| Message ID | 20230712112631.3461793-3-quic_viswanat@quicinc.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | net: qrtr: Few fixes in QRTR | expand |
On Wed, Jul 12, 2023 at 04:56:30PM +0530, Vignesh Viswanathan wrote: > There is a use after free scenario while iterating through the nodes > radix tree despite the ns being a single threaded process. This can > happen when the radix tree APIs are not synchronized with the > rcu_read_lock() APIs. > > Convert the radix tree for nodes to xarray to take advantage of the > built in rcu lock usage provided by xarray. > > Signed-off-by: Chris Lew <quic_clew@quicinc.com> > Signed-off-by: Vignesh Viswanathan <quic_viswanat@quicinc.com> Reviewed-by: Simon Horman <simon.horman@corigine.com>
diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c index 039313c3e044..12de671d7992 100644 --- a/net/qrtr/ns.c +++ b/net/qrtr/ns.c @@ -16,7 +16,7 @@ #define CREATE_TRACE_POINTS #include <trace/events/qrtr.h> -static RADIX_TREE(nodes, GFP_KERNEL); +static DEFINE_XARRAY(nodes); static struct { struct socket *sock; @@ -73,7 +73,7 @@ static struct qrtr_node *node_get(unsigned int node_id) { struct qrtr_node *node; - node = radix_tree_lookup(&nodes, node_id); + node = xa_load(&nodes, node_id); if (node) return node; @@ -85,7 +85,7 @@ static struct qrtr_node *node_get(unsigned int node_id) node->id = node_id; xa_init(&node->servers); - if (radix_tree_insert(&nodes, node_id, node)) { + if (xa_store(&nodes, node_id, node, GFP_KERNEL)) { kfree(node); return NULL; }