From patchwork Fri Jun 24 19:43:32 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Eckelmann X-Patchwork-Id: 16391 X-Patchwork-Delegate: mareklindner@neomailbox.ch Return-Path: X-Original-To: patchwork@open-mesh.org Delivered-To: patchwork@open-mesh.org Received: from open-mesh.org (localhost [IPv6:::1]) by open-mesh.org (Postfix) with ESMTP id 0C0AA8185A; Fri, 24 Jun 2016 21:43:39 +0200 (CEST) Authentication-Results: open-mesh.org; dmarc=none header.from=narfation.org Authentication-Results: open-mesh.org; dkim=fail reason="verification failed; unprotected key" header.d=narfation.org header.i=@narfation.org header.b=W3vzT+t7; dkim-adsp=fail (unprotected policy); dkim-atps=neutral Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=2001:4d88:2000:7::2; helo=v3-1039.vlinux.de; envelope-from=sven@narfation.org; receiver=b.a.t.m.a.n@lists.open-mesh.org Authentication-Results: open-mesh.org; dmarc=pass header.from=narfation.org Received: from v3-1039.vlinux.de (narfation.org [IPv6:2001:4d88:2000:7::2]) by open-mesh.org (Postfix) with ESMTPS id 407B581759 for ; Fri, 24 Jun 2016 21:43:36 +0200 (CEST) Received: from sven-desktop.home.narfation.org (p200300C593C0A7F90000000000002E16.dip0.t-ipconnect.de [IPv6:2003:c5:93c0:a7f9::2e16]) by v3-1039.vlinux.de (Postfix) with ESMTPSA id A432F1100E8; Fri, 24 Jun 2016 21:43:35 +0200 (CEST) Authentication-Results: v3-1039.vlinux.de; dmarc=none header.from=narfation.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=narfation.org; s=20121; t=1466797415; bh=q9WTyJoIQeHXWu3EXDXyS49u7fhfTYHipfxY29Lf9r0=; h=From:To:Cc:Subject:Date:From; b=W3vzT+t7m3waZ93a46faMuZHT2daTjYnkFg3FkRPKqP8C+7wwJoWaSsw3N+K0EwkP yBcK4RoR2USMZ5jexHMFEBATGgJfTzwaf48s9zQ4wLn3AmkY5fLC83I3++6HonmtU/ fsYsFj5mnB+EyugmM7IGvj6DIk2Jfa3xi/rxWeGU= From: Sven Eckelmann To: b.a.t.m.a.n@lists.open-mesh.org Date: Fri, 24 Jun 2016 21:43:32 +0200 Message-Id: <1466797412-1312-1-git-send-email-sven@narfation.org> X-Mailer: git-send-email 2.8.1 Subject: [B.A.T.M.A.N.] [PATCH maint] batman-adv: Avoid tt_req_node list put for unhashed entry X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: The list for a Better Approach To Mobile Ad-hoc Networking List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking Errors-To: b.a.t.m.a.n-bounces@lists.open-mesh.org Sender: "B.A.T.M.A.N" It can happen that a tt_req_node list entry was already removed from tt.req_list when batadv_send_tt_request reaches the end of the function. The reference counter was already reduced by 1 for the list entry and thus the reference counter is not allowed to be reduced again. Otherwise, the entry is freed too early and the next batadv_tt_req_node_put in this function will operate on freed memory. Fixes: cea194d90b11 ("batman-adv: improved client announcement mechanism") Signed-off-by: Sven Eckelmann --- net/batman-adv/translation-table.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index 3c32f5f..7e6df7a 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -2639,11 +2639,13 @@ static bool batadv_send_tt_request(struct batadv_priv *bat_priv, out: if (primary_if) batadv_hardif_put(primary_if); + if (ret && tt_req_node) { spin_lock_bh(&bat_priv->tt.req_list_lock); - /* hlist_del_init() verifies tt_req_node still is in the list */ - hlist_del_init(&tt_req_node->list); - batadv_tt_req_node_put(tt_req_node); + if (!hlist_unhashed(&tt_req_node->list)) { + hlist_del_init(&tt_req_node->list); + batadv_tt_req_node_put(tt_req_node); + } spin_unlock_bh(&bat_priv->tt.req_list_lock); }