[linux-next] LinuxNextTracking branch, master, updated. next-20160512

batman at open-mesh.org batman at open-mesh.org
Fri May 13 00:15:41 CEST 2016

The following commit has been merged in the master branch:
commit 4fe56e60ac1be4d103f64743d0a36fd31a70657c
Author: Sven Eckelmann <sven at narfation.org>
Date:   Sat Mar 5 16:09:17 2016 +0100

    batman-adv: Check hard_iface refcnt when receiving skb
    The receive function may start processing an incoming packet while the
    hard_iface is shut down in a different context. All called functions called
    with the batadv_hard_iface object belonging to the incoming interface would
    have to check whether the reference counter is still > 0.
    This is rather error-prone because this check can be forgotten easily.
    Instead check the reference counter when receiving the object to make sure
    that all called functions have a valid reference.
    Signed-off-by: Sven Eckelmann <sven at narfation.org>
    Signed-off-by: Marek Lindner <mareklindner at neomailbox.ch>
    Signed-off-by: Antonio Quartulli <a at unstable.cc>

diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c
index 78c05a9..c8d8bc7 100644
--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -401,11 +401,19 @@ int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
 	hard_iface = container_of(ptype, struct batadv_hard_iface,
+	/* Prevent processing a packet received on an interface which is getting
+	 * shut down otherwise the packet may trigger de-reference errors
+	 * further down in the receive path.
+	 */
+	if (!kref_get_unless_zero(&hard_iface->refcount))
+		goto err_out;
 	skb = skb_share_check(skb, GFP_ATOMIC);
 	/* skb was released by skb_share_check() */
 	if (!skb)
-		goto err_out;
+		goto err_put;
 	/* packet should hold at least type and version */
 	if (unlikely(!pskb_may_pull(skb, 2)))
@@ -448,6 +456,8 @@ int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
 	if (ret == NET_RX_DROP)
+	batadv_hardif_put(hard_iface);
 	/* return NET_RX_SUCCESS in any case as we
 	 * most probably dropped the packet for
 	 * routing-logical reasons.
@@ -456,6 +466,8 @@ int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
+	batadv_hardif_put(hard_iface);
 	return NET_RX_DROP;


More information about the linux-merge mailing list