When unicast_send_skb() is increasing the orig_node's refcount another thread might have been freeing this orig_node already. We need to increase the refcount in the rcu read lock protected area to avoid that.
Signed-off-by: Linus Lüssing linus.luessing@ascom.ch
---
 gateway_client.c | 1 +
 unicast.c | 1 -
 2 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/batman-adv/gateway_client.c b/batman-adv/gateway_client.c
index ee71335..15ea268 100644
--- a/batman-adv/gateway_client.c
+++ b/batman-adv/gateway_client.c
@@ -57,6 +57,7 @@ void *gw_get_selected(struct bat_priv *bat_priv)
 orig_node = rcu_dereference(curr_gateway_tmp->orig_node);
 if (orig_node) {
+ kref_get(&orig_node->refcount);
 rcu_read_unlock();
 return NULL;
 }
diff --git a/batman-adv/unicast.c b/batman-adv/unicast.c
index 8816102..b42e40e 100644
--- a/batman-adv/unicast.c
+++ b/batman-adv/unicast.c
@@ -310,7 +310,6 @@ int unicast_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv)
 goto trans_search;
 }
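Review bot: In the gw_get_selected() hunk of gateway_client.c, the added `kref_get(&orig_node->refcount);` sits, as the hunk is shown, inside the `if (orig_node) { ... return NULL; }` branch, so a reference is taken on a path that hands the caller NULL and nothing can drop it again; the count would never reach zero and the orig_node would never be freed. If that condition is really the `!orig_node` guard, the same line would instead dereference a NULL pointer. The get belongs on the path that returns orig_node, still ahead of its `rcu_read_unlock();`, but that path lies outside the hunk, so this could not be checked here. Separately, a plain `kref_get()` inside the read-side section does not reject an object whose count has already dropped to zero and is only waiting for its grace period, which is the race the description names; an increment-unless-zero such as `atomic_inc_not_zero()`, treating failure as "no gateway", would close that window. Since unicast.c drops its own `kref_get()` in the same commit, a comment on gw_get_selected() along the lines of `/* returns orig_node with its refcount raised; caller must release it */` would make the new ownership rule visible to the other callers.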
- kref_get(&orig_node->refcount);
 rcu_read_unlock();
 goto find_router;
 }