When unicast_send_skb() is increasing the orig_node's refcount another
thread might have been freeing this orig_node already. We need to
increase the refcount in the rcu read lock protected area to avoid that.

The same is true for get_orig_node().

Signed-off-by: Linus Lüssing <[email protected]>
---
 gateway_client.c |    3 +++
 originator.c     |    4 ++--
 unicast.c        |    1 -
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/batman-adv/gateway_client.c b/batman-adv/gateway_client.c
index 4624515..b3cda22 100644
--- a/batman-adv/gateway_client.c
+++ b/batman-adv/gateway_client.c
@@ -55,6 +55,9 @@ void *gw_get_selected(struct bat_priv *bat_priv)
        }
 
        orig_node = curr_gateway_tmp->orig_node;
+       if (orig_node)
+               kref_get(&orig_node->refcount);
+
        rcu_read_unlock();
 
        return orig_node;
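Review bot: Plain `kref_get()` inside the RCU read section can still raise a count that has already dropped to zero, both here in gw_get_selected() and in the get_orig_node() hunk in originator.c. RCU keeps the memory readable until the grace period ends, but it does not cancel a release already in flight, so the caller may be handed an orig_node that is about to be freed. An acquire that fails on zero would close this, e.g. `if (orig_node && !kref_get_unless_zero(&orig_node->refcount)) orig_node = NULL;` where the target kernel provides it. Whether the release path defers the free past a grace period is not visible in this patch and should be confirmed. gw_get_selected() now also returns a counted reference, so a comment such as `/* returns orig_node with a reference held; caller must kref_put() it */` above the function would help; the function body starts outside the hunk.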
diff --git a/batman-adv/originator.c b/batman-adv/originator.c
index bde9778..6fb8393 100644
--- a/batman-adv/originator.c
+++ b/batman-adv/originator.c
@@ -193,12 +193,12 @@ struct orig_node *get_orig_node(struct bat_priv 
*bat_priv, uint8_t *addr)
        orig_node = ((struct orig_node *)hash_find(bat_priv->orig_hash,
                                                   compare_orig, choose_orig,
                                                   addr));
-       rcu_read_unlock();
-
        if (orig_node) {
                kref_get(&orig_node->refcount);
+               rcu_read_unlock();
                return orig_node;
        }
+       rcu_read_unlock();
 
        bat_dbg(DBG_BATMAN, bat_priv,
                "Creating new originator: %pM\n", addr);
diff --git a/batman-adv/unicast.c b/batman-adv/unicast.c
index 580b547..f4f5115 100644
--- a/batman-adv/unicast.c
+++ b/batman-adv/unicast.c
@@ -298,7 +298,6 @@ int unicast_send_skb(struct sk_buff *skb, struct bat_priv 
*bat_priv)
                if (!orig_node)
                        goto trans_search;
 
-               kref_get(&orig_node->refcount);
                goto find_router;
        } else {
                rcu_read_lock();
-- 
1.7.2.3
