]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - net/tipc/subscr.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tipc: fix a race condition leading to subscriber refcnt bug
[mirror_ubuntu-artful-kernel.git] / net / tipc / subscr.c
1 /*
2 * net/tipc/subscr.c: TIPC network topology service
3 *
4 * Copyright (c) 2000-2006, Ericsson AB
5 * Copyright (c) 2005-2007, 2010-2013, Wind River Systems
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the names of the copyright holders nor the names of its
17 * contributors may be used to endorse or promote products derived from
18 * this software without specific prior written permission.
19 *
20 * Alternatively, this software may be distributed under the terms of the
21 * GNU General Public License ("GPL") version 2 as published by the Free
22 * Software Foundation.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
25 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
34 * POSSIBILITY OF SUCH DAMAGE.
35 */
36
37 #include "core.h"
38 #include "name_table.h"
39 #include "subscr.h"
40
41 /**
42 * struct tipc_subscriber - TIPC network topology subscriber
43 * @kref: reference counter to tipc_subscription object
44 * @conid: connection identifier to server connecting to subscriber
45 * @lock: control access to subscriber
46 * @subscrp_list: list of subscription objects for this subscriber
47 */
48 struct tipc_subscriber {
49 struct kref kref;
50 int conid;
51 spinlock_t lock;
52 struct list_head subscrp_list;
53 };
54
55 static void tipc_subscrp_delete(struct tipc_subscription *sub);
56 static void tipc_subscrb_put(struct tipc_subscriber *subscriber);
57
58 /**
59 * htohl - convert value to endianness used by destination
60 * @in: value to convert
61 * @swap: non-zero if endianness must be reversed
62 *
63 * Returns converted value
64 */
65 static u32 htohl(u32 in, int swap)
66 {
67 return swap ? swab32(in) : in;
68 }
69
70 static void tipc_subscrp_send_event(struct tipc_subscription *sub,
71 u32 found_lower, u32 found_upper,
72 u32 event, u32 port_ref, u32 node)
73 {
74 struct tipc_net *tn = net_generic(sub->net, tipc_net_id);
75 struct tipc_subscriber *subscriber = sub->subscriber;
76 struct kvec msg_sect;
77
78 msg_sect.iov_base = (void *)&sub->evt;
79 msg_sect.iov_len = sizeof(struct tipc_event);
80 sub->evt.event = htohl(event, sub->swap);
81 sub->evt.found_lower = htohl(found_lower, sub->swap);
82 sub->evt.found_upper = htohl(found_upper, sub->swap);
83 sub->evt.port.ref = htohl(port_ref, sub->swap);
84 sub->evt.port.node = htohl(node, sub->swap);
85 tipc_conn_sendmsg(tn->topsrv, subscriber->conid, NULL,
86 msg_sect.iov_base, msg_sect.iov_len);
87 }
88
89 /**
90 * tipc_subscrp_check_overlap - test for subscription overlap with the
91 * given values
92 *
93 * Returns 1 if there is overlap, otherwise 0.
94 */
95 int tipc_subscrp_check_overlap(struct tipc_name_seq *seq, u32 found_lower,
96 u32 found_upper)
97 {
98 if (found_lower < seq->lower)
99 found_lower = seq->lower;
100 if (found_upper > seq->upper)
101 found_upper = seq->upper;
102 if (found_lower > found_upper)
103 return 0;
104 return 1;
105 }
106
107 u32 tipc_subscrp_convert_seq_type(u32 type, int swap)
108 {
109 return htohl(type, swap);
110 }
111
112 void tipc_subscrp_convert_seq(struct tipc_name_seq *in, int swap,
113 struct tipc_name_seq *out)
114 {
115 out->type = htohl(in->type, swap);
116 out->lower = htohl(in->lower, swap);
117 out->upper = htohl(in->upper, swap);
118 }
119
120 void tipc_subscrp_report_overlap(struct tipc_subscription *sub, u32 found_lower,
121 u32 found_upper, u32 event, u32 port_ref,
122 u32 node, int must)
123 {
124 struct tipc_name_seq seq;
125
126 tipc_subscrp_convert_seq(&sub->evt.s.seq, sub->swap, &seq);
127 if (!tipc_subscrp_check_overlap(&seq, found_lower, found_upper))
128 return;
129 if (!must &&
130 !(htohl(sub->evt.s.filter, sub->swap) & TIPC_SUB_PORTS))
