Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9e741045 authored by Vivien Didelot's avatar Vivien Didelot Committed by David S. Miller
Browse files

net: dsa: fix 'increment on 0' warning 



Setting the refcount to 0 when allocating a tree to match the number of
switch devices it holds may cause an 'increment on 0; use-after-free',
if CONFIG_REFCOUNT_FULL is enabled.

To fix this, do not decrement the refcount of a newly allocated tree,
increment it when an already allocated tree is found, and decrement it
after the probing of a switch, as done with the previous behavior.

At the same time, make dsa_tree_get and dsa_tree_put accept a NULL
argument to simplify callers, and return the tree after incrementation,
as most kref users like of_node_get and of_node_put do.

Fixes: 8e5bf975 ("net: dsa: simplify tree reference counting")
Signed-off-by: default avatarVivien Didelot <vivien.didelot@savoirfairelinux.com>
Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
Tested-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent afbea2cd

net/dsa/dsa2.c

+14 −11
Original line number Diff line number Diff line
@@ -51,9 +51,7 @@ static struct dsa_switch_tree *dsa_tree_alloc(int index) 
	INIT_LIST_HEAD(&dst->list);

	list_add_tail(&dsa_tree_list, &dst->list);



	/* Initialize the reference counter to the number of switches, not 1 */

	kref_init(&dst->refcount);

	refcount_set(&dst->refcount.refcount, 0);



	return dst;

}
@@ -64,20 +62,23 @@ static void dsa_tree_free(struct dsa_switch_tree *dst) 
	kfree(dst);

}



static struct dsa_switch_tree *dsa_tree_touch(int index)

static struct dsa_switch_tree *dsa_tree_get(struct dsa_switch_tree *dst)

{

	struct dsa_switch_tree *dst;



	dst = dsa_tree_find(index);

	if (!dst)

		dst = dsa_tree_alloc(index);

	if (dst)

		kref_get(&dst->refcount);



	return dst;

}



static void dsa_tree_get(struct dsa_switch_tree *dst)

static struct dsa_switch_tree *dsa_tree_touch(int index)

{

	kref_get(&dst->refcount);

	struct dsa_switch_tree *dst;



	dst = dsa_tree_find(index);

	if (dst)

		return dsa_tree_get(dst);

	else

		return dsa_tree_alloc(index);

}



static void dsa_tree_release(struct kref *ref)
@@ -91,6 +92,7 @@ static void dsa_tree_release(struct kref *ref) 


static void dsa_tree_put(struct dsa_switch_tree *dst)

{

	if (dst)

		kref_put(&dst->refcount, dsa_tree_release);

}
@@ -765,6 +767,7 @@ int dsa_register_switch(struct dsa_switch *ds) 


	mutex_lock(&dsa2_mutex);

	err = dsa_switch_probe(ds);

	dsa_tree_put(ds->dst);

	mutex_unlock(&dsa2_mutex);



	return err;