提交 9e741045 编写于 作者: V Vivien Didelot 提交者: David S. Miller

net: dsa: fix 'increment on 0' warning

Setting the refcount to 0 when allocating a tree to match the number of
switch devices it holds may cause an 'increment on 0; use-after-free',
if CONFIG_REFCOUNT_FULL is enabled.

To fix this, do not decrement the refcount of a newly allocated tree,
increment it when an already allocated tree is found, and decrement it
after the probing of a switch, as done with the previous behavior.

At the same time, make dsa_tree_get and dsa_tree_put accept a NULL
argument to simplify callers, and return the tree after incrementation,
as most kref users like of_node_get and of_node_put do.

Fixes: 8e5bf975 ("net: dsa: simplify tree reference counting")
Signed-off-by: NVivien Didelot <vivien.didelot@savoirfairelinux.com>
Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
Tested-by: NFlorian Fainelli <f.fainelli@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 afbea2cd
...@@ -51,9 +51,7 @@ static struct dsa_switch_tree *dsa_tree_alloc(int index) ...@@ -51,9 +51,7 @@ static struct dsa_switch_tree *dsa_tree_alloc(int index)
INIT_LIST_HEAD(&dst->list); INIT_LIST_HEAD(&dst->list);
list_add_tail(&dsa_tree_list, &dst->list); list_add_tail(&dsa_tree_list, &dst->list);
/* Initialize the reference counter to the number of switches, not 1 */
kref_init(&dst->refcount); kref_init(&dst->refcount);
refcount_set(&dst->refcount.refcount, 0);
return dst; return dst;
} }
...@@ -64,20 +62,23 @@ static void dsa_tree_free(struct dsa_switch_tree *dst) ...@@ -64,20 +62,23 @@ static void dsa_tree_free(struct dsa_switch_tree *dst)
kfree(dst); kfree(dst);
} }
static struct dsa_switch_tree *dsa_tree_touch(int index) static struct dsa_switch_tree *dsa_tree_get(struct dsa_switch_tree *dst)
{ {
struct dsa_switch_tree *dst; if (dst)
kref_get(&dst->refcount);
dst = dsa_tree_find(index);
if (!dst)
dst = dsa_tree_alloc(index);
return dst; return dst;
} }
static void dsa_tree_get(struct dsa_switch_tree *dst) static struct dsa_switch_tree *dsa_tree_touch(int index)
{ {
kref_get(&dst->refcount); struct dsa_switch_tree *dst;
dst = dsa_tree_find(index);
if (dst)
return dsa_tree_get(dst);
else
return dsa_tree_alloc(index);
} }
static void dsa_tree_release(struct kref *ref) static void dsa_tree_release(struct kref *ref)
...@@ -91,7 +92,8 @@ static void dsa_tree_release(struct kref *ref) ...@@ -91,7 +92,8 @@ static void dsa_tree_release(struct kref *ref)
static void dsa_tree_put(struct dsa_switch_tree *dst) static void dsa_tree_put(struct dsa_switch_tree *dst)
{ {
kref_put(&dst->refcount, dsa_tree_release); if (dst)
kref_put(&dst->refcount, dsa_tree_release);
} }
static bool dsa_port_is_dsa(struct dsa_port *port) static bool dsa_port_is_dsa(struct dsa_port *port)
...@@ -765,6 +767,7 @@ int dsa_register_switch(struct dsa_switch *ds) ...@@ -765,6 +767,7 @@ int dsa_register_switch(struct dsa_switch *ds)
mutex_lock(&dsa2_mutex); mutex_lock(&dsa2_mutex);
err = dsa_switch_probe(ds); err = dsa_switch_probe(ds);
dsa_tree_put(ds->dst);
mutex_unlock(&dsa2_mutex); mutex_unlock(&dsa2_mutex);
return err; return err;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册