From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sven Eckelmann <sven@narfation.org>,
Marek Lindner <mareklindner@neomailbox.ch>,
Antonio Quartulli <a@unstable.cc>
Subject: [PATCH 4.4 39/67] batman-adv: Reduce refcnt of removed router when updating route
Date: Mon, 9 May 2016 09:18:44 +0200 [thread overview]
Message-ID: <20160509071839.191549523@linuxfoundation.org> (raw)
In-Reply-To: <20160509071837.238078895@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit d1a65f1741bfd9c69f9e4e2ad447a89b6810427d upstream.
_batadv_update_route rcu_derefences orig_ifinfo->router outside of a
spinlock protected region to print some information messages to the debug
log. But this pointer is not checked again when the new pointer is assigned
in the spinlock protected region. Thus is can happen that the value of
orig_ifinfo->router changed in the meantime and thus the reference counter
of the wrong router gets reduced after the spinlock protected region.
Just rcu_dereferencing the value of orig_ifinfo->router inside the spinlock
protected region (which also set the new pointer) is enough to get the
correct old router object.
Fixes: e1a5382f978b ("batman-adv: Make orig_node->router an rcu protected pointer")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/routing.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -104,6 +104,15 @@ static void _batadv_update_route(struct
neigh_node = NULL;
spin_lock_bh(&orig_node->neigh_list_lock);
+ /* curr_router used earlier may not be the current orig_ifinfo->router
+ * anymore because it was dereferenced outside of the neigh_list_lock
+ * protected region. After the new best neighbor has replace the current
+ * best neighbor the reference counter needs to decrease. Consequently,
+ * the code needs to ensure the curr_router variable contains a pointer
+ * to the replaced best neighbor.
+ */
+ curr_router = rcu_dereference_protected(orig_ifinfo->router, true);
+
rcu_assign_pointer(orig_ifinfo->router, neigh_node);
spin_unlock_bh(&orig_node->neigh_list_lock);
batadv_orig_ifinfo_free_ref(orig_ifinfo);
next prev parent reply other threads:[~2016-05-09 7:20 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-09 7:18 [PATCH 4.4 00/67] 4.4.10-stable review Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 01/67] Revert: "powerpc/tm: Check for already reclaimed tasks" Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 02/67] RDMA/iw_cxgb4: Fix bar2 virt addr calculation for T4 chips Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 03/67] ipvs: handle ip_vs_fill_iph_skb_off failure Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 04/67] ipvs: correct initial offset of Call-ID header search in SIP persistence engine Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 05/67] ipvs: drop first packet to redirect conntrack Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 06/67] mfd: intel-lpss: Remove clock tree on error path Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 07/67] nbd: ratelimit error msgs after socket close Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 08/67] ata: ahci_xgene: dereferencing uninitialized pointer in probe Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 09/67] mwifiex: fix corner case association failure Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 11/67] clk-divider: make sure read-only dividers do not write to their register Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 12/67] soc: rockchip: power-domain: fix err handle while probing Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 13/67] clk: rockchip: free memory in error cases when registering clock branches Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 15/67] clk: qcom: msm8960: fix ce3_core clk enable register Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 16/67] clk: versatile: sp810: support reentrance Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 17/67] clk: qcom: msm8960: Fix ce3_src register offset Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 18/67] lpfc: fix misleading indentation Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 19/67] ath9k: ar5008_hw_cmn_spur_mitigate: add missing mask_m & mask_p initialisation Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 20/67] mac80211: fix statistics leak if dev_alloc_name() fails Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 21/67] tracing: Dont display trigger file for events that cant be enabled Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 22/67] MD: make bio mergeable Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 23/67] Minimal fix-up of bad hashing behavior of hash_64() Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 24/67] mm, cma: