ref_tracker: implement use-after-free detection
authorEric Dumazet <edumazet@google.com>
Fri, 4 Feb 2022 22:42:35 +0000 (14:42 -0800)
committerDavid S. Miller <davem@davemloft.net>
Sat, 5 Feb 2022 15:22:44 +0000 (15:22 +0000)
Whenever ref_tracker_dir_init() is called, mark the struct ref_tracker_dir
as dead.

Test the dead status from ref_tracker_alloc() and ref_tracker_free()

This should detect buggy dev_put()/dev_hold() happening too late
in netdevice dismantle process.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/ref_tracker.h
lib/ref_tracker.c

index 60f3453be23e6881725d383c55f93143fda1e7a2..a443abda937d86ff534225bf16b958a9da295a7d 100644 (file)
@@ -13,6 +13,7 @@ struct ref_tracker_dir {
        spinlock_t              lock;
        unsigned int            quarantine_avail;
        refcount_t              untracked;
+       bool                    dead;
        struct list_head        list; /* List of active trackers */
        struct list_head        quarantine; /* List of dead trackers */
 #endif
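Review bot: The new `dead` member has no comment, unlike the two list heads below it, and its lifetime limit is worth stating where it is declared. Something like `bool dead; /* set by ref_tracker_dir_exit(); later alloc/free calls WARN */` would do. Because the flag is stored in the directory itself, the check is only meaningful while the memory holding the `struct ref_tracker_dir` is still valid. If the directory is embedded in the tracked object, which this page does not show, a call arriving after that object is freed reads freed memory and needs KASAN or a similar tool to catch it. The struct definition starts before this hunk.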
@@ -26,6 +27,7 @@ static inline void ref_tracker_dir_init(struct ref_tracker_dir *dir,
        INIT_LIST_HEAD(&dir->quarantine);
        spin_lock_init(&dir->lock);
        dir->quarantine_avail = quarantine_count;
+       dir->dead = false;
        refcount_set(&dir->untracked, 1);
        stack_depot_init();
 }
index a6789c0c626b0f68ad67c264cd19177a63fb82d2..32ff6bd497f8e464eeb51a3628cb24bded0547da 100644 (file)
@@ -20,6 +20,7 @@ void ref_tracker_dir_exit(struct ref_tracker_dir *dir)
        unsigned long flags;
        bool leak = false;
 
+       dir->dead = true;
        spin_lock_irqsave(&dir->lock, flags);
        list_for_each_entry_safe(tracker, n, &dir->quarantine, head) {
                list_del(&tracker->head);
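Review bot: The store `dir->dead = true;` happens before `spin_lock_irqsave(&dir->lock, flags)`, and the reads added in ref_tracker_alloc() and ref_tracker_free() are also plain accesses outside the lock. A call racing with ref_tracker_dir_exit() may therefore miss the flag, and a data-race detector could report the pair. If the detection is meant to be best-effort, annotating the accesses makes that explicit: `WRITE_ONCE(dir->dead, true);` here and `WARN_ON_ONCE(READ_ONCE(dir->dead));` at the two readers. Alternatively, move the store below the lock acquisition. The function body continues past the end of this hunk.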
@@ -72,6 +73,8 @@ int ref_tracker_alloc(struct ref_tracker_dir *dir,
        gfp_t gfp_mask = gfp;
        unsigned long flags;
 
+       WARN_ON_ONCE(dir->dead);
+
        if (gfp & __GFP_DIRECT_RECLAIM)
                gfp_mask |= __GFP_NOFAIL;
        *trackerp = tracker = kzalloc(sizeof(*tracker), gfp_mask);
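Review bot: `WARN_ON_ONCE(dir->dead);` only reports, so after the warning ref_tracker_alloc() still goes on to `kzalloc()` a tracker for a directory that has already been torn down; the same applies to the identical check added in ref_tracker_free(). The rest of both functions is outside the hunks, so what happens to that tracker afterwards cannot be confirmed from here. Because the macro fires once per call site, only the first late dev_hold()/dev_put() is logged, and later offenders on other devices pass silently. A short comment above each check would help triage, for example `/* dir already went through ref_tracker_dir_exit(): reference taken or released too late */`. It is also worth deciding whether the late call should stop tracking here rather than continue.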
@@ -100,6 +103,8 @@ int ref_tracker_free(struct ref_tracker_dir *dir,
        unsigned int nr_entries;
        unsigned long flags;
 
+       WARN_ON_ONCE(dir->dead);
+
        if (!tracker) {
                refcount_dec(&dir->untracked);
                return -EEXIST;