From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
"Marek Lindner" <mareklindner@neomailbox.ch>,
"Antonio Quartulli" <a@unstable.cc>,
"Sven Eckelmann" <sven@narfation.org>
Subject: [PATCH 3.2 26/46] batman-adv: Reduce refcnt of removed router when updating route
Date: Sun, 12 Jun 2016 22:34:42 +0100 [thread overview]
Message-ID: <lsq.1465767282.679032205@decadent.org.uk> (raw)
In-Reply-To: <lsq.1465767281.501580564@decadent.org.uk>
3.2.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit d1a65f1741bfd9c69f9e4e2ad447a89b6810427d upstream.
_batadv_update_route rcu_derefences orig_ifinfo->router outside of a
spinlock protected region to print some information messages to the debug
log. But this pointer is not checked again when the new pointer is assigned
in the spinlock protected region. Thus is can happen that the value of
orig_ifinfo->router changed in the meantime and thus the reference counter
of the wrong router gets reduced after the spinlock protected region.
Just rcu_dereferencing the value of orig_ifinfo->router inside the spinlock
protected region (which also set the new pointer) is enough to get the
correct old router object.
Fixes: e1a5382f978b ("batman-adv: Make orig_node->router an rcu protected pointer")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
[bwh: Backported to 3.2: s/orig_ifinfo/orig_node/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/batman-adv/routing.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -98,6 +98,15 @@ static void _update_route(struct bat_pri
neigh_node = NULL;
spin_lock_bh(&orig_node->neigh_list_lock);
+ /* curr_router used earlier may not be the current orig_node->router
+ * anymore because it was dereferenced outside of the neigh_list_lock
+ * protected region. After the new best neighbor has replace the current
+ * best neighbor the reference counter needs to decrease. Consequently,
+ * the code needs to ensure the curr_router variable contains a pointer
+ * to the replaced best neighbor.
+ */
+ curr_router = rcu_dereference_protected(orig_node->router, true);
+
rcu_assign_pointer(orig_node->router, neigh_node);
spin_unlock_bh(&orig_node->neigh_list_lock);
next prev parent reply other threads:[~2016-06-12 21:40 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-12 21:34 [PATCH 3.2 00/46] 3.2.81-rc1 review Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 06/46] crypto: gcm - Fix rfc4543 decryption crash Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 04/46] x86/microcode/amd: Do not overwrite final patch levels Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 11/46] libahci: save port map for forced port map Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 16/46] USB: uas: Add a new NO_REPORT_LUNS quirk Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 15/46] usb: xhci: fix wild pointers in xhci_mem_cleanup Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 14/46] usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 09/46] ipmi: fix timeout calculation when bmc is disconnected Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 08/46] x86, sparse: Do not force removal of __user when calling copy_to/from_user_nocheck() Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 18/46] Input: pmic8xxx-pwrkey - fix algorithm for converting trigger delay Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 07/46] x86: Add 1/2/4/8 byte optimization to 64bit __copy_{from,to}_user_inatomic Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 17/46] usb: hcd: out of bounds access in for_each_companion Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 13/46] nl80211: check netlink protocol in socket release notification Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 12/46] kvm: x86: do not leak guest xcr0 into host interrupt handlers Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 01/46] Revert "ax25: add link layer header validation function" Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 02/46] Revert "net: validate variable length ll headers" Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 10/46] Input: gtco - fix crash on detecting device without endpoints Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 03/46] x86/microcode/amd: Extract current patch level read to a function Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 05/46] crypto: gcm - fix rfc4543 to handle async crypto correctly Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 22/46] mm: hugetlb: allow hugepages_supported to be architecture specific Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 19/46] powerpc: scan_features() updates incorrect bits for REAL_LE Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 39/46] crypto: hash - Fix page length clamping in hash walk Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 25/46] batman-adv: Check skb size before using encapsulated ETH+VLAN header Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 23/46] s390/hugetlb: add hugepages_supported define Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 35/46] Make hash_64() use a 64-bit multiply when appropriate Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 32/46] thp: introduce hugepage_vma_check() Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 41/46] parisc: fix a bug when syscall number of tracee is __NR_Linux_syscalls Ben Hutchings
2016-06-12 21:34 ` Ben Hutchings [this message]
2016-06-12 21:34 ` [PATCH 3.2 42/46] get_rock_ridge_filename(): handle malformed NM entries Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 31/46] IB/security: Restrict use of the write() interface Ben Hutchings
2016-06-14 21:11 ` Sudip Mukherjee
2016-06-14 21:23 ` Ben Hutchings
2016-06-14 22:04 ` Sudip Mukherjee
2016-06-12 21:34 ` [PATCH 3.2 21/46] hugetlb: ensure hugepage access is denied if hugepages are not supported Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 36/46] Minimal fix-up of bad hashing behavior of hash_64() Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 29/46] USB: serial: cp210x: add Straizona Focusers device ids Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 24/46] x86/mm/xen: Suppress hugetlbfs in PV guests Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 34/46] EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 44/46] net: fix infoleak in llc Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 46/46] net: fix a kernel infoleak in x25 module Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 37/46] drm/radeon: make sure vertical front porch is at least 1 Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 20/46] atl2: Disable unimplemented scatter/gather feature Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 33/46] mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 45/46] net: fix infoleak in rtnetlink Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 40/46] proc: prevent accessing /proc/<PID>/environ until it's ready Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 27/46] batman-adv: Fix broadcast/ogm queue limit on a removed interface Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 43/46] nf_conntrack: avoid kernel pointer value leak in slab name Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 30/46] drm/i915: Fix system resume if PCI device remained enabled Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 38/46] ACPICA: Dispatcher: Update thread ID for recursive method calls Ben Hutchings
2016-06-12 21:34 ` [PATCH 3.2 28/46] USB: serial: cp210x: add ID for Link ECU Ben Hutchings
2016-06-12 23:13 ` [PATCH 3.2 00/46] 3.2.81-rc1 review Guenter Roeck
2016-06-12 23:49 ` Ben Hutchings
2016-06-13 18:45 ` Ben Hutchings
2016-06-14 21:56 ` Sudip Mukherjee
2016-06-14 22:16 ` Ben Hutchings
2016-06-14 22:35 ` Sudip Mukherjee
2017-10-08 18:55 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1465767282.679032205@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=a@unstable.cc \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mareklindner@neomailbox.ch \
--cc=stable@vger.kernel.org \
--cc=sven@narfation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).