Commit e3ececfe authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

ref_tracker: implement use-after-free detection 



Whenever ref_tracker_dir_init() is called, mark the struct ref_tracker_dir
as dead.

Test the dead status from ref_tracker_alloc() and ref_tracker_free()

This should detect buggy dev_put()/dev_hold() happening too late
in netdevice dismantle process.

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent cc306350

include/linux/ref_tracker.h

+2 −0
Original line number Diff line number Diff line
@@ -13,6 +13,7 @@ struct ref_tracker_dir { 
	spinlock_t		lock;

	unsigned int		quarantine_avail;

	refcount_t		untracked;

	bool			dead;

	struct list_head	list; /* List of active trackers */

	struct list_head	quarantine; /* List of dead trackers */

#endif
@@ -26,6 +27,7 @@ static inline void ref_tracker_dir_init(struct ref_tracker_dir *dir, 
	INIT_LIST_HEAD(&dir->quarantine);

	spin_lock_init(&dir->lock);

	dir->quarantine_avail = quarantine_count;

	dir->dead = false;

	refcount_set(&dir->untracked, 1);

	stack_depot_init();

}

lib/ref_tracker.c

+5 −0
Original line number Diff line number Diff line
@@ -20,6 +20,7 @@ void ref_tracker_dir_exit(struct ref_tracker_dir *dir) 
	unsigned long flags;

	bool leak = false;



	dir->dead = true;

	spin_lock_irqsave(&dir->lock, flags);

	list_for_each_entry_safe(tracker, n, &dir->quarantine, head) {

		list_del(&tracker->head);
@@ -72,6 +73,8 @@ int ref_tracker_alloc(struct ref_tracker_dir *dir, 
	gfp_t gfp_mask = gfp;

	unsigned long flags;



	WARN_ON_ONCE(dir->dead);



	if (gfp & __GFP_DIRECT_RECLAIM)

		gfp_mask |= __GFP_NOFAIL;

	*trackerp = tracker = kzalloc(sizeof(*tracker), gfp_mask);
@@ -100,6 +103,8 @@ int ref_tracker_free(struct ref_tracker_dir *dir, 
	unsigned int nr_entries;

	unsigned long flags;



	WARN_ON_ONCE(dir->dead);



	if (!tracker) {

		refcount_dec(&dir->untracked);

		return -EEXIST;