131 return;
132
133 tipc_subscrp_send_event(sub, found_lower, found_upper, event, port_ref,
134 node);
135 }
136
137 static void tipc_subscrp_timeout(unsigned long data)
138 {
139 struct tipc_subscription *sub = (struct tipc_subscription *)data;
140 struct tipc_subscriber *subscriber = sub->subscriber;
141
142 /* Notify subscriber of timeout */
143 tipc_subscrp_send_event(sub, sub->evt.s.seq.lower, sub->evt.s.seq.upper,
144 TIPC_SUBSCR_TIMEOUT, 0, 0);
145
146 spin_lock_bh(&subscriber->lock);
147 tipc_subscrp_delete(sub);
148 spin_unlock_bh(&subscriber->lock);
149
150 tipc_subscrb_put(subscriber);
151 }
152
153 static void tipc_subscrb_kref_release(struct kref *kref)
154 {
155 struct tipc_subscriber *subcriber = container_of(kref,
156 struct tipc_subscriber, kref);
157
158 kfree(subcriber);
159 }
160
161 static void tipc_subscrb_put(struct tipc_subscriber *subscriber)
162 {
163 kref_put(&subscriber->kref, tipc_subscrb_kref_release);
164 }
165
166 static void tipc_subscrb_get(struct tipc_subscriber *subscriber)
167 {
168 kref_get(&subscriber->kref);
169 }
170
171 static struct tipc_subscriber *tipc_subscrb_create(int conid)
172 {
173 struct tipc_subscriber *subscriber;
174
175 subscriber = kzalloc(sizeof(*subscriber), GFP_ATOMIC);
176 if (!subscriber) {
177 pr_warn("Subscriber rejected, no memory\n");
178 return NULL;
179 }
180 kref_init(&subscriber->kref);
181 INIT_LIST_HEAD(&subscriber->subscrp_list);
182 subscriber->conid = conid;
183 spin_lock_init(&subscriber->lock);
184
185 return subscriber;
186 }
187
188 static void tipc_subscrb_delete(struct tipc_subscriber *subscriber)
189 {
190 struct tipc_subscription *sub, *temp;
191 u32 timeout;
192
193 spin_lock_bh(&subscriber->lock);
194 /* Destroy any existing subscriptions for subscriber */
195 list_for_each_entry_safe(sub, temp, &subscriber->subscrp_list,
196 subscrp_list) {
197 timeout = htohl(sub->evt.s.timeout, sub->swap);
198 if ((timeout == TIPC_WAIT_FOREVER) || del_timer(&sub->timer)) {
199 tipc_subscrp_delete(sub);
200 tipc_subscrb_put(subscriber);
201 }
202 }
203 spin_unlock_bh(&subscriber->lock);
204
205 tipc_subscrb_put(subscriber);
206 }
207
208 static void tipc_subscrp_delete(struct tipc_subscription *sub)
209 {
210 struct tipc_net *tn = net_generic(sub->net, tipc_net_id);
211
212 tipc_nametbl_unsubscribe(sub);
213 list_del(&sub->subscrp_list);
214 kfree(sub);
215 atomic_dec(&tn->subscription_count);
216 }
217
218 static void tipc_subscrp_cancel(struct tipc_subscr *s,
219 struct tipc_subscriber *subscriber)
220 {
221 struct tipc_subscription *sub, *temp;
222 u32 timeout;
223
224 spin_lock_bh(&subscriber->lock);
225 /* Find first matching subscription, exit if not found */
226 list_for_each_entry_safe(sub, temp, &subscriber->subscrp_list,
227 subscrp_list) {
228 if (!memcmp(s, &sub->evt.s, sizeof(struct tipc_subscr))) {
229 timeout = htohl(sub->evt.s.timeout, sub->swap);
230 if ((timeout == TIPC_WAIT_FOREVER) ||
231 del_timer(&sub->timer)) {
232 tipc_subscrp_delete(sub);
233 tipc_subscrb_put(subscriber);
234 }
235 break;
236 }
237 }
238 spin_unlock_bh(&subscriber->lock);
239 }
240
241 static struct tipc_subscription *tipc_subscrp_create(struct net *net,
242 struct tipc_subscr *s,
243 int swap)
244 {
245 struct tipc_net *tn = net_generic(net, tipc_net_id);
246 struct tipc_subscription *sub;
247 u32 filter = htohl(s->filter, swap);
248
249 /* Refuse subscription if global limit exceeded */
250 if (atomic_read(&tn->subscription_count) >= TIPC_MAX_SUBSCRIPTIONS) {
251 pr_warn("Subscription rejected, limit reached (%u)\n",
252 TIPC_MAX_SUBSCRIPTIONS);
253 return NULL;
254 }
255
256 /* Allocate subscription object */
257 sub = kmalloc(sizeof(*sub), GFP_ATOMIC);
258 if (!sub) {
259 pr_warn("Subscription rejected, no memory\n");
260 return NULL;
261 }
262
263 /* Initialize subscription object */
