Commit 7ef43eba authored by Allan Stephens's avatar Allan Stephens Committed by David S. Miller

tipc: Fix race condition when creating socket or native port

This patch eliminates the (very remote) chance of a crash resulting
from a partially initialized socket or native port unexpectedly
receiving a message.  Now, during the creation of a socket or native
port, the underlying generic port's lock is not released until all
initialization required to handle incoming messages has been done.
Signed-off-by: default avatarAllan Stephens <allan.stephens@windriver.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 4e3e6dcb
...@@ -84,7 +84,8 @@ struct tipc_port { ...@@ -84,7 +84,8 @@ struct tipc_port {
u32 tipc_createport_raw(void *usr_handle, u32 tipc_createport_raw(void *usr_handle,
u32 (*dispatcher)(struct tipc_port *, struct sk_buff *), u32 (*dispatcher)(struct tipc_port *, struct sk_buff *),
void (*wakeup)(struct tipc_port *), void (*wakeup)(struct tipc_port *),
const u32 importance); const u32 importance,
struct tipc_port **tp_ptr);
int tipc_reject_msg(struct sk_buff *buf, u32 err); int tipc_reject_msg(struct sk_buff *buf, u32 err);
......
...@@ -211,15 +211,18 @@ void tipc_port_recv_mcast(struct sk_buff *buf, struct port_list *dp) ...@@ -211,15 +211,18 @@ void tipc_port_recv_mcast(struct sk_buff *buf, struct port_list *dp)
} }
/** /**
* tipc_createport_raw - create a native TIPC port * tipc_createport_raw - create a generic TIPC port
* *
* Returns local port reference * Returns port reference, or 0 if unable to create it
*
* Note: The newly created port is returned in the locked state.
*/ */
u32 tipc_createport_raw(void *usr_handle, u32 tipc_createport_raw(void *usr_handle,
u32 (*dispatcher)(struct tipc_port *, struct sk_buff *), u32 (*dispatcher)(struct tipc_port *, struct sk_buff *),
void (*wakeup)(struct tipc_port *), void (*wakeup)(struct tipc_port *),
const u32 importance) const u32 importance,
struct tipc_port **tp_ptr)
{ {
struct port *p_ptr; struct port *p_ptr;
struct tipc_msg *msg; struct tipc_msg *msg;
...@@ -237,7 +240,6 @@ u32 tipc_createport_raw(void *usr_handle, ...@@ -237,7 +240,6 @@ u32 tipc_createport_raw(void *usr_handle,
return 0; return 0;
} }
tipc_port_lock(ref);
p_ptr->publ.usr_handle = usr_handle; p_ptr->publ.usr_handle = usr_handle;
p_ptr->publ.max_pkt = MAX_PKT_DEFAULT; p_ptr->publ.max_pkt = MAX_PKT_DEFAULT;
p_ptr->publ.ref = ref; p_ptr->publ.ref = ref;
...@@ -262,7 +264,7 @@ u32 tipc_createport_raw(void *usr_handle, ...@@ -262,7 +264,7 @@ u32 tipc_createport_raw(void *usr_handle,
INIT_LIST_HEAD(&p_ptr->port_list); INIT_LIST_HEAD(&p_ptr->port_list);
list_add_tail(&p_ptr->port_list, &ports); list_add_tail(&p_ptr->port_list, &ports);
spin_unlock_bh(&tipc_port_list_lock); spin_unlock_bh(&tipc_port_list_lock);
tipc_port_unlock(p_ptr); *tp_ptr = &p_ptr->publ;
return ref; return ref;
} }
...@@ -1053,6 +1055,7 @@ int tipc_createport(u32 user_ref, ...@@ -1053,6 +1055,7 @@ int tipc_createport(u32 user_ref,
{ {
struct user_port *up_ptr; struct user_port *up_ptr;
struct port *p_ptr; struct port *p_ptr;
struct tipc_port *tp_ptr;
u32 ref; u32 ref;
up_ptr = kmalloc(sizeof(*up_ptr), GFP_ATOMIC); up_ptr = kmalloc(sizeof(*up_ptr), GFP_ATOMIC);
...@@ -1060,12 +1063,13 @@ int tipc_createport(u32 user_ref, ...@@ -1060,12 +1063,13 @@ int tipc_createport(u32 user_ref,
warn("Port creation failed, no memory\n"); warn("Port creation failed, no memory\n");
return -ENOMEM; return -ENOMEM;
} }
ref = tipc_createport_raw(NULL, port_dispatcher, port_wakeup, importance); ref = tipc_createport_raw(NULL, port_dispatcher, port_wakeup,
p_ptr = tipc_port_lock(ref); importance, &tp_ptr);
if (!p_ptr) { if (ref == 0) {
kfree(up_ptr); kfree(up_ptr);
return -ENOMEM; return -ENOMEM;
} }
p_ptr = (struct port *)tp_ptr;
p_ptr->user_port = up_ptr; p_ptr->user_port = up_ptr;
up_ptr->user_ref = user_ref; up_ptr->user_ref = user_ref;
......
