From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Sven Eckelmann <sven@narfation.org>,
	Marek Lindner <mareklindner@neomailbox.ch>,
	Antonio Quartulli <a@unstable.cc>
Subject: [PATCH 3.14 14/23] batman-adv: Reduce refcnt of removed router when updating route
Date: Mon,  9 May 2016 09:17:34 +0200
Message-ID: <20160509071647.495006970@linuxfoundation.org>
In-Reply-To: <20160509071646.726412064@linuxfoundation.org>

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit d1a65f1741bfd9c69f9e4e2ad447a89b6810427d upstream.

_batadv_update_route rcu_dereferences orig_ifinfo->router outside of a
spinlock protected region to print some information messages to the debug
log. But this pointer is not checked again when the new pointer is assigned
in the spinlock protected region. Thus it can happen that the value of
orig_ifinfo->router changed in the meantime and thus the reference counter
of the wrong router gets reduced after the spinlock protected region.

Just rcu_dereferencing the value of orig_ifinfo->router inside the spinlock
protected region (which also sets the new pointer) is enough to get the
correct old router object.

Fixes: e1a5382f978b ("batman-adv: Make orig_node->router an rcu protected pointer")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/batman-adv/routing.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -88,6 +88,15 @@ static void _batadv_update_route(struct
 		neigh_node = NULL;
 
 	spin_lock_bh(&orig_node->neigh_list_lock);
+	/* curr_router used earlier may not be the current orig_ifinfo->router
+	 * anymore because it was dereferenced outside of the neigh_list_lock
+	 * protected region. After the new best neighbor has replace the current
+	 * best neighbor the reference counter needs to decrease. Consequently,
+	 * the code needs to ensure the curr_router variable contains a pointer
+	 * to the replaced best neighbor.
+	 */
+	curr_router = rcu_dereference_protected(orig_ifinfo->router, true);
+
 	rcu_assign_pointer(orig_ifinfo->router, neigh_node);
 	spin_unlock_bh(&orig_node->neigh_list_lock);
 	batadv_orig_ifinfo_free_ref(orig_ifinfo);
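
Review bot: the added rcu_dereference_protected(orig_ifinfo->router, true) passes a constant true as its condition, so lockdep cannot verify that the pointer is only read under the lock that protects its updates. The read sits directly after spin_lock_bh(&orig_node->neigh_list_lock), so lockdep_is_held(&orig_node->neigh_list_lock) would express the same requirement and catch a future caller or refactoring that moves the read outside the locked region, which is the class of bug this fix addresses. Minor: the new comment reads "has replace the current best neighbor"; it should be "has replaced".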


