git.baikalelectronics.ru Git - kernel.git/commit

tipc: add subscription refcount to avoid invalid delete

Until now, the subscribers keep track of the subscriptions using
reference count at subscriber level. At subscription cancel or
subscriber delete, we delete the subscription only if the timer
was pending for the subscription. This approach is incorrect as:
1. del_timer() is not SMP safe, if on CPU0 the check for pending
   timer returns true but CPU1 might schedule the timer callback
   thereby deleting the subscription. Thus when CPU0 is scheduled,
   it deletes an invalid subscription.
2. We export tipc_subscrp_report_overlap(), which accesses the
   subscription pointer multiple times. Meanwhile the subscription
   timer can expire thereby freeing the subscription and we might
   continue to access the subscription pointer leading to memory
   violations.

In this commit, we introduce subscription refcount to avoid deleting
an invalid subscription.

Reported-and-Tested-by: John Thompson <thompa.atl@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

author	Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
	Tue, 24 Jan 2017 12:00:44 +0000 (13:00 +0100)
committer	David S. Miller <davem@davemloft.net>
	Tue, 24 Jan 2017 21:14:57 +0000 (16:14 -0500)
commit	54ca85e0bdc8a36714a6d88aabd86c8329e1ee6f
tree	7b7792ad4b80d260e38ad267d567b07867c7c0f7	tree \| snapshot
parent	49bd07673a9aadede3e3b392a99618785fccada9	commit \| diff

net/tipc/subscr.c		diff \| blob \| history
net/tipc/subscr.h		diff \| blob \| history