Fix: use after free in ring buffer clients
[lttng-modules.git] / lttng-ring-buffer-client.h
index c97793d2061a784b9ea68014a0c12cc9349c8bf6..288cc32509dcde332f3aa3d9eab7b2a39b9b2f32 100644 (file)
@@ -32,6 +32,8 @@
 #define LTTNG_COMPACT_EVENT_BITS       5
 #define LTTNG_COMPACT_TSC_BITS         27
 
+static struct lttng_transport lttng_relay_transport;
+
 /*
  * Keep the natural field alignment for _each field_ within this structure if
  * you ever add/remove a field from this header. Packed attribute is not used
@@ -486,6 +488,18 @@ static const struct lib_ring_buffer_config client_config = {
        .wakeup = RING_BUFFER_WAKEUP_BY_TIMER,
 };
 
+static
+void release_priv_ops(void *priv_ops)
+{
+       module_put(THIS_MODULE);
+}
+
+static
+void lttng_channel_destroy(struct channel *chan)
+{
+       channel_destroy(chan);
+}
+
 static
 struct channel *_channel_create(const char *name,
                                struct lttng_channel *lttng_chan, void *buf_addr,
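Review bot: `release_priv_ops` drops the module reference from code that lives inside the module being released, so once `module_put(THIS_MODULE)` returns the module could in principle be unloaded while this function's own return path is still executing. Whether that window is reachable depends on who invokes the callback and what else pins the module, and neither is visible in this hunk, so it is worth confirming that the caller or another reference outlives the call. The unused parameter also deserves a comment, for example `/* priv_ops is unused: the reference taken in _channel_create() is on THIS_MODULE, not on the ops table. */`.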
@@ -493,23 +507,28 @@ struct channel *_channel_create(const char *name,
                                unsigned int switch_timer_interval,
                                unsigned int read_timer_interval)
 {
-       lttng_chan->ops->timestamp_begin = client_timestamp_begin;
-       lttng_chan->ops->timestamp_end = client_timestamp_end;
-       lttng_chan->ops->events_discarded = client_events_discarded;
-       lttng_chan->ops->content_size = client_content_size;
-       lttng_chan->ops->packet_size = client_packet_size;
-       lttng_chan->ops->stream_id = client_stream_id;
-       lttng_chan->ops->current_timestamp = client_current_timestamp;
+       struct channel *chan;
 
-       return channel_create(&client_config, name, lttng_chan, buf_addr,
+       chan = channel_create(&client_config, name, lttng_chan, buf_addr,
                              subbuf_size, num_subbuf, switch_timer_interval,
                              read_timer_interval);
-}
+       if (chan) {
+               /*
+                * Ensure this module is not unloaded before we finish
+                * using lttng_relay_transport.ops.
+                */
+               if (!try_module_get(THIS_MODULE)) {
+                       printk(KERN_WARNING "LTT : Can't lock transport module.\n");
+                       goto error;
+               }
+               chan->backend.priv_ops = &lttng_relay_transport.ops;
+               chan->backend.release_priv_ops = release_priv_ops;
+       }
+       return chan;
 
-static
-void lttng_channel_destroy(struct channel *chan)
-{
-       channel_destroy(chan);
+error:
+       lttng_channel_destroy(chan);
+       return NULL;
 }
 
 static
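Review bot: The `error:` path calls `lttng_channel_destroy(chan)` on a channel whose `backend.release_priv_ops` was never assigned. It therefore relies on the destroy path, which is not visible here, skipping a NULL callback and not calling `module_put()` for a reference that was never taken; that should be confirmed. Taking the reference before `channel_create()` removes the dependency and avoids building a channel only to tear it down: return early if `try_module_get()` fails, and call `module_put()` if `channel_create()` returns NULL. The module is then already pinned by the time the channel exists. The signature of `_channel_create` begins above this hunk.

```c
	struct channel *chan;

	/* Pin the module first so a failure needs no channel teardown. */
	if (!try_module_get(THIS_MODULE)) {
		printk(KERN_WARNING "LTT : Can't lock transport module.\n");
		return NULL;
	}
	chan = channel_create(&client_config, name, lttng_chan, buf_addr,
			      subbuf_size, num_subbuf, switch_timer_interval,
			      read_timer_interval);
	if (!chan) {
		/* Nothing will run release_priv_ops, so drop the reference here. */
		module_put(THIS_MODULE);
		return NULL;
	}
	chan->backend.priv_ops = &lttng_relay_transport.ops;
	chan->backend.release_priv_ops = release_priv_ops;
	return chan;
```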
@@ -655,6 +674,13 @@ static struct lttng_transport lttng_relay_transport = {
                .get_hp_wait_queue = lttng_get_hp_wait_queue,
                .is_finalized = lttng_is_finalized,
                .is_disabled = lttng_is_disabled,
+               .timestamp_begin = client_timestamp_begin,
+               .timestamp_end = client_timestamp_end,
+               .events_discarded = client_events_discarded,
+               .content_size = client_content_size,
+               .packet_size = client_packet_size,
+               .stream_id = client_stream_id,
+               .current_timestamp = client_current_timestamp,
        },
 };
 