From: Sasha Levin
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Sven Eckelmann, Simon Wunderlich, Sasha Levin
Subject: [PATCH AUTOSEL 4.18 10/58] batman-adv: Prevent duplicated nc_node entry
Date: Mon, 8 Oct 2018 11:24:35 -0400
Message-Id: <20181008152523.70705-10-sashal@kernel.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181008152523.70705-1-sashal@kernel.org>
References: <20181008152523.70705-1-sashal@kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sven Eckelmann

[ Upstream commit fa122fec8640eb7186ce5a41b83a4c1744ceef8f ]

The function batadv_nc_get_nc_node is responsible for adding new nc_nodes
to the in_coding_list and out_coding_list. It first checks whether the
entry already is in the list or not. If it is, then the creation of a new
entry is aborted.

But the lock for the list is only held when the list is really modified.
This could lead to duplicated entries because another context could create
an entry with the same key between the check and the list manipulation.

The check and the manipulation of the list must therefore be in the same
locked code section.

Fixes: d56b1705e28c ("batman-adv: network coding - detect coding nodes and remove these after timeout")
Signed-off-by: Sven Eckelmann
Acked-by: Marek Lindner
Signed-off-by: Simon Wunderlich
Signed-off-by: Sasha Levin
---
 net/batman-adv/network-coding.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c index c3578444f3cb..34caf129a9bf 100644 --- a/net/batman-adv/network-coding.c +++ b/net/batman-adv/network-coding.c
@@ -854,16 +854,27 @@ batadv_nc_get_nc_node(struct batadv_priv *bat_priv, spinlock_t *lock; /* Used to lock list selected by "int in_coding" */ struct list_head *list; + /* Select ingoing or outgoing coding node */ + if (in_coding) { + lock = &orig_neigh_node->in_coding_list_lock; + list = &orig_neigh_node->in_coding_list; + } else { + lock = &orig_neigh_node->out_coding_list_lock; + list = &orig_neigh_node->out_coding_list; + } + + spin_lock_bh(lock); + /* Check if nc_node is already added */ nc_node = batadv_nc_find_nc_node(orig_node, orig_neigh_node, in_coding); /* Node found */ if (nc_node) - return nc_node; + goto unlock; nc_node = kzalloc(sizeof(*nc_node), GFP_ATOMIC); if (!nc_node) - return NULL; + goto unlock; /* Initialize nc_node */ INIT_LIST_HEAD(&nc_node->list); @@ -872,22 +883,14 @@ batadv_nc_get_nc_node(struct batadv_priv *bat_priv, kref_get(&orig_neigh_node->refcount); nc_node->orig_node = orig_neigh_node; - /* Select ingoing or outgoing coding node */ - if (in_coding) { - lock = &orig_neigh_node->in_coding_list_lock; - list = &orig_neigh_node->in_coding_list; - } else { - lock = &orig_neigh_node->out_coding_list_lock; - list = &orig_neigh_node->out_coding_list; - } - batadv_dbg(BATADV_DBG_NC, bat_priv, "Adding nc_node %pM -> %pM\n", nc_node->addr, nc_node->orig_node->orig); /* Add nc_node to orig_node */ - spin_lock_bh(lock); kref_get(&nc_node->refcount); list_add_tail_rcu(&nc_node->list, list); + +unlock: spin_unlock_bh(lock); return nc_node; -- 2.17.1
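
Review bot: In the first hunk, batadv_nc_find_nc_node() is now called with spin_lock_bh(lock) held, but nothing at the call site records that the lookup and the later list_add_tail_rcu() have to stay in one critical section, which is the invariant this fix depends on. A one-line comment above spin_lock_bh(lock) saying so would keep a later cleanup from moving the lock back down to the insert. It is also worth confirming that batadv_nc_find_nc_node() never takes in_coding_list_lock or out_coding_list_lock itself, since that would now self-deadlock; its body is not part of this patch.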
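
Review bot: In the second hunk, the section with bottom halves disabled now covers the kzalloc(), the nc_node initialization, kref_get(&orig_neigh_node->refcount) and the batadv_dbg() print, not only the list_add_tail_rcu() as before. GFP_ATOMIC keeps the allocation legal under the spinlock, but consider allocating and initializing nc_node before spin_lock_bh(lock) and freeing it when the lookup finds an existing entry, so only the check and the insert are serialized. The shared unlock: label also returns nc_node for three outcomes (existing entry found, allocation failed with NULL, new entry added), which deserves a short comment at the label.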