Received: by 10.223.164.202 with SMTP id h10csp2289288wrb;
        Fri, 24 Nov 2017 08:37:01 -0800 (PST)
X-Google-Smtp-Source: AGs4zMZ+y3B1iMBH/0dtthHoDw2ECQoJF1wvApqgKWYRCX17DbS8pq9W/snPwm53zG+mnQQLIBM0
X-Received: by 10.84.235.140 with SMTP id p12mr26757493plk.153.1511541421149;
        Fri, 24 Nov 2017 08:37:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511541421; cv=none;
        d=google.com; s=arc-20160816;
        b=mNQt9kMH9eCmDlGM6gFm6r20Hfg4oTy0rUPvez3ne49h7NAj6AxCm1c6GEVhTZ23HC
         0WYxZSFKuuOL+bmTJfzsGL6SXR783vMiKtZVvb4pDgtsdi0TVitlkVgZFEEovM36wlwQ
         xXeAPeuC99UNN9ISVAq3BnVGmk0SFq6myo0dKDUiHOzvWDLjhcJteNxP020VSGDAhv/G
         4VlU382ZkxNFdANIZSNGcHceMDzS8Ahln2i4/BTElbDotaobZS/k4P2IAHS12POCZymB
         TZW+t6q2i/mkRmIRWq/a5eQhobx42GahruGT5uMudhmYa6xulO848DGYQjUsZEGkPJrB
         8yUg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=2PGvBo5ythqGzHZl1xg+ARQbh2x9uwU98idhXieKdM8=;
        b=GJpagIT5uPEDkudum6HIJYLd9E8/1hFMo79FfxFE4DVP54IxnM8UqPStefgpQtKqrX
         kN8pR4yLxAsfmS/SI9Bxkx4n5ouYYuUITYZRCBUcHvEDYIXr6iOliyXTBI57/LfnNy4s
         dYvPtf2hciFKrTWH8fZiANXISNB0wYe23j6WVxY+r45GVIGzYUYGpJ/WmMM9JhtSTmN+
         BCFoZGVQtEHr67XKGOHCbq1AjP5Xf2iWEcN+IaAo3P5KvsHS+XhN5Zi8jahO4rQ8jeK/
         vIVNWmn5on3FA+mYGgMQgVZDwZX2cxchPa+0oSNlSrnBx5VfzCrgdb5nuDWv+8bPPW13
         w2yg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 37si4582470plq.194.2017.11.24.08.36.49;
        Fri, 24 Nov 2017 08:37:01 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753632AbdKXQgN (ORCPT <rfc822;ntypanski@gmail.com> + 77 others);
        Fri, 24 Nov 2017 11:36:13 -0500
Received: from mail.savoirfairelinux.com ([208.88.110.44]:43504 "EHLO
        mail.savoirfairelinux.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751018AbdKXQgL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 24 Nov 2017 11:36:11 -0500
Received: from localhost (localhost [127.0.0.1])
        by mail.savoirfairelinux.com (Postfix) with ESMTP id E68129C2F13;
        Fri, 24 Nov 2017 11:36:10 -0500 (EST)
Received: from mail.savoirfairelinux.com ([127.0.0.1])
        by localhost (mail.savoirfairelinux.com [127.0.0.1]) (amavisd-new, port 10032)
        with ESMTP id 3_ZYE8ZbtIZm; Fri, 24 Nov 2017 11:36:10 -0500 (EST)
Received: from localhost (localhost [127.0.0.1])
        by mail.savoirfairelinux.com (Postfix) with ESMTP id 5E7919C2E37;
        Fri, 24 Nov 2017 11:36:10 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.savoirfairelinux.com
Received: from mail.savoirfairelinux.com ([127.0.0.1])
        by localhost (mail.savoirfairelinux.com [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id desk4sHAhq6S; Fri, 24 Nov 2017 11:36:10 -0500 (EST)
Received: from weeman.mtl.sfl (unknown [192.168.49.104])
        by mail.savoirfairelinux.com (Postfix) with ESMTPSA id 354709C2F13;
        Fri, 24 Nov 2017 11:36:10 -0500 (EST)
From:   Vivien Didelot <vivien.didelot@savoirfairelinux.com>
To:     netdev@vger.kernel.org
Cc:     linux-kernel@vger.kernel.org, kernel@savoirfairelinux.com,
        "David S. Miller" <davem@davemloft.net>,
        Florian Fainelli <f.fainelli@gmail.com>,
        Andrew Lunn <andrew@lunn.ch>,
        Fengguang Wu <fengguang.wu@intel.com>, wfg@linux.intel.com,
        LKP <lkp@01.org>,
        Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Subject: [PATCH net] net: dsa: fix 'increment on 0' warning
Date:   Fri, 24 Nov 2017 11:36:06 -0500
Message-Id: <20171124163606.11212-1-vivien.didelot@savoirfairelinux.com>
X-Mailer: git-send-email 2.15.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Setting the refcount to 0 when allocating a tree to match the number of
switch devices it holds may cause an 'increment on 0; use-after-free',
if CONFIG_REFCOUNT_FULL is enabled.

