/* * netsniff-ng - the packet sniffing beast * Copyright 2009, 2010 Daniel Borkmann. * Subject to the GPL, version 2. */ #include #include "hash.h" #include "oui.h" #include "str.h" #include "protos.h" #include "pkt_buff.h" #include "dissector.h" #include "dissector_eth.h" #include "xmalloc.h" struct hash_table eth_lay2; struct hash_table eth_lay3; static struct hash_table eth_ether_types; static struct hash_table eth_ports_udp; static struct hash_table eth_ports_tcp; struct port { unsigned int id; char *port; struct port *next; }; #define __do_lookup_inline(id, struct_name, hash_ptr, struct_member) \ ({ \ struct struct_name *entry = lookup_hash(id, hash_ptr); \ \ while (entry && id != entry->id) \ entry = entry->next; \ \ (entry && id == entry->id ? entry->struct_member : 0); \ }) char *lookup_port_udp(unsigned int id) { return __do_lookup_inline(id, port, ð_ports_udp, port); } char *lookup_port_tcp(unsigned int id) { return __do_lookup_inline(id, port, ð_ports_tcp, port); } char *lookup_ether_type(unsigned int id) { return __do_lookup_inline(id, port, ð_ether_types, port); } #ifdef __WITH_PROTOS static inline void dissector_init_entry(int type) { dissector_set_print_type(ðernet_ops, type); } static inline void dissector_init_exit(int type) { dissector_set_print_type(&none_ops, type); } static void dissector_init_layer_2(int type) { init_hash(ð_lay2); INSERT_HASH_PROTOS(arp_ops, eth_lay2); INSERT_HASH_PROTOS(lldp_ops, eth_lay2); INSERT_HASH_PROTOS(vlan_ops, eth_lay2); INSERT_HASH_PROTOS(ipv4_ops, eth_lay2); INSERT_HASH_PROTOS(ipv6_ops, eth_lay2); INSERT_HASH_PROTOS(QinQ_ops, eth_lay2); INSERT_HASH_PROTOS(mpls_uc_ops, eth_lay2); for_each_hash_int(ð_lay2, dissector_set_print_type, type); } static void dissector_init_layer_3(int type) { init_hash(ð_lay3); INSERT_HASH_PROTOS(icmpv4_ops, eth_lay3); INSERT_HASH_PROTOS(icmpv6_ops, eth_lay3); INSERT_HASH_PROTOS(igmp_ops, eth_lay3); INSERT_HASH_PROTOS(ip_auth_ops, eth_lay3); INSERT_HASH_PROTOS(ip_esp_ops, eth_lay3); INSERT_HASH_PROTOS(ipv6_dest_opts_ops, eth_lay3); INSERT_HASH_PROTOS(ipv6_fragm_ops, eth_lay3); INSERT_HASH_PROTOS(ipv6_hop_by_hop_ops, eth_lay3); INSERT_HASH_PROTOS(ipv6_in_ipv4_ops, eth_lay3); INSERT_HASH_PROTOS(ipv6_mobility_ops, eth_lay3); INSERT_HASH_PROTOS(ipv6_no_next_header_ops, eth_lay3); INSERT_HASH_PROTOS(ipv6_routing_ops, eth_lay3); INSERT_HASH_PROTOS(tcp_ops, eth_lay3); INSERT_HASH_PROTOS(udp_ops, eth_lay3); for_each_hash_int(ð_lay3, dissector_set_print_type, type); } #else static inline void dissector_init_entry(int type) {} static inline void dissector_init_exit(int type) {} static void dissector_init_layer_2(int type) {} static void dissector_init_layer_3(int type) {} #endif /* __WITH_PROTOS */ enum ports { PORTS_UDP, PORTS_TCP, PORTS_ETHER, }; static void dissector_init_ports(enum ports which) { FILE *fp; char buff[128], *ptr, *file, *end; struct hash_table *table; struct port *p; void **pos; switch (which) { case PORTS_UDP: file = PREFIX_STRING "/etc/netsniff-ng/udp.conf"; table = ð_ports_udp; break; case PORTS_TCP: file = PREFIX_STRING "/etc/netsniff-ng/tcp.conf"; table = ð_ports_tcp; break; case PORTS_ETHER: file = PREFIX_STRING "/etc/netsniff-ng/ether.conf"; table = ð_ether_types; break; default: bug(); } fp = fopen(file, "r"); if (!fp) panic("No %s found!