From: Linus Lüssing <linus.luess...@ascom.ch>

When unicast_send_skb() is increasing the orig_node's refcount another
thread might have been freeing this orig_node already. We need to
increase the refcount in the rcu read lock protected area to avoid that.

Signed-off-by: Linus Lüssing <linus.luess...@ascom.ch>
Signed-off-by: Marek Lindner <lindner_ma...@yahoo.de>
---
 net/batman-adv/gateway_client.c |    3 +++
 net/batman-adv/unicast.c        |    5 ++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index a3e842f..41eba8a 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -54,6 +54,9 @@ void *gw_get_selected(struct bat_priv *bat_priv)
 
        orig_node = curr_gateway_tmp->orig_node;
 
+       if (orig_node)
+               kref_get(&orig_node->refcount);
+
 out:
        rcu_read_unlock();
        return orig_node;
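Review bot: `kref_get()` on the added line does not check whether the count has already dropped to zero, so taking it inside the RCU read-side section only closes the race if the last put cannot happen while a reader still sees the pointer. If the release path drops the final reference first and defers only the free (not visible in this hunk), a reader here can still take a reference on an object that is already scheduled to be freed, which is a use-after-free. Where the tree provides it, `if (orig_node && !kref_get_unless_zero(&orig_node->refcount)) orig_node = NULL;` fails safely instead. The body of gw_get_selected() starts outside the hunk.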
diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c
index 7ca994c..0603cea 100644
--- a/net/batman-adv/unicast.c
+++ b/net/batman-adv/unicast.c
@@ -293,10 +293,9 @@ int unicast_send_skb(struct sk_buff *skb, struct bat_priv 
*bat_priv)
        spin_lock_bh(&bat_priv->orig_hash_lock);
 
        /* get routing information */
-       if (is_multicast_ether_addr(ethhdr->h_dest))
+       if (is_multicast_ether_addr(ethhdr->h_dest)) {
                orig_node = (struct orig_node *)gw_get_selected(bat_priv);
-               if (orig_node) {
-                       kref_get(&orig_node->refcount);
+               if (orig_node)
                        goto find_router;
        }
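Review bot: The reference that unicast_send_skb() now owns is no longer visible at the call site, because the `kref_get()` moved into gw_get_selected(). A comment above the call, such as `/* gw_get_selected() returns orig_node with its refcount already taken */`, would keep the matching put obvious. The same ownership rule belongs in a comment on gw_get_selected() itself, since any other caller not touched by this patch would now leak a reference unless it releases one. The find_router path and the function's exits are outside the hunk, so the release cannot be checked from here.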
 
-- 
1.7.2.3
