summaryrefslogtreecommitdiffstats
path: root/net/tipc/server.c
diff options
context:
space:
mode:
authorParthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>2017-01-24 13:00:44 +0100
committerDavid S. Miller <davem@davemloft.net>2017-01-24 22:14:57 +0100
commitd094c4d5f5c7e1b225e94227ca3f007be3adc4e8 (patch)
tree7b7792ad4b80d260e38ad267d567b07867c7c0f7 /net/tipc/server.c
parenttipc: fix nametbl_lock soft lockup at node/link events (diff)
downloadlinux-d094c4d5f5c7e1b225e94227ca3f007be3adc4e8.tar.xz
linux-d094c4d5f5c7e1b225e94227ca3f007be3adc4e8.zip
tipc: add subscription refcount to avoid invalid delete
Until now, the subscribers keep track of the subscriptions using reference count at subscriber level. At subscription cancel or subscriber delete, we delete the subscription only if the timer was pending for the subscription. This approach is incorrect as: 1. del_timer() is not SMP safe, if on CPU0 the check for pending timer returns true but CPU1 might schedule the timer callback thereby deleting the subscription. Thus when CPU0 is scheduled, it deletes an invalid subscription. 2. We export tipc_subscrp_report_overlap(), which accesses the subscription pointer multiple times. Meanwhile the subscription timer can expire thereby freeing the subscription and we might continue to access the subscription pointer leading to memory violations. In this commit, we introduce subscription refcount to avoid deleting an invalid subscription. Reported-and-Tested-by: John Thompson <thompa.atl@gmail.com> Acked-by: Ying Xue <ying.xue@windriver.com> Acked-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc/server.c')
0 files changed, 0 insertions, 0 deletions