264 sub->net = net;
265 if (((filter & TIPC_SUB_PORTS) && (filter & TIPC_SUB_SERVICE)) ||
266 (htohl(s->seq.lower, swap) > htohl(s->seq.upper, swap))) {
267 pr_warn("Subscription rejected, illegal request\n");
268 kfree(sub);
269 return NULL;
270 }
271
272 sub->swap = swap;
273 memcpy(&sub->evt.s, s, sizeof(*s));
274 atomic_inc(&tn->subscription_count);
275 return sub;
276 }
277
278 static void tipc_subscrp_subscribe(struct net *net, struct tipc_subscr *s,
279 struct tipc_subscriber *subscriber, int swap)
280 {
281 struct tipc_net *tn = net_generic(net, tipc_net_id);
282 struct tipc_subscription *sub = NULL;
283 u32 timeout;
284
285 sub = tipc_subscrp_create(net, s, swap);
286 if (!sub)
287 return tipc_conn_terminate(tn->topsrv, subscriber->conid);
288
289 spin_lock_bh(&subscriber->lock);
290 list_add(&sub->subscrp_list, &subscriber->subscrp_list);
291 tipc_subscrb_get(subscriber);
292 sub->subscriber = subscriber;
293 tipc_nametbl_subscribe(sub);
294 spin_unlock_bh(&subscriber->lock);
295
296 timeout = htohl(sub->evt.s.timeout, swap);
297 if (timeout == TIPC_WAIT_FOREVER)
298 return;
299
300 setup_timer(&sub->timer, tipc_subscrp_timeout, (unsigned long)sub);
301 mod_timer(&sub->timer, jiffies + msecs_to_jiffies(timeout));
302 }
303
304 /* Handle one termination request for the subscriber */
305 static void tipc_subscrb_release_cb(int conid, void *usr_data)
306 {
307 tipc_subscrb_delete((struct tipc_subscriber *)usr_data);
308 }
309
310 /* Handle one request to create a new subscription for the subscriber */
311 static void tipc_subscrb_rcv_cb(struct net *net, int conid,
312 struct sockaddr_tipc *addr, void *usr_data,
313 void *buf, size_t len)
314 {
315 struct tipc_subscriber *subscriber = usr_data;
316 struct tipc_subscr *s = (struct tipc_subscr *)buf;
317 int swap;
318
319 /* Determine subscriber's endianness */
320 swap = !(s->filter & (TIPC_SUB_PORTS | TIPC_SUB_SERVICE |
321 TIPC_SUB_CANCEL));
322
323 /* Detect & process a subscription cancellation request */
324 if (s->filter & htohl(TIPC_SUB_CANCEL, swap)) {
325 s->filter &= ~htohl(TIPC_SUB_CANCEL, swap);
326 return tipc_subscrp_cancel(s, subscriber);
327 }
328
329 if (s)
330 tipc_subscrp_subscribe(net, s, subscriber, swap);
331 }
332
333 /* Handle one request to establish a new subscriber */
334 static void *tipc_subscrb_connect_cb(int conid)
335 {
336 return (void *)tipc_subscrb_create(conid);
337 }
338
339 int tipc_topsrv_start(struct net *net)
340 {
341 struct tipc_net *tn = net_generic(net, tipc_net_id);
342 const char name[] = "topology_server";
343 struct tipc_server *topsrv;
344 struct sockaddr_tipc *saddr;
345
346 saddr = kzalloc(sizeof(*saddr), GFP_ATOMIC);
347 if (!saddr)
348 return -ENOMEM;
349 saddr->family = AF_TIPC;
350 saddr->addrtype = TIPC_ADDR_NAMESEQ;
351 saddr->addr.nameseq.type = TIPC_TOP_SRV;
352 saddr->addr.nameseq.lower = TIPC_TOP_SRV;
353 saddr->addr.nameseq.upper = TIPC_TOP_SRV;
354 saddr->scope = TIPC_NODE_SCOPE;
355
356 topsrv = kzalloc(sizeof(*topsrv), GFP_ATOMIC);
357 if (!topsrv) {
358 kfree(saddr);
359 return -ENOMEM;
360 }
361 topsrv->net = net;
362 topsrv->saddr = saddr;
363 topsrv->imp = TIPC_CRITICAL_IMPORTANCE;
364 topsrv->type = SOCK_SEQPACKET;
365 topsrv->max_rcvbuf_size = sizeof(struct tipc_subscr);
366 topsrv->tipc_conn_recvmsg = tipc_subscrb_rcv_cb;
367 topsrv->tipc_conn_new = tipc_subscrb_connect_cb;
368 topsrv->tipc_conn_release = tipc_subscrb_release_cb;
369
370 strncpy(topsrv->name, name, strlen(name) + 1);
371 tn->topsrv = topsrv;
372 atomic_set(&tn->subscription_count, 0);
373
374 return tipc_server_start(topsrv);
375 }
376
377 void tipc_topsrv_stop(struct net *net)
378 {
379 struct tipc_net *tn = net_generic(net, tipc_net_id);
380 struct tipc_server *topsrv = tn->topsrv;
381
382 tipc_server_stop(topsrv);
383 kfree(topsrv->saddr);
384 kfree(topsrv);
385 }
Ubuntu Artful kernel mirror