[FIB]: full_children & empty_children should be uint, not ushort
If declared as unsigned short, these fields can overflow, and the whole trie logic is broken. I could not make the machine crash, but some tnodes can never be freed. Note for 64-bit arches: by reordering t_key and parent in the [node, leaf, tnode] structures, we can use the 32-bit hole after t_key so that sizeof(struct tnode) doesn't change after this patch. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: Robert Olsson <robert.olsson@its.uu.se> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
f16f3026db
commit
8d96544475
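--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -97,13 +97,13 @@ typedef unsigned int t_key;
 #define IS_LEAF(n) (n->parent & T_LEAF)
 
 struct node {
-	t_key key;
 	unsigned long parent;
+	t_key key;
 };
 
 struct leaf {
-	t_key key;
 	unsigned long parent;
+	t_key key;
 	struct hlist_head list;
 	struct rcu_head rcu;
 };
@@ -116,12 +116,12 @@ struct leaf_info {
 };
 
 struct tnode {
-	t_key key;
 	unsigned long parent;
+	t_key key;
 	unsigned char pos; /* 2log(KEYLENGTH) bits needed */
 	unsigned char bits; /* 2log(KEYLENGTH) bits needed */
-	unsigned short full_children; /* KEYLENGTH bits needed */
-	unsigned short empty_children; /* KEYLENGTH bits needed */
+	unsigned int full_children; /* KEYLENGTH bits needed */
+	unsigned int empty_children; /* KEYLENGTH bits needed */
 	struct rcu_head rcu;
 	struct node *child[0];
 };
@@ -329,12 +329,12 @@ static inline void free_leaf_info(struct leaf_info *leaf)
 	call_rcu(&leaf->rcu, __leaf_info_free_rcu);
 }
 
-static struct tnode *tnode_alloc(unsigned int size)
+static struct tnode *tnode_alloc(size_t size)
 {
 	struct page *pages;
 
 	if (size <= PAGE_SIZE)
-		return kcalloc(size, 1, GFP_KERNEL);
+		return kzalloc(size, GFP_KERNEL);
 
 	pages = alloc_pages(GFP_KERNEL|__GFP_ZERO, get_order(size));
 	if (!pages)
@@ -346,8 +346,8 @@ static struct tnode *tnode_alloc(unsigned int size)
 static void __tnode_free_rcu(struct rcu_head *head)
 {
 	struct tnode *tn = container_of(head, struct tnode, rcu);
-	unsigned int size = sizeof(struct tnode) +
-		(1 << tn->bits) * sizeof(struct node *);
+	size_t size = sizeof(struct tnode) +
+		(sizeof(struct node *) << tn->bits);
 
 	if (size <= PAGE_SIZE)
 		kfree(tn);
@@ -386,8 +386,7 @@ static struct leaf_info *leaf_info_new(int plen)
 
 static struct tnode* tnode_new(t_key key, int pos, int bits)
 {
-	int nchildren = 1<<bits;
-	int sz = sizeof(struct tnode) + nchildren * sizeof(struct node *);
+	size_t sz = sizeof(struct tnode) + (sizeof(struct node *) << bits);
 	struct tnode *tn = tnode_alloc(sz);
 
 	if (tn) {
@@ -399,8 +398,8 @@ static struct tnode* tnode_new(t_key key, int pos, int bits)
 		tn->empty_children = 1<<bits;
 	}
 
-	pr_debug("AT %p s=%u %u\n", tn, (unsigned int) sizeof(struct tnode),
-		 (unsigned int) (sizeof(struct node) * 1<<bits));
+	pr_debug("AT %p s=%u %lu\n", tn, (unsigned int) sizeof(struct tnode),
+		 (unsigned long) (sizeof(struct node) << bits));
 	return tn;
 }
 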
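Review bot: The second size printed by the new pr_debug in tnode_new, `(unsigned long) (sizeof(struct node) << bits)`, does not describe what was allocated: sz in the preceding hunk is built from `sizeof(struct node *) << bits`, so the debug output reports the child array scaled by sizeof(struct node) rather than by a pointer size. If the intent is to log the child-array size, the line should read `(unsigned long) (sizeof(struct node *) << bits));`. The `sizeof(struct node *) << bits` expression is now duplicated in tnode_new and in __tnode_free_rcu (the hunk at -346), and the kfree() versus page-freeing choice in the latter depends on the two agreeing exactly, so a comment such as `/* must match the size computed in tnode_new(): it selects kfree() vs. page freeing */` above the size_t declaration there would make that coupling explicit. The context line `tn->empty_children = 1<<bits;` still shifts a signed int even though the field is now unsigned int; `1U << bits` would match the field's type and avoid the signed-shift hazard for large bits, though bits is presumably bounded well below 32 so this is a style point rather than a live defect. tnode_new's body starts in the preceding hunk and is cut by the hunk boundary.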