rtnetlink: add reference counting to prevent module unload while dump is in progress
authorFlorian Westphal <fw@strlen.de>
Wed, 9 Aug 2017 18:41:49 +0000 (20:41 +0200)
committerDavid S. Miller <davem@davemloft.net>
Wed, 9 Aug 2017 23:57:38 +0000 (16:57 -0700)
I don't see what prevents rmmod (unregister_all is called) while a dump
is active.

Even if we'd add rtnl lock/unlock pair to unregister_all (as done here),
that's not enough either as rtnl_lock is released right before the dump
process starts.

So this adds a refcount:
 * acquire rtnl mutex
 * bump refcount
 * release mutex
 * start the dump

... and make unregister_all remove the callbacks (no new dumps possible)
and then wait until refcount is 0.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/rtnetlink.c

index 67607c540c034474ca648e9b78eac5505f5a0af1..c45a7c5e323255ff0a445a7fbce6094e92fd53ea 100644 (file)
@@ -127,6 +127,7 @@ EXPORT_SYMBOL(lockdep_rtnl_is_held);
 #endif /* #ifdef CONFIG_PROVE_LOCKING */
 
 static struct rtnl_link *rtnl_msg_handlers[RTNL_FAMILY_MAX + 1];
+static refcount_t rtnl_msg_handlers_ref[RTNL_FAMILY_MAX + 1];
 
 static inline int rtm_msgindex(int msgtype)
 {
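Review bot: The new `rtnl_msg_handlers_ref` counters are static and so start at zero, but `refcount_inc()` (added in the rtnetlink_rcv_msg hunk further down) treats an increment from zero as a use-after-free. With the checked refcount implementation it warns and leaves the counter at zero, so the matching `refcount_dec()` then underflows and the wait in rtnl_unregister_all() sees nothing to wait for. Either set each counter to 1 at init time with `refcount_set(&rtnl_msg_handlers_ref[i], 1);` and wait for `refcount_read(...) > 1`, or use a plain `atomic_t`, since this counts dumps in flight rather than an object's lifetime. A comment on the declaration such as `/* dumps in flight per family; rtnl_unregister_all() waits for these */` would also help.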
@@ -272,10 +273,18 @@ EXPORT_SYMBOL_GPL(rtnl_unregister);
  */
 void rtnl_unregister_all(int protocol)
 {
+       struct rtnl_link *handlers;
+
        BUG_ON(protocol < 0 || protocol > RTNL_FAMILY_MAX);
 
-       kfree(rtnl_msg_handlers[protocol]);
+       rtnl_lock();
+       handlers = rtnl_msg_handlers[protocol];
        rtnl_msg_handlers[protocol] = NULL;
+       rtnl_unlock();
+
+       while (refcount_read(&rtnl_msg_handlers_ref[protocol]) > 0)
+               schedule();
+       kfree(handlers);
 }
 EXPORT_SYMBOL_GPL(rtnl_unregister_all);
 
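Review bot: The wait before `kfree(handlers)` only covers the window up to the return of netlink_dump_start(), because rtnetlink_rcv_msg() drops the count immediately after that call (last hunk). A multi-part netlink dump is continued from later recvmsg calls, so the family's dumpit could presumably still be invoked after the module has been unloaded. Nothing visible in this patch pins the owning module for the whole dump, so either confirm that the dump control set up outside these hunks takes a module reference, or add one. Separately, `while (...) schedule();` polls without ever sleeping; `msleep(1);` in the loop body would give the same wait without spinning the CPU.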
@@ -4173,6 +4182,8 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
                if (dumpit == NULL)
                        return -EOPNOTSUPP;
 
+               refcount_inc(&rtnl_msg_handlers_ref[family]);
+
                if (type == RTM_GETLINK)
                        min_dump_alloc = rtnl_calcit(skb, nlh);
 
@@ -4186,6 +4197,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
                        err = netlink_dump_start(rtnl, skb, nlh, &c);
                }
                rtnl_lock();
+               refcount_dec(&rtnl_msg_handlers_ref[family]);
                return err;
        }