[linux-next] LinuxNextTracking branch, master, updated. next-20160429

batman at open-mesh.org batman at open-mesh.org
Sat Apr 30 00:15:56 CEST 2016


The following commit has been merged in the master branch:
commit d1a65f1741bfd9c69f9e4e2ad447a89b6810427d
Author: Sven Eckelmann <sven at narfation.org>
Date:   Sun Mar 20 12:27:53 2016 +0100

    batman-adv: Reduce refcnt of removed router when updating route
    
    _batadv_update_route rcu_derefences orig_ifinfo->router outside of a
    spinlock protected region to print some information messages to the debug
    log. But this pointer is not checked again when the new pointer is assigned
    in the spinlock protected region. Thus is can happen that the value of
    orig_ifinfo->router changed in the meantime and thus the reference counter
    of the wrong router gets reduced after the spinlock protected region.
    
    Just rcu_dereferencing the value of orig_ifinfo->router inside the spinlock
    protected region (which also set the new pointer) is enough to get the
    correct old router object.
    
    Fixes: e1a5382f978b ("batman-adv: Make orig_node->router an rcu protected pointer")
    Signed-off-by: Sven Eckelmann <sven at narfation.org>
    Signed-off-by: Marek Lindner <mareklindner at neomailbox.ch>
    Signed-off-by: Antonio Quartulli <a at unstable.cc>

diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 4dd646a..b781bf7 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -105,6 +105,15 @@ static void _batadv_update_route(struct batadv_priv *bat_priv,
 		neigh_node = NULL;
 
 	spin_lock_bh(&orig_node->neigh_list_lock);
+	/* curr_router used earlier may not be the current orig_ifinfo->router
+	 * anymore because it was dereferenced outside of the neigh_list_lock
+	 * protected region. After the new best neighbor has replace the current
+	 * best neighbor the reference counter needs to decrease. Consequently,
+	 * the code needs to ensure the curr_router variable contains a pointer
+	 * to the replaced best neighbor.
+	 */
+	curr_router = rcu_dereference_protected(orig_ifinfo->router, true);
+
 	rcu_assign_pointer(orig_ifinfo->router, neigh_node);
 	spin_unlock_bh(&orig_node->neigh_list_lock);
 	batadv_orig_ifinfo_put(orig_ifinfo);

-- 
LinuxNextTracking


More information about the linux-merge mailing list