When the TIPC module is unloaded, we have identified a race condition
that allows a node reference counter to go to zero and the node instance
to be freed before the node timer is finished with accessing it. This leads
to occasional crashes, especially in multi-namespace environments.

The scenario goes as follows:

CPU0:(node_stop)                       CPU1:(node_timeout)  // ref == 2

1:                                          if(!mod_timer())
2: if (del_timer())
3:   tipc_node_put()                                        // ref -> 1
4: tipc_node_put()                                          // ref -> 0
5:   kfree_rcu(node);
6:                                               tipc_node_get(node)
7:                                               // BOOM!

In this commit, we reverse the order of reference counter increment/
decrement, so that the counter can't reach zero in this scenario:

CPU0:(node_stop)                   CPU1:(node_timeout)    // ref == 2

1:                                 tipc_node_get(node)    // ref -> 3
2:                                    if (mod_timer())
3: if (del_timer())
4:    tipc_node_put()                                     // ref -> 2
5: tipc_node_put()                                        // ref -> 1
6:                                        tipc_node_put() // not called
7:                                    tipc_node_put()     // ref -> 0
8:                                       kfree_rcu(node)

In the above scenario, one should notice that rows 4 and 6 are mutually
exclusive, which means that the counter never goes to zero prematurely.

Reported-by: Jason Huzhijiang <huzhiji...@gmail.com>
Signed-off-by: Jon Maloy <jon.ma...@ericsson.com>
---
 net/tipc/node.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/tipc/node.c b/net/tipc/node.c
index 9d7a16f..b0deaae 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -530,8 +530,9 @@ static void tipc_node_timeout(unsigned long data)
                if (rc & TIPC_LINK_DOWN_EVT)
                        tipc_node_link_down(n, bearer_id, false);
        }
-       if (!mod_timer(&n->timer, jiffies + n->keepalive_intv))
-               tipc_node_get(n);
+       tipc_node_get(n);
+       if (mod_timer(&n->timer, jiffies + n->keepalive_intv))
+               tipc_node_put(n);
        tipc_node_put(n);
 }
 
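Review bot: the correctness of this hunk rests entirely on `tipc_node_get(n);` being executed before `mod_timer()`, and nothing in the code says so; please add a comment above the new `tipc_node_get(n);` line stating what the commit message explains (the extra reference taken before re-arming guarantees the count cannot reach zero when a concurrent `del_timer()` plus `tipc_node_put()` in node_stop wins the race), so that a later cleanup does not fold it back into the old conditional form. Also worth spelling out in the changelog that this only closes the premature-free window: in the interleaving where CPU0's `del_timer()` runs before CPU1's `mod_timer()`, `mod_timer()` returns 0, the conditional `tipc_node_put(n);` is skipped and the timer is re-armed after node_stop has already tried to stop it; the refcount stays consistent (the live timer still owns its reference), but the timer keeps running, so say whether node_stop is expected to cope with that.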
-- 
1.9.1


_______________________________________________
tipc-discussion mailing list
tipc-discussion@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tipc-discussion