To fix this, do not decrement the refcount of a newly allocated tree,
increment it when an already allocated tree is found, and decrement it
after the probing of a switch, as done with the previous behavior.

At the same time, make dsa_tree_get and dsa_tree_put accept a NULL
argument to simplify callers, and return the tree after incrementation,
as most kref users like of_node_get and of_node_put do.

Fixes: 8e5bf9759a06 ("net: dsa: simplify tree reference counting")
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
---
 net/dsa/dsa2.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c
index 44e3fb7dec8c..1e287420ff49 100644
--- a/net/dsa/dsa2.c
+++ b/net/dsa/dsa2.c
@@ -51,9 +51,7 @@ static struct dsa_switch_tree *dsa_tree_alloc(int index)
 	INIT_LIST_HEAD(&dst->list);
 	list_add_tail(&dsa_tree_list, &dst->list);
 
-	/* Initialize the reference counter to the number of switches, not 1 */
 	kref_init(&dst->refcount);
-	refcount_set(&dst->refcount.refcount, 0);
 
 	return dst;
 }
@@ -64,20 +62,23 @@ static void dsa_tree_free(struct dsa_switch_tree *dst)
 	kfree(dst);
 }
 
+static struct dsa_switch_tree *dsa_tree_get(struct dsa_switch_tree *dst)
+{
+	if (dst)
+		kref_get(&dst->refcount);
+
+	return dst;
+}
+
 static struct dsa_switch_tree *dsa_tree_touch(int index)
 {
 	struct dsa_switch_tree *dst;
 
 	dst = dsa_tree_find(index);
-	if (!dst)
-		dst = dsa_tree_alloc(index);
-
-	return dst;
-}
-
-static void dsa_tree_get(struct dsa_switch_tree *dst)
-{
-	kref_get(&dst->refcount);
+	if (dst)
+		return dsa_tree_get(dst);
+	else
+		return dsa_tree_alloc(index);
 }
 
 static void dsa_tree_release(struct kref *ref)
@@ -91,7 +92,8 @@ static void dsa_tree_release(struct kref *ref)
 
 static void dsa_tree_put(struct dsa_switch_tree *dst)
 {
-	kref_put(&dst->refcount, dsa_tree_release);
+	if (dst)
+		kref_put(&dst->refcount, dsa_tree_release);
 }
 
 static bool dsa_port_is_dsa(struct dsa_port *port)
@@ -765,6 +767,7 @@ int dsa_register_switch(struct dsa_switch *ds)
 
 	mutex_lock(&dsa2_mutex);
 	err = dsa_switch_probe(ds);
+	dsa_tree_put(ds->dst);
 	mutex_unlock(&dsa2_mutex);
 
 	return err;
-- 
2.15.0


From 1584984995383770307@xxx Fri Nov 24 21:38:01 +0000 2017
X-GM-THRID: 1584796433942799837
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread