttipc: eliminate risk of finding to-be-deleted node instance (diff)
downloadlinux-d25a01257e422a4bdeb426f69529d57c73b235fe.tar.xz
linux-d25a01257e422a4bdeb426f69529d57c73b235fe.zip
tipc: fix crash during node removal
When the TIPC module is unloaded, we have identified a race condition that allows a node reference counter to go to zero and the node instance being freed before the node timer is finished with accessing it. This leads to occasional crashes, especially in multi-namespace environments. The scenario goes as follows: CPU0:(node_stop) CPU1:(node_timeout) // ref == 2 1: if(!mod_timer()) 2: if (del_timer()) 3: tipc_node_put() // ref -> 1 4: tipc_node_put() // ref -> 0 5: kfree_rcu(node); 6: tipc_node_get(node) 7: // BOOM! We now clean up this functionality as follows: 1) We remove the node pointer from the node lookup table before we attempt deactivating the timer. This way, we reduce the risk that tipc_node_find() may obtain a valid pointer to an instance marked for deletion; a harmless but undesirable situation. 2) We use del_timer_sync() instead of del_timer() to safely deactivate the node timer without any risk that it might be reactivated by the timeout handler. There is no risk of deadlock here, since the two functions never touch the same spinlocks. 3: We remove a pointless tipc_node_get() + tipc_node_put() from the timeout handler. Reported-by: Zhijiang Hu <huzhijiang@gmail.com> Acked-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'lib')
0 files changed, 0 insertions, 0 deletions