On 21/06/15 18:30, Marek Lindner wrote:
The hlist_del_rcu() call in batadv_tt_global_size_mod() does not check if the element still is part of the list prior to deletion. The atomic list counter should prevent the worst but converting to hlist_del_init_rcu() ensures the element can't be deleted more than once.
Signed-off-by: Marek Lindner mareklindner@neomailbox.ch
Acked-by: Antonio Quartulli antonio@meshcoding.com
However, as discussed offline after Sven's suggestion in ticket #217, the entire if-loop still needs to be protected with the vlan_list_lock and not just its body.
Cheers,
net/batman-adv/translation-table.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index ca0bcac..e29c9e1 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -315,7 +315,7 @@ static void batadv_tt_global_size_mod(struct batadv_orig_node *orig_node,
if (atomic_add_return(v, &vlan->tt.num_entries) == 0) { spin_lock_bh(&orig_node->vlan_list_lock);
hlist_del_rcu(&vlan->list);
spin_unlock_bh(&orig_node->vlan_list_lock); batadv_orig_node_vlan_free_ref(vlan); }hlist_del_init_rcu(&vlan->list);