prevent nr_isolated_* counters from going negative Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 25/67] mm/zswap: provide unique zpool name Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 26/67] ARM: EXYNOS: Properly skip unitialized parent clock in power domain on Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 27/67] ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 28/67] xen: Fix page <-> pfn conversion on 32 bit systems Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 29/67] xen/balloon: Fix crash when ballooning on x86 32 bit PAE Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 30/67] xen/evtchn: fix ring resize when binding new events Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 31/67] HID: wacom: Add support for DTK-1651 Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 32/67] HID: Fix boot delay for Creative SB Omni Surround 5.1 with quirk Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 33/67] Input: zforce_ts - fix dual touch recognition Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 34/67] proc: prevent accessing /proc/<PID>/environ until its ready Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 35/67] mm: update min_free_kbytes from khugepaged after core initialization Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 36/67] batman-adv: fix DAT candidate selection (must use vid) Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 37/67] batman-adv: Check skb size before using encapsulated ETH+VLAN header Greg Kroah-Hartman
2016-05-09 7:18 ` Greg Kroah-Hartman [this message]
2016-05-09 7:18 ` [PATCH 4.4 40/67] writeback: Fix performance regression in wb_over_bg_thresh() Greg Kroah-Hartman
[not found] ` <20160509071837.238078895-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2016-05-09 7:18 ` [PATCH 4.4 41/67] MAINTAINERS: Remove asterisk from EFI directory names Greg Kroah-Hartman
2016-05-09 7:18 ` Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 42/67] x86/tsc: Read all ratio bits from MSR_PLATFORM_INFO Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 43/67] fs/pnode.c: treat zero mnt_group_id-s as unequal Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 44/67] propogate_mnt: Handle the first propogated copy being a slave Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 45/67] ARM: cpuidle: Pass on arm_cpuidle_suspend()s return value Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 46/67] ARC: Add missing io barriers to io{read,write}{16,32}be() Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 47/67] x86/sysfb_efi: Fix valid BAR address range check Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 48/67] ACPICA: Dispatcher: Update thread ID for recursive method calls Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 49/67] powerpc: Fix bad inline asm constraint in create_zero_mask() Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 50/67] libahci: save port map for forced port map Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 51/67] ata: ahci-platform: Add ports-implemented DT bindings Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 52/67] USB: serial: cp210x: add ID for Link ECU Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 53/67] USB: serial: cp210x: add Straizona Focusers device ids Greg Kroah-Hartman
2016-05-09 7:18 ` [PATCH 4.4 54/67] nvmem: mxs-ocotp: fix buffer overflow in read Greg Kroah-Hartman
2016-05-09 7:19 ` [PATCH 4.4 55/67] gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading Greg Kroah-Hartman
2016-05-09 7:19 ` [PATCH 4.4 56/67] drm/amdgpu: make sure vertical front porch is at least 1 Greg Kroah-Hartman
2016-05-09 7:19 ` [PATCH 4.4 58/67] iio: ak8975: Fix NULL pointer exception on early interrupt Greg Kroah-Hartman
2016-05-09 7:19 ` [PATCH 4.4 60/67] drm/radeon: make sure vertical front porch is at least 1 Greg Kroah-Hartman
2016-05-09 7:19 ` [PATCH 4.4 65/67] ACPI / processor: Request native thermal interrupt handling via _OSC Greg Kroah-Hartman
2016-05-09 7:19 ` [PATCH 4.4 66/67] lib/test-string_helpers.c: fix and improve string_get_size() tests Greg Kroah-Hartman
2016-05-09 7:19 ` [PATCH 4.4 67/67] drm/i915/skl: Fix DMC load on Skylake J0 and K0 Greg Kroah-Hartman
[not found] ` <5730411d.d72d1c0a.4dc63.ffff8ef4@mx.google.com>
2016-05-09 8:08 ` [PATCH 4.4 00/67] 4.4.10-stable review Greg Kroah-Hartman
2016-05-09 13:10 ` Guenter Roeck
2016-05-09 19:41 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160509071839.191549523@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=a@unstable.cc \
--cc=linux-kernel@vger.kernel.org \
--cc=mareklindner@neomailbox.ch \
--cc=stable@vger.kernel.org \
--cc=sven@narfation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.