summaryrefslogtreecommitdiffstats
path: root/net/9p/trans_xen.c
diff options
context:
space:
mode:
authorTomas Bortoli <tomasbortoli@gmail.com>2018-08-14 19:43:42 +0200
committerDominique Martinet <dominique.martinet@cea.fr>2018-09-07 18:39:47 +0200
commit728356dedeff8ef999cb436c71333ef4ac51a81c (patch)
treeca05afe6f54f9f2bec2128f4cfd97cfc6ff23764 /net/9p/trans_xen.c
parent9p: rename p9_free_req() function (diff)
downloadlinux-728356dedeff8ef999cb436c71333ef4ac51a81c.tar.xz
linux-728356dedeff8ef999cb436c71333ef4ac51a81c.zip
9p: Add refcount to p9_req_t
To avoid use-after-free(s), use a refcount to keep track of the usable references to any instantiated struct p9_req_t. This commit adds p9_req_put(), p9_req_get() and p9_req_try_get() as wrappers to kref_put(), kref_get() and kref_get_unless_zero(). These are used by the client and the transports to keep track of valid requests' references. p9_free_req() is added back and used as callback by kref_put(). Add SLAB_TYPESAFE_BY_RCU as it ensures that the memory freed by kmem_cache_free() will not be reused for another type until the rcu synchronisation period is over, so an address gotten under rcu read lock is safe to inc_ref() without corrupting random memory while the lock is held. Link: http://lkml.kernel.org/r/1535626341-20693-1-git-send-email-asmadeus@codewreck.org Co-developed-by: Dominique Martinet <dominique.martinet@cea.fr> Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com> Reported-by: syzbot+467050c1ce275af2a5b8@syzkaller.appspotmail.com Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Diffstat (limited to 'net/9p/trans_xen.c')
-rw-r--r--net/9p/trans_xen.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 782a07f2ad0c..e2fbf3677b9b 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -185,6 +185,7 @@ again:
ring->intf->out_prod = prod;
spin_unlock_irqrestore(&ring->lock, flags);
notify_remote_via_irq(ring->irq);
+ p9_req_put(p9_req);
return 0;
}