summaryrefslogtreecommitdiffstats
path: root/net/batman-adv
diff options
context:
space:
mode:
authorSven Eckelmann <sven@narfation.org>2016-03-05 16:09:17 +0100
committerAntonio Quartulli <a@unstable.cc>2016-05-10 18:28:29 +0800
commit4fe56e60ac1be4d103f64743d0a36fd31a70657c (patch)
tree655b231a0971e2b1a39404af5e37b9b9577e12e3 /net/batman-adv
parent273534468f050744b32054f84a1e20ee6b5bd329 (diff)
downloadlinux-4fe56e60ac1be4d103f64743d0a36fd31a70657c.tar.gz
linux-4fe56e60ac1be4d103f64743d0a36fd31a70657c.tar.bz2
linux-4fe56e60ac1be4d103f64743d0a36fd31a70657c.zip
batman-adv: Check hard_iface refcnt when receiving skb
The receive function may start processing an incoming packet while the hard_iface is shut down in a different context. All called functions called with the batadv_hard_iface object belonging to the incoming interface would have to check whether the reference counter is still > 0. This is rather error-prone because this check can be forgotten easily. Instead check the reference counter when receiving the object to make sure that all called functions have a valid reference. Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch> Signed-off-by: Antonio Quartulli <a@unstable.cc>
Diffstat (limited to 'net/batman-adv')
-rw-r--r--net/batman-adv/main.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c
index 78c05a91ae6f..c8d8bc78a518 100644
--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -401,11 +401,19 @@ int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
hard_iface = container_of(ptype, struct batadv_hard_iface,
batman_adv_ptype);
+
+ /* Prevent processing a packet received on an interface which is getting
+ * shut down otherwise the packet may trigger de-reference errors
+ * further down in the receive path.
+ */
+ if (!kref_get_unless_zero(&hard_iface->refcount))
+ goto err_out;
+
skb = skb_share_check(skb, GFP_ATOMIC);
/* skb was released by skb_share_check() */
if (!skb)
- goto err_out;
+ goto err_put;
/* packet should hold at least type and version */
if (unlikely(!pskb_may_pull(skb, 2)))
@@ -448,6 +456,8 @@ int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
if (ret == NET_RX_DROP)
kfree_skb(skb);
+ batadv_hardif_put(hard_iface);
+
/* return NET_RX_SUCCESS in any case as we
* most probably dropped the packet for
* routing-logical reasons.
@@ -456,6 +466,8 @@ int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
err_free:
kfree_skb(skb);
+err_put:
+ batadv_hardif_put(hard_iface);
err_out:
return NET_RX_DROP;
}