...@@ -142,9 +142,13 @@ void tipc_ref_table_stop(void) ...@@ -142,9 +142,13 @@ void tipc_ref_table_stop(void)
/** /**
* tipc_ref_acquire - create reference to an object * tipc_ref_acquire - create reference to an object
* *
* Return a unique reference value which can be translated back to the pointer * Register an object pointer in reference table and lock the object.
* 'object' at a later time. Also, pass back a pointer to the lock protecting * Returns a unique reference value that is used from then on to retrieve the
* the object, but without locking it. * object pointer, or to determine that the object has been deregistered.
*
* Note: The object is returned in the locked state so that the caller can
* register a partially initialized object, without running the risk that
* the object will be accessed before initialization is complete.
*/ */
u32 tipc_ref_acquire(void *object, spinlock_t **lock) u32 tipc_ref_acquire(void *object, spinlock_t **lock)
...@@ -178,13 +182,13 @@ u32 tipc_ref_acquire(void *object, spinlock_t **lock) ...@@ -178,13 +182,13 @@ u32 tipc_ref_acquire(void *object, spinlock_t **lock)
ref = (next_plus_upper & ~index_mask) + index; ref = (next_plus_upper & ~index_mask) + index;
entry->ref = ref; entry->ref = ref;
entry->object = object; entry->object = object;
spin_unlock_bh(&entry->lock);
*lock = &entry->lock; *lock = &entry->lock;
} }
else if (tipc_ref_table.init_point < tipc_ref_table.capacity) { else if (tipc_ref_table.init_point < tipc_ref_table.capacity) {
index = tipc_ref_table.init_point++; index = tipc_ref_table.init_point++;
entry = &(tipc_ref_table.entries[index]); entry = &(tipc_ref_table.entries[index]);
spin_lock_init(&entry->lock); spin_lock_init(&entry->lock);
spin_lock_bh(&entry->lock);
ref = tipc_ref_table.start_mask + index; ref = tipc_ref_table.start_mask + index;
entry->ref = ref; entry->ref = ref;
entry->object = object; entry->object = object;
......
...@@ -188,6 +188,7 @@ static int tipc_create(struct net *net, struct socket *sock, int protocol) ...@@ -188,6 +188,7 @@ static int tipc_create(struct net *net, struct socket *sock, int protocol)
const struct proto_ops *ops; const struct proto_ops *ops;
socket_state state; socket_state state;
struct sock *sk; struct sock *sk;
struct tipc_port *tp_ptr;
u32 portref; u32 portref;
/* Validate arguments */ /* Validate arguments */
...@@ -225,7 +226,7 @@ static int tipc_create(struct net *net, struct socket *sock, int protocol) ...@@ -225,7 +226,7 @@ static int tipc_create(struct net *net, struct socket *sock, int protocol)
/* Allocate TIPC port for socket to use */ /* Allocate TIPC port for socket to use */
portref = tipc_createport_raw(sk, &dispatch, &wakeupdispatch, portref = tipc_createport_raw(sk, &dispatch, &wakeupdispatch,
TIPC_LOW_IMPORTANCE); TIPC_LOW_IMPORTANCE, &tp_ptr);
if (unlikely(portref == 0)) { if (unlikely(portref == 0)) {
sk_free(sk); sk_free(sk);
return -ENOMEM; return -ENOMEM;
...@@ -241,6 +242,8 @@ static int tipc_create(struct net *net, struct socket *sock, int protocol) ...@@ -241,6 +242,8 @@ static int tipc_create(struct net *net, struct socket *sock, int protocol)
sk->sk_backlog_rcv = backlog_rcv; sk->sk_backlog_rcv = backlog_rcv;
tipc_sk(sk)->p = tipc_get_port(portref); tipc_sk(sk)->p = tipc_get_port(portref);
spin_unlock_bh(tp_ptr->lock);
if (sock->state == SS_READY) { if (sock->state == SS_READY) {
tipc_set_portunreturnable(portref, 1); tipc_set_portunreturnable(portref, 1);
if (sock->type == SOCK_DGRAM) if (sock->type == SOCK_DGRAM)
......
...@@ -474,6 +474,7 @@ static void subscr_named_msg_event(void *usr_handle, ...@@ -474,6 +474,7 @@ static void subscr_named_msg_event(void *usr_handle,
kfree(subscriber); kfree(subscriber);
return; return;
} }
spin_unlock_bh(subscriber->lock);
/* Establish a connection to subscriber */ /* Establish a connection to subscriber */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment