On Friday, March 11, 2016 16:44:06 Sven Eckelmann wrote:
The batadv_neigh_node was specific to a batadv_hardif_neigh_node and held an implicit reference to it. But this reference was never stored in form of a pointer in the batadv_neigh_node itself. Instead batadv_neigh_node_release depends on a consistent state of hard_iface->neigh_list and that batadv_hardif_neigh_get always returns the batadv_hardif_neigh_node object which it has a reference for. But batadv_hardif_neigh_get cannot guarantee that because it is working only with rcu_read_lock on this list. It can therefore happen that a neigh_addr is in this list twice or that batadv_hardif_neigh_get cannot find the batadv_hardif_neigh_node for an neigh_addr due to some other list operations taking place at the same time.
Instead add a batadv_hardif_neigh_node pointer directly in batadv_neigh_node which will be used for the reference counter decremented on release of batadv_neigh_node.
Fixes: fed2826b490c ("batman-adv: add list of unique single hop neighbors per hard-interface") Signed-off-by: Sven Eckelmann sven@narfation.org
See https://www.open-mesh.org/issues/242
v1:
- Remove the old code blocks
- make the _put unconditional
net/batman-adv/originator.c | 16 +++++----------- net/batman-adv/types.h | 2 ++ 2 files changed, 7 insertions(+), 11 deletions(-)
Applied in revision a198a23.
Thanks, Marek