diff options
author | Tomas Bortoli <tomasbortoli@gmail.com> | 2018-08-14 19:43:42 +0200 |
---|---|---|
committer | Dominique Martinet <dominique.martinet@cea.fr> | 2018-09-08 01:39:47 +0900 |
commit | 728356dedeff8ef999cb436c71333ef4ac51a81c (patch) | |
tree | ca05afe6f54f9f2bec2128f4cfd97cfc6ff23764 /net/9p/trans_rdma.c | |
parent | 43cbcbee9938b17f77cf34f1bc12d302f456810f (diff) | |
download | lwn-728356dedeff8ef999cb436c71333ef4ac51a81c.tar.gz lwn-728356dedeff8ef999cb436c71333ef4ac51a81c.zip |
9p: Add refcount to p9_req_t
To avoid use-after-free(s), use a refcount to keep track of the
usable references to any instantiated struct p9_req_t.
This commit adds p9_req_put(), p9_req_get() and p9_req_try_get() as
wrappers to kref_put(), kref_get() and kref_get_unless_zero().
These are used by the client and the transports to keep track of
valid requests' references.
p9_free_req() is added back and used as callback by kref_put().
Add SLAB_TYPESAFE_BY_RCU as it ensures that the memory freed by
kmem_cache_free() will not be reused for another type until the rcu
synchronisation period is over, so an address gotten under rcu read
lock is safe to inc_ref() without corrupting random memory while
the lock is held.
Link: http://lkml.kernel.org/r/1535626341-20693-1-git-send-email-asmadeus@codewreck.org
Co-developed-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+467050c1ce275af2a5b8@syzkaller.appspotmail.com
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Diffstat (limited to 'net/9p/trans_rdma.c')
-rw-r--r-- | net/9p/trans_rdma.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c index 5b0cda1aaa7a..9cc9b3a19ee7 100644 --- a/net/9p/trans_rdma.c +++ b/net/9p/trans_rdma.c @@ -365,6 +365,7 @@ send_done(struct ib_cq *cq, struct ib_wc *wc) c->busa, c->req->tc.size, DMA_TO_DEVICE); up(&rdma->sq_sem); + p9_req_put(c->req); kfree(c); } |