    tipc: fix node refcount issue · 73a31737
    Erik Hugne authored
    When link statistics are dumped over netlink, we iterate over
    the list of peer nodes and append each link's statistics to
    the netlink msg. In the case where the dump is resumed after
    filling up a nlmsg, the node refcnt is decremented without
    having been incremented previously, which may cause the node
    reference to be freed. When this happens, the following
    info/stacktrace will be generated, followed by a crash or
    undefined behavior.

    We fix this by removing the erroneous call to tipc_node_put
    inside the loop that iterates over nodes.
    
    [  384.312303] INFO: trying to register non-static key.
    [  384.313110] the code is fine but needs lockdep annotation.
    [  384.313290] turning off the locking correctness validator.
    [  384.313290] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.0.0+ #13
    [  384.313290] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    [  384.313290]  ffff88003c6d0290 ffff88003cc03ca8 ffffffff8170adf1 0000000000000007
    [  384.313290]  ffffffff82728730 ffff88003cc03d38 ffffffff810a6a6d 00000000001d7200
    [  384.313290]  ffff88003c6d0ab0 ffff88003cc03ce8 0000000000000285 0000000000000001
    [  384.313290] Call Trace:
    [  384.313290]  <IRQ>  [<ffffffff8170adf1>] dump_stack+0x4c/0x65
    [  384.313290]  [<ffffffff810a6a6d>] __lock_acquire+0xf3d/0xf50
    [  384.313290]  [<ffffffff810a7375>] lock_acquire+0xd5/0x290
    [  384.313290]  [<ffffffffa0043e8c>] ? link_timeout+0x1c/0x170 [tipc]
    [  384.313290]  [<ffffffffa0043e70>] ? link_state_event+0x4e0/0x4e0 [tipc]
    [  384.313290]  [<ffffffff81712890>] _raw_spin_lock_bh+0x40/0x80
    [  384.313290]  [<ffffffffa0043e8c>] ? link_timeout+0x1c/0x170 [tipc]
    [  384.313290]  [<ffffffffa0043e8c>] link_timeout+0x1c/0x170 [tipc]
    [  384.313290]  [<ffffffff810c4698>] call_timer_fn+0xb8/0x490
    [  384.313290]  [<ffffffff810c45e0>] ? process_timeout+0x10/0x10
    [  384.313290]  [<ffffffff810c5a2c>] run_timer_softirq+0x21c/0x420
    [  384.313290]  [<ffffffffa0043e70>] ? link_state_event+0x4e0/0x4e0 [tipc]
    [  384.313290]  [<ffffffff8105a954>] __do_softirq+0xf4/0x630
    [  384.313290]  [<ffffffff8105afdd>] irq_exit+0x5d/0x60
    [  384.313290]  [<ffffffff8103ade1>] smp_apic_timer_interrupt+0x41/0x50
    [  384.313290]  [<ffffffff817144a0>] apic_timer_interrupt+0x70/0x80
    [  384.313290]  <EOI>  [<ffffffff8100db10>] ? default_idle+0x20/0x210
    [  384.313290]  [<ffffffff8100db0e>] ? default_idle+0x1e/0x210
    [  384.313290]  [<ffffffff8100e61a>] arch_cpu_idle+0xa/0x10
    [  384.313290]  [<ffffffff81099803>] cpu_startup_entry+0x2c3/0x530
    [  384.313290]  [<ffffffff810d2893>] ? clockevents_register_device+0x113/0x200
    [  384.313290]  [<ffffffff81038b0f>] start_secondary+0x13f/0x170
    
    Fixes: 8a0f6ebe ("tipc: involve reference counter for node structure")
    Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
    Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
link.c 60.3 KB
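The refcount imbalance the commit message describes, modelled here as an added C example (illustrative code written for this page, not the kernel's tipc implementation): a toy list of peer nodes with explicit reference counting, a dump routine that stops when the message budget is exhausted and resumes from a cursor on the next call, and a harness that reports how many nodes were dropped while still on the list. All names (`node_find`, `node_put`, `dump_links`, `run_dump`, `LINKS_PER_NODE`) and the node addresses are assumptions made for illustration; the only behaviour taken from the page is that a put() with no preceding get() in the resumed path releases the reference the node list itself owns.

```c
#include <stdbool.h>
#include <stdio.h>

#define NUM_NODES      4
#define LINKS_PER_NODE 2

/* Toy peer node: 'refcnt' stands in for the kernel's reference counter,
 * 'freed' records the moment it reaches zero. */
struct node { int addr; int refcnt; bool freed; };

static struct node nodes[NUM_NODES];
static int freed_nodes;   /* nodes "freed" so far in the current run */

/* Constructed sample list: each node starts with exactly one reference,
 * the one owned by the node list itself. */
static void init_nodes(void)
{
    freed_nodes = 0;
    for (int i = 0; i < NUM_NODES; i++) {
        nodes[i].addr   = 0x1001 + i;   /* constructed addresses */
        nodes[i].refcnt = 1;
        nodes[i].freed  = false;
    }
}

static void node_put(struct node *n)
{
    if (--n->refcnt == 0) {     /* the kernel would free the node here */
        n->freed = true;
        freed_nodes++;
    }
}

/* Lookup by address that hands back the node with a reference taken.
 * A freed node is not findable in this model; the kernel would instead
 * be reading memory that has already been released. */
static struct node *node_find(int addr)
{
    for (int i = 0; i < NUM_NODES; i++) {
        if (nodes[i].addr == addr && !nodes[i].freed) {
            nodes[i].refcnt++;
            return &nodes[i];
        }
    }
    return NULL;
}

/* One invocation of the dump callback: 'budget' is how many link records
 * fit into the message being built, '*prev_addr' the cursor carried
 * between invocations (0 on the first call). Returns the number of link
 * records appended; 0 means the dump is complete. With 'buggy' set, every
 * node visited on a resumed dump gets a put() that no get() preceded,
 * which is the imbalance the commit message describes. */
static int dump_links(int budget, int *prev_addr, bool buggy)
{
    bool resumed = (*prev_addr != 0);
    int  start   = 0;
    int  emitted = 0;

    if (resumed) {
        /* Re-locate the node we stopped at; the reference node_find()
         * took only served to find the position, so drop it again. */
        struct node *prev = node_find(*prev_addr);
        if (!prev)
            return 0;
        node_put(prev);
        start = (int)(prev - nodes) + 1;
    }

    for (int i = start; i < NUM_NODES; i++) {
        if (emitted + LINKS_PER_NODE > budget)
            break;                  /* message full: stop, resume later */
        emitted += LINKS_PER_NODE;  /* append this node's link stats */
        *prev_addr = nodes[i].addr;
        if (resumed && buggy)
            node_put(&nodes[i]);    /* nothing took a reference for this */
    }
    return emitted;
}

/* Drive a dump to completion with the given per-message budget; returns
 * how many nodes were wrongly freed (0 means the refcounts balanced). */
static int run_dump(int budget, bool buggy)
{
    int prev_addr = 0;

    init_nodes();
    while (dump_links(budget, &prev_addr, buggy) > 0)
        ;
    return freed_nodes;
}

int main(void)
{
    int buggy = run_dump(4, true);
    int fixed = run_dump(4, false);
    printf("two nodes per message: buggy frees %d node(s), fixed frees %d\n", buggy, fixed);
    return 0;
}
```

With a budget of four link records (two nodes per message) the dump has to resume, and the buggy path frees two nodes that are still linked into the list; when the whole dump fits in one message the same code is never reached, which is why an imbalance of this kind only shows up once there are enough peers to overflow a single netlink message. In the kernel the first visible symptom is the lockdep report quoted above: the link timer fires and takes a spinlock inside node memory that the premature put has already released.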