linux/net/tipc
Erik Hugne 73a3173773 tipc: fix node refcount issue
When link statistics are dumped over netlink, we iterate over
the list of peer nodes and append each link's statistics to
the netlink msg. In the case where the dump is resumed after
filling up an nlmsg, the node refcnt is decremented without
having been incremented previously, which may cause the node
reference to be freed. When this happens, the following
info/stacktrace will be generated, followed by a crash or
undefined behavior.
We fix this by removing the erroneous call to tipc_node_put
inside the loop that iterates over nodes.

[  384.312303] INFO: trying to register non-static key.
[  384.313110] the code is fine but needs lockdep annotation.
[  384.313290] turning off the locking correctness validator.
[  384.313290] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.0.0+ #13
[  384.313290] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  384.313290]  ffff88003c6d0290 ffff88003cc03ca8 ffffffff8170adf1 0000000000000007
[  384.313290]  ffffffff82728730 ffff88003cc03d38 ffffffff810a6a6d 00000000001d7200
[  384.313290]  ffff88003c6d0ab0 ffff88003cc03ce8 0000000000000285 0000000000000001
[  384.313290] Call Trace:
[  384.313290]  <IRQ>  [<ffffffff8170adf1>] dump_stack+0x4c/0x65
[  384.313290]  [<ffffffff810a6a6d>] __lock_acquire+0xf3d/0xf50
[  384.313290]  [<ffffffff810a7375>] lock_acquire+0xd5/0x290
[  384.313290]  [<ffffffffa0043e8c>] ? link_timeout+0x1c/0x170 [tipc]
[  384.313290]  [<ffffffffa0043e70>] ? link_state_event+0x4e0/0x4e0 [tipc]
[  384.313290]  [<ffffffff81712890>] _raw_spin_lock_bh+0x40/0x80
[  384.313290]  [<ffffffffa0043e8c>] ? link_timeout+0x1c/0x170 [tipc]
[  384.313290]  [<ffffffffa0043e8c>] link_timeout+0x1c/0x170 [tipc]
[  384.313290]  [<ffffffff810c4698>] call_timer_fn+0xb8/0x490
[  384.313290]  [<ffffffff810c45e0>] ? process_timeout+0x10/0x10
[  384.313290]  [<ffffffff810c5a2c>] run_timer_softirq+0x21c/0x420
[  384.313290]  [<ffffffffa0043e70>] ? link_state_event+0x4e0/0x4e0 [tipc]
[  384.313290]  [<ffffffff8105a954>] __do_softirq+0xf4/0x630
[  384.313290]  [<ffffffff8105afdd>] irq_exit+0x5d/0x60
[  384.313290]  [<ffffffff8103ade1>] smp_apic_timer_interrupt+0x41/0x50
[  384.313290]  [<ffffffff817144a0>] apic_timer_interrupt+0x70/0x80
[  384.313290]  <EOI>  [<ffffffff8100db10>] ? default_idle+0x20/0x210
[  384.313290]  [<ffffffff8100db0e>] ? default_idle+0x1e/0x210
[  384.313290]  [<ffffffff8100e61a>] arch_cpu_idle+0xa/0x10
[  384.313290]  [<ffffffff81099803>] cpu_startup_entry+0x2c3/0x530
[  384.313290]  [<ffffffff810d2893>] ? clockevents_register_device+0x113/0x200
[  384.313290]  [<ffffffff81038b0f>] start_secondary+0x13f/0x170

Fixes: 8a0f6ebe84 ("tipc: involve reference counter for node structure")
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-04-23 11:50:34 -04:00
addr.c tipc: fix two bugs in secondary destination lookup 2015-03-29 13:47:36 -07:00
addr.h tipc: fix two bugs in secondary destination lookup 2015-03-29 13:47:36 -07:00
bcast.c tipc: simplify link mtu negotiation 2015-04-02 16:27:12 -04:00
bcast.h tipc: fix potential deadlock when all links are reset 2015-03-29 12:40:27 -07:00
bearer.c tipc: ensure that idle links are deleted when a bearer is disabled 2015-03-10 18:37:36 -04:00
bearer.h tipc: add ip/udp media type 2015-03-05 22:08:42 -05:00
core.c tipc: fix a slab object leak 2015-03-31 23:10:08 -04:00
core.h tipc: remove tipc_snprintf 2015-02-09 13:20:49 -08:00
discover.c tipc: involve reference counter for node structure 2015-03-29 12:40:28 -07:00
discover.h
eth_media.c tipc: make media address offset a common define 2015-02-27 18:18:48 -05:00
ib_media.c tipc: rename media/msg related definitions 2015-02-27 18:18:48 -05:00
Kconfig tipc: add ip/udp media type 2015-03-05 22:08:42 -05:00
link.c tipc: fix node refcount issue 2015-04-23 11:50:34 -04:00
link.h tipc: simplify link mtu negotiation 2015-04-02 16:27:12 -04:00
Makefile tipc: add ip/udp media type 2015-03-05 22:08:42 -05:00
msg.c tipc: eliminate delayed link deletion at link failover 2015-04-02 16:27:12 -04:00
msg.h tipc: eliminate delayed link deletion at link failover 2015-04-02 16:27:12 -04:00
name_distr.c tipc: involve reference counter for node structure 2015-03-29 12:40:28 -07:00
name_distr.h tipc: resolve race problem at unicast message reception 2015-02-05 16:00:02 -08:00
name_table.c tipc: fix a potential deadlock when nametable is purged 2015-03-17 22:11:26 -04:00
name_table.h tipc: convert legacy nl name table dump to nl compat 2015-02-09 13:20:48 -08:00
net.c tipc: nl compat add noop and remove legacy nl framework 2015-02-09 13:20:49 -08:00
net.h
netlink_compat.c tipc: nl compat add noop and remove legacy nl framework 2015-02-09 13:20:49 -08:00
netlink.c tipc: move and rename the legacy nl api to "nl compat" 2015-02-09 13:20:47 -08:00
netlink.h tipc: move and rename the legacy nl api to "nl compat" 2015-02-09 13:20:47 -08:00
node.c tipc: simplify link mtu negotiation 2015-04-02 16:27:12 -04:00
node.h tipc: involve reference counter for node structure 2015-03-29 12:40:28 -07:00
server.c tipc: fix topology server broken issue 2015-04-23 11:50:34 -04:00
server.h
socket.c tipc: fix random link reset problem 2015-04-23 11:50:34 -04:00
socket.h tipc: fix netns refcnt leak 2015-03-17 22:11:26 -04:00
subscr.c tipc: fix nullpointer bug when subscribing to events 2015-02-27 18:18:47 -05:00
subscr.h
sysctl.c
udp_media.c udp_tunnel: Pass UDP socket down through udp_tunnel{, 6}_xmit_skb(). 2015-04-07 15:29:08 -04:00