This patch adds refcounting for qdisc->dev to avoid accessing freed memory
from the __qdisc_destroy rcu-callback when the device is unregistered.
Without refcounting, netdev_wait_allrefs could free the device before
__qdisc_destroy is done.
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2004/08/02 23:50:01+02:00 kaber@xxxxxxxxxxxx
# [PKT_SCHED: Refcount qdisc->dev for __qdisc_destroy rcu-callback
#
# Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
#
# net/sched/sch_generic.c
# 2004/08/02 23:49:40+02:00 kaber@xxxxxxxxxxxx +3 -0
# [PKT_SCHED: Refcount qdisc->dev for __qdisc_destroy rcu-callback
#
# net/sched/sch_api.c
# 2004/08/02 23:49:40+02:00 kaber@xxxxxxxxxxxx +1 -0
# [PKT_SCHED: Refcount qdisc->dev for __qdisc_destroy rcu-callback
#
diff -Nru a/net/sched/sch_api.c b/net/sched/sch_api.c
--- a/net/sched/sch_api.c 2004-08-03 01:10:18 +02:00
+++ b/net/sched/sch_api.c 2004-08-03 01:10:18 +02:00
@@ -430,6 +430,7 @@
sch->enqueue = ops->enqueue;
sch->dequeue = ops->dequeue;
sch->dev = dev;
+ dev_hold(dev);
atomic_set(&sch->refcnt, 1);
sch->stats_lock = &dev->queue_lock;
if (handle == 0) {
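Review bot: The reference taken by `dev_hold(dev)` here is only released in the `__qdisc_destroy` hunk of sch_generic.c, so any later failure exit in this function that frees `sch` directly, without going through the destroy path, would leave the device refcount elevated. The function continues outside the hunk, so the error exits are not visible, but the changeset lists sch_api.c as +3/-0 for sch_generic.c and +1 -0 for this file, meaning no matching `dev_put` was added here. The same concern applies to the `dev_hold(dev)` added in the first sch_generic.c hunk (`@@ -399,6 +399,7 @@`). A leaked reference would keep netdev_wait_allrefs waiting when the device is unregistered, so each error exit after this line should call `dev_put(dev);` before freeing `sch`.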
diff -Nru a/net/sched/sch_generic.c b/net/sched/sch_generic.c
--- a/net/sched/sch_generic.c 2004-08-03 01:10:18 +02:00
+++ b/net/sched/sch_generic.c 2004-08-03 01:10:18 +02:00
@@ -399,6 +399,7 @@
sch->enqueue = ops->enqueue;
sch->dequeue = ops->dequeue;
sch->dev = dev;
+ dev_hold(dev);
sch->stats_lock = &dev->queue_lock;
atomic_set(&sch->refcnt, 1);
/* enqueue is accessed locklessly - make sure it's visible
@@ -440,6 +441,8 @@
write_unlock(&qdisc_tree_lock);
module_put(ops->owner);
+ if (qdisc->dev)
+ dev_put(qdisc->dev);
if (!(qdisc->flags&TCQ_F_BUILTIN))
kfree(qdisc);
}
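Review bot: The `if (qdisc->dev)` guard ties the put to the pointer being non-NULL rather than to a hold actually having been taken, and nothing in the hunk says which qdiscs are expected to reach this point with a NULL dev. Presumably it covers statically defined qdiscs (the `TCQ_F_BUILTIN` case on the next line), but that is an inference from the visible lines. I would add a comment above the check, for example `/* pairs with dev_hold() at qdisc creation; qdiscs never bound to a device have dev == NULL */`, so a future path that sets `sch->dev` without a hold is recognised as a refcount underflow. The enclosing function begins outside the hunk.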