review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Tomas Bortoli <tomasbortoli@gmail.com>
	Tue, 14 Aug 2018 17:43:42 +0000 (19:43 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 3 Jul 2019 11:14:42 +0000 (13:14 +0200)
commit	3665a4d9dca1bd06bc34afb72e637fe01b2776ee
tree	685753a989dd458d6206ee0d1666cfb81f8e233f	tree \| snapshot
parent	fa3625794f1a77335480234f59503905bff2a6d2	commit \| diff

9p: Add refcount to p9_req_t

[ Upstream commit 728356dedeff8ef999cb436c71333ef4ac51a81c ]

To avoid use-after-free(s), use a refcount to keep track of the
usable references to any instantiated struct p9_req_t.

This commit adds p9_req_put(), p9_req_get() and p9_req_try_get() as
wrappers to kref_put(), kref_get() and kref_get_unless_zero().
These are used by the client and the transports to keep track of
valid requests' references.

p9_free_req() is added back and used as callback by kref_put().

Add SLAB_TYPESAFE_BY_RCU as it ensures that the memory freed by
kmem_cache_free() will not be reused for another type until the rcu
synchronisation period is over, so an address gotten under rcu read
lock is safe to inc_ref() without corrupting random memory while
the lock is held.

Link: http://lkml.kernel.org/r/1535626341-20693-1-git-send-email-asmadeus@codewreck.org
Co-developed-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+467050c1ce275af2a5b8@syzkaller.appspotmail.com
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Sasha Levin <sashal@kernel.org>

include/net/9p/client.h		diff \| blob \| history
net/9p/client.c		diff \| blob \| history
net/9p/trans_fd.c		diff \| blob \| history
net/9p/trans_rdma.c		diff \| blob \| history
net/9p/trans_virtio.c		diff \| blob \| history
net/9p/trans_xen.c		diff \| blob \| history