On Sunday, March 20, 2016 12:27:53 Sven Eckelmann wrote:
_batadv_update_route rcu_dereferences orig_ifinfo->router outside of a spinlock protected region to print some information messages to the debug log. But this pointer is not checked again when the new pointer is assigned in the spinlock protected region. Thus it can happen that the value of orig_ifinfo->router changed in the meantime and thus the reference counter of the wrong router gets reduced after the spinlock protected region.
Just rcu_dereferencing the value of orig_ifinfo->router inside the spinlock protected region (which also sets the new pointer) is enough to get the correct old router object.
Fixes: d90ddb94423f ("batman-adv: Make orig_node->router an rcu protected pointer")
Signed-off-by: Sven Eckelmann sven@narfation.org
--
v2:
- add comment explaining the idea behind the extra
  rcu_dereference_protected
---
net/batman-adv/routing.c | 7 +++++++
1 file changed, 7 insertions(+)
Applied with minor modifications in revision 08ba64d.
Thanks, Marek
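
The race described in the quoted commit message, as an added userspace model (not code from the patch or from batman-adv). The names `update_route`, `racer` and `reread_locked` are hypothetical, reference counts are plain integers, and the lock is marked only by comments.

```c
#include <stdio.h>

/* Constructed userspace model: the slot stands in for orig_ifinfo->router,
 * each router has a plain reference count, the lock is marked by comments. */
struct router { int refcount; };
struct ifinfo { struct router *router; };

static void get(struct router *r) { if (r) r->refcount++; }
static void put(struct router *r) { if (r) r->refcount--; }

/* "racer" (hypothetical) models another context completing its own update
 * between the unlocked read and the locked region. */
static void update_route(struct ifinfo *i, struct router *new_r,
                         struct router *racer, int reread_locked)
{
    struct router *old = i->router;      /* unlocked read, used for logging */
    if (racer)
        update_route(i, racer, NULL, 1); /* concurrent update in the window */
    /* lock */
    if (reread_locked)
        old = i->router;                 /* the fix: re-read under the lock */
    get(new_r);
    i->router = new_r;
    /* unlock */
    put(old);                            /* stale "old" hits the wrong router */
}

/* Slot starts at A (one reference), racer installs B, caller installs C. */
static void run(int reread_locked, int counts[3])
{
    struct router a = {1}, b = {0}, c = {0};
    struct ifinfo i = { &a };
    update_route(&i, &c, &b, reread_locked);
    counts[0] = a.refcount; counts[1] = b.refcount; counts[2] = c.refcount;
}

int main(void)
{
    int r[3], f;
    for (f = 0; f <= 1; f++) {
        run(f, r);
        printf("reread_locked=%d A=%d B=%d C=%d\n", f, r[0], r[1], r[2]);
    }
    return 0;
}
```

Without the locked re-read, A is put twice (its count underflows) while B keeps a reference that nothing holds; with it, only the router actually being replaced is put.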