\n", file); memset(buff, 0, sizeof(buff)); while (fgets(buff, sizeof(buff), fp) != NULL) { buff[sizeof(buff) - 1] = 0; ptr = buff; p = xmalloc(sizeof(*p)); p->id = strtol(ptr, &end, 0); /* not a valid line, skip */ if (p->id == 0 && end == ptr) { xfree(p); continue; } ptr = strstr(buff, ", "); /* likewise */ if (!ptr) { xfree(p); continue; } ptr += strlen(", "); ptr = strtrim_right(ptr, '\n'); ptr = strtrim_right(ptr, ' '); p->port = xstrdup(ptr); p->next = NULL; pos = insert_hash(p->id, p, table); if (pos) { p->next = *pos; *pos = p; } memset(buff, 0, sizeof(buff)); } fclose(fp); } static int dissector_cleanup_ports(void *ptr) { struct port *tmp, *p = ptr; if (!ptr) return 0; while ((tmp = p->next)) { xfree(p->port); xfree(p); p = tmp; } xfree(p->port); xfree(p); return 0; } void dissector_init_ethernet(int fnttype) { dissector_init_entry(fnttype); dissector_init_layer_2(fnttype); dissector_init_layer_3(fnttype); dissector_init_exit(fnttype); #ifdef __WITH_PROTOS dissector_init_oui(); #endif dissector_init_ports(PORTS_UDP); dissector_init_ports(PORTS_TCP); dissector_init_ports(PORTS_ETHER); } void dissector_cleanup_ethernet(void) { free_hash(ð_lay2); free_hash(ð_lay3); for_each_hash(ð_ether_types, dissector_cleanup_ports); for_each_hash(ð_ports_udp, dissector_cleanup_ports); for_each_hash(ð_ports_tcp, dissector_cleanup_ports); free_hash(ð_ether_types); free_hash(ð_ports_udp); free_hash(ð_ports_tcp); #ifdef __WITH_PROTOS dissector_cleanup_oui(); #endif } committerTejun Heo <tj@kernel.org>2017-01-28 07:49:42 -0500 commit966d2b04e070bc040319aaebfec09e0144dc3341 (patch) tree4b96156e3d1dd4dfd6039b7c219c9dc4616da52d /net/ipv6/xfrm6_output.c parent1b1bc42c1692e9b62756323c675a44cb1a1f9dbd (diff)
percpu-refcount: fix reference leak during percpu-atomic transition
percpu_ref_tryget() and percpu_ref_tryget_live() should return "true" IFF they acquire a reference. But the return value from atomic_long_inc_not_zero() is a long and may have high bits set, e.g. PERCPU_COUNT_BIAS, and the return value of the tryget routines is bool so the reference may actually be acquired but the routines return "false" which results in a reference leak since the caller assumes it does not need to do a corresponding percpu_ref_put(). This was seen when performing CPU hotplug during I/O, as hangs in blk_mq_freeze_queue_wait where percpu_ref_kill (blk_mq_freeze_queue_start) raced with percpu_ref_tryget (blk_mq_timeout_work). Sample stack trace: __switch_to+0x2c0/0x450 __schedule+0x2f8/0x970 schedule+0x48/0xc0 blk_mq_freeze_queue_wait+0x94/0x120 blk_mq_queue_reinit_work+0xb8/0x180 blk_mq_queue_reinit_prepare+0x84/0xa0 cpuhp_invoke_callback+0x17c/0x600 cpuhp_up_callbacks+0x58/0x150 _cpu_up+0xf0/0x1c0 do_cpu_up+0x120/0x150 cpu_subsys_online+0x64/0xe0 device_online+0xb4/0x120 online_store+0xb4/0xc0 dev_attr_store+0x68/0xa0 sysfs_kf_write+0x80/0xb0 kernfs_fop_write+0x17c/0x250 __vfs_write+0x6c/0x1e0 vfs_write+0xd0/0x270 SyS_write+0x6c/0x110 system_call+0x38/0xe0 Examination of the queue showed a single reference (no PERCPU_COUNT_BIAS, and __PERCPU_REF_DEAD, __PERCPU_REF_ATOMIC set) and no requests. However, conditions at the time of the race are count of PERCPU_COUNT_BIAS + 0 and __PERCPU_REF_DEAD and __PERCPU_REF_ATOMIC set. The fix is to make the tryget routines use an actual boolean internally instead of the atomic long result truncated to a int. Fixes: e625305b3907 percpu-refcount: make percpu_ref based on longs instead of ints Link: https://bugzilla.kernel.org/show_bug.cgi?id=190751 Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com> Reviewed-by: Jens Axboe <axboe@fb.com> Signed-off-by: Tejun Heo <tj@kernel.org> Fixes: e625305b3907 ("percpu-refcount: make percpu_ref based on longs instead of ints") Cc: stable@vger.kernel.org # v3.18+
Diffstat (limited to 'net/ipv6/xfrm6_output.c')