From: Jon Maloy <jon.ma...@ericsson.com>
Date: Wed, 24 Feb 2016 11:00:19 -0500

> Although we have never seen it happen, we have identified the
> following problematic scenario when nodes are stopped and deleted:
> 
> CPU0:                            CPU1:
> 
> tipc_node_xxx()                                   //ref == 1
>    tipc_node_put()                                //ref -> 0
>                                  tipc_node_find() // node still in table
>        tipc_node_delete()
>          list_del_rcu(n. list)
>                                  tipc_node_get()  //ref -> 1, bad
>          kfree_rcu()
> 
>                                  tipc_node_put() //ref to 0 again.
>                                  kfree_rcu()     // BOOM!
> 
> We fix this by introducing use of the conditional kref_get_if_not_zero()
> instead of kref_get() in the function tipc_node_find(). This eliminates
> any risk of post-mortem access.
> 
> Reported-by: Zhijiang Hu <huzhiji...@gmail.com>
> Acked-by: Ying Xue <ying....@windriver.com>
> Signed-off-by: Jon Maloy <jon.ma...@ericsson.com>

Applied.
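To make the race in the quoted commit message concrete, here is an added userspace C model; it is not code from this thread or from the TIPC subsystem, and all names in it (model_kref, node_find, simulate_race, the node table) are constructed for illustration. It replays the CPU0/CPU1 interleaving once with an unconditional get (the old kref_get() behaviour) and once with a conditional get modelled on the kernel's kref_get_unless_zero() (the helper the commit message refers to as kref_get_if_not_zero()), and counts how many times the node's release routine runs: twice is the double free the diagram marks as "BOOM".

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-in for struct kref: an atomic counter, 0 means "being freed". */
struct model_kref { atomic_uint refcount; };

static void kref_init_model(struct model_kref *k) { atomic_store(&k->refcount, 1); }

/* Unconditional get, like kref_get(): happily increments even from 0. */
static void kref_get_model(struct model_kref *k) { atomic_fetch_add(&k->refcount, 1); }

/* Conditional get, modelled on kref_get_unless_zero(): increments only while
 * the count is non-zero, so a dying object can never be resurrected. */
static bool kref_get_unless_zero_model(struct model_kref *k)
{
    unsigned old = atomic_load(&k->refcount);
    do {
        if (old == 0)
            return false;
    } while (!atomic_compare_exchange_weak(&k->refcount, &old, old + 1));
    return true;
}

/* Put: returns true when the count reached 0 and the owner must release. */
static bool kref_put_model(struct model_kref *k)
{
    return atomic_fetch_sub(&k->refcount, 1) == 1;
}

struct node { struct model_kref kref; unsigned addr; bool freed; };

#define TABLE_SIZE 4
static struct node *node_table[TABLE_SIZE];   /* constructed lookup table */
static int releases;                          /* release() calls in this run */

static void node_release(struct node *n)
{
    releases++;          /* a second release of the same node is the double free */
    n->freed = true;     /* kfree_rcu() analogue; memory is kept so the model stays defined */
}

/* tipc_node_delete() analogue: unlink (list_del_rcu) then release (kfree_rcu). */
static void node_delete(struct node *n)
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (node_table[i] == n)
            node_table[i] = NULL;
    node_release(n);
}

/* tipc_node_find() analogue: returns a referenced node, or NULL if absent or dying. */
static struct node *node_find(unsigned addr, bool conditional)
{
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        struct node *n = node_table[i];
        if (!n || n->addr != addr)
            continue;
        if (conditional) {
            if (!kref_get_unless_zero_model(&n->kref))
                return NULL;          /* refcount already 0: treat as not found */
        } else {
            kref_get_model(&n->kref); /* resurrects a node whose ref already hit 0 */
        }
        return n;
    }
    return NULL;
}

static void node_put(struct node *n)
{
    if (kref_put_model(&n->kref))
        node_delete(n);
}

/* Replays the interleaving from the commit message; returns how many times
 * the node was released (1 is correct, 2 is the use-after-free / double free). */
int simulate_race(bool conditional)
{
    struct node n = { .addr = 0x1001u, .freed = false };
    kref_init_model(&n.kref);
    node_table[0] = &n;
    releases = 0;

    bool cpu0_must_delete = kref_put_model(&n.kref);     /* CPU0: put, ref 1 -> 0 */
    struct node *found = node_find(n.addr, conditional); /* CPU1: find, node still in table */
    if (cpu0_must_delete)
        node_delete(&n);                                 /* CPU0: list_del_rcu + kfree_rcu */
    if (found)
        node_put(found);                                 /* CPU1: put; on the buggy path, ref 1 -> 0 again */

    node_table[0] = NULL;
    return releases;
}

int main(void)
{
    printf("kref_get():             %d release(s)\n", simulate_race(false));
    printf("kref_get_unless_zero(): %d release(s)\n", simulate_race(true));
    return 0;
}
```

With the unconditional get the lookup hands CPU1 a reference to a node whose count had already reached zero, and CPU1's later put releases it a second time; with the conditional get the lookup simply reports the node as absent, which is the behaviour the patch introduces in tipc_node_find().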