The tt_local_entry deletion performed batadv_tt_local_remove() was neither protecting against simultaneous deletes nor checking whether the element was still part of the list before calling hlist_del_rcu().
Replacing the hlist_del_rcu() with batadv_hash_remove() provides adequate protection via hash spinlocks as well as a is-element-still-in-hash check. Reported-by: [email protected] Signed-off-by: Marek Lindner <[email protected]> --- translation-table.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/translation-table.c b/translation-table.c index e95a424..4afeeb5 100644 --- a/translation-table.c +++ b/translation-table.c @@ -1042,7 +1042,8 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv, * immediately purge it */ batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL); - hlist_del_rcu(&tt_local_entry->common.hash_entry); + batadv_hash_remove(bat_priv->tt.local_hash, batadv_compare_tt, + batadv_choose_tt, &tt_local_entry->common); batadv_tt_local_entry_free_ref(tt_local_entry); /* decrease the reference held for this vlan */ -- 2.1.4
