Commit e3ececfe authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

ref_tracker: implement use-after-free detection

Whenever ref_tracker_dir_init() is called, mark the struct ref_tracker_dir
as dead.

Test the dead status from ref_tracker_alloc() and ref_tracker_free()

This should detect buggy dev_put()/dev_hold() happening too late
in netdevice dismantle process.
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent cc306350
...@@ -13,6 +13,7 @@ struct ref_tracker_dir { ...@@ -13,6 +13,7 @@ struct ref_tracker_dir {
spinlock_t lock; spinlock_t lock;
unsigned int quarantine_avail; unsigned int quarantine_avail;
refcount_t untracked; refcount_t untracked;
bool dead;
struct list_head list; /* List of active trackers */ struct list_head list; /* List of active trackers */
struct list_head quarantine; /* List of dead trackers */ struct list_head quarantine; /* List of dead trackers */
#endif #endif
...@@ -26,6 +27,7 @@ static inline void ref_tracker_dir_init(struct ref_tracker_dir *dir, ...@@ -26,6 +27,7 @@ static inline void ref_tracker_dir_init(struct ref_tracker_dir *dir,
INIT_LIST_HEAD(&dir->quarantine); INIT_LIST_HEAD(&dir->quarantine);
spin_lock_init(&dir->lock); spin_lock_init(&dir->lock);
dir->quarantine_avail = quarantine_count; dir->quarantine_avail = quarantine_count;
dir->dead = false;
refcount_set(&dir->untracked, 1); refcount_set(&dir->untracked, 1);
stack_depot_init(); stack_depot_init();
} }
......
...@@ -20,6 +20,7 @@ void ref_tracker_dir_exit(struct ref_tracker_dir *dir) ...@@ -20,6 +20,7 @@ void ref_tracker_dir_exit(struct ref_tracker_dir *dir)
unsigned long flags; unsigned long flags;
bool leak = false; bool leak = false;
dir->dead = true;
spin_lock_irqsave(&dir->lock, flags); spin_lock_irqsave(&dir->lock, flags);
list_for_each_entry_safe(tracker, n, &dir->quarantine, head) { list_for_each_entry_safe(tracker, n, &dir->quarantine, head) {
list_del(&tracker->head); list_del(&tracker->head);
...@@ -72,6 +73,8 @@ int ref_tracker_alloc(struct ref_tracker_dir *dir, ...@@ -72,6 +73,8 @@ int ref_tracker_alloc(struct ref_tracker_dir *dir,
gfp_t gfp_mask = gfp; gfp_t gfp_mask = gfp;
unsigned long flags; unsigned long flags;
WARN_ON_ONCE(dir->dead);
if (gfp & __GFP_DIRECT_RECLAIM) if (gfp & __GFP_DIRECT_RECLAIM)
gfp_mask |= __GFP_NOFAIL; gfp_mask |= __GFP_NOFAIL;
*trackerp = tracker = kzalloc(sizeof(*tracker), gfp_mask); *trackerp = tracker = kzalloc(sizeof(*tracker), gfp_mask);
...@@ -100,6 +103,8 @@ int ref_tracker_free(struct ref_tracker_dir *dir, ...@@ -100,6 +103,8 @@ int ref_tracker_free(struct ref_tracker_dir *dir,
unsigned int nr_entries; unsigned int nr_entries;
unsigned long flags; unsigned long flags;
WARN_ON_ONCE(dir->dead);
if (!tracker) { if (!tracker) {
refcount_dec(&dir->untracked); refcount_dec(&dir->untracked);
return -EEXIST; return -EEXIST;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment