From patchwork Sun Jun 21 16:30:23 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marek Lindner <mareklindner@neomailbox.ch>
X-Patchwork-Id: 4539
Return-Path: <mareklindner@neomailbox.ch>
Received-SPF: Softfail (domain owner discourages use of this host)
	identity=mailfrom; client-ip=5.148.176.57; helo=s1.neomailbox.net;
	envelope-from=mareklindner@neomailbox.ch;
	receiver=b.a.t.m.a.n@lists.open-mesh.org
Received: from s1.neomailbox.net (s1.neomailbox.net [5.148.176.57])
	by open-mesh.org (Postfix) with ESMTPS id EA35960103A
	for <b.a.t.m.a.n@lists.open-mesh.org>;
	Sun, 21 Jun 2015 18:30:43 +0200 (CEST)
From: Marek Lindner <mareklindner@neomailbox.ch>
To: b.a.t.m.a.n@lists.open-mesh.org
Date: Mon, 22 Jun 2015 00:30:23 +0800
Message-Id: <1434904223-10227-2-git-send-email-mareklindner@neomailbox.ch>
In-Reply-To: <1434904223-10227-1-git-send-email-mareklindner@neomailbox.ch>
References: <1434904223-10227-1-git-send-email-mareklindner@neomailbox.ch>
Cc: Marek Lindner <mareklindner@neomailbox.ch>
Subject: [B.A.T.M.A.N.] [PATCH 2/2] batman-adv: prevent potential hlist
	double deletion
X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n@lists.open-mesh.org>
List-Id: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n.lists.open-mesh.org>
List-Unsubscribe: <https://lists.open-mesh.org/mm/options/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=unsubscribe>
List-Archive: <http://lists.open-mesh.org/pipermail/b.a.t.m.a.n/>
List-Post: <mailto:b.a.t.m.a.n@lists.open-mesh.org>
List-Help: <mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=help>
List-Subscribe: <https://lists.open-mesh.org/mm/listinfo/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jun 2015 16:30:44 -0000

The hlist_del_rcu() call in batadv_tt_global_size_mod() does not check
if the element still is part of the list prior to deletion. The atomic
list counter should prevent the worst but converting to
hlist_del_init_rcu() ensures the element can't be deleted more than
once.

Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Acked-by: Antonio Quartulli <antonio@meshcoding.com>
---
 net/batman-adv/translation-table.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index ca0bcac..e29c9e1 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -315,7 +315,7 @@ static void batadv_tt_global_size_mod(struct batadv_orig_node *orig_node,
 
 	if (atomic_add_return(v, &vlan->tt.num_entries) == 0) {
 		spin_lock_bh(&orig_node->vlan_list_lock);
-		hlist_del_rcu(&vlan->list);
+		hlist_del_init_rcu(&vlan->list);
 		spin_unlock_bh(&orig_node->vlan_list_lock);
 		batadv_orig_node_vlan_free_ref(vlan);
 	}