Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2232101imm;
        Thu, 18 Oct 2018 11:06:01 -0700 (PDT)
X-Google-Smtp-Source: ACcGV61Cj7zYfHKoiNHao2anREyLpawMGfuxa5bl1i0nrxYu65xa0HsrSLZYJ4Z3IrcQauNgM/0W
X-Received: by 2002:a63:81c6:: with SMTP id t189-v6mr2339176pgd.230.1539885961672;
        Thu, 18 Oct 2018 11:06:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539885961; cv=none;
        d=google.com; s=arc-20160816;
        b=ljTzEAN7H9yb9n5ogSAmtVqVn7W02kEzMrzrwanNoIcnLckoDukZtgxv0y8dYRwbmS
         vnHVEgGEyzxKIkqVJ2h/pmyId5MET3olQiBdNsOS9z/KirBK50tiEsfUnGVpcCyOAbXn
         YkBlz17qiPLQMHgH+NmJ8fO3wfmFQtiXYowsEIM2nQrPol+SQe75ua53OfvdpAvCeqw2
         CWXtgvzIQZMERktQj8lA4/P3ScMNTWYhvpbiE9o9jXhnVVJ9kvs9mvwXiMV8ujd9nWQw
         ln583x93+oFdLxuQVb85hz7kb/8bbm0o9UHVrNbQSS/C8GIIpYltLec36H69KTD2/Qbg
         2t3w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=ReYvgU89y8+sdm5AyqkXLTJfAqYJu73eo1AVItzu+0Y=;
        b=c6MVgKBC+zlwam0IysoSvKIyHkzgz+uEHoE/1lseZyFatvv7LV3xJlfVSJ0cD6lbMG
         HNmnK8fSZc6n1ATxgutioqJXZkc3pOGUyEgBbdORP61qvPodYf3IwUadUeAYm02eu0gw
         Exyhj0qzHTfkWAAAx6S8euMrqAYg9sMIlERv426eaaQg3AivL8BYDUH+BXoN7rP0NBK4
         +j2hqZH7HG+CkBuTV/L7EMJdxNm87Evv8hLB9Tlgtf204M98W9z1oBVQxHbX/EYUCwgD
         uugM70NJi9O6whvUoqkowqPudHqyvFcUIftAx+I/M2BMO3zvSOk0j70GsDtqgIOeOMoR
         fqVw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=mBe6UYs4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k6-v6si22282225pla.156.2018.10.18.11.05.45;
        Thu, 18 Oct 2018 11:06:01 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=mBe6UYs4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730072AbeJSCGY (ORCPT <rfc822;zjuysxie86@gmail.com>
        + 99 others); Thu, 18 Oct 2018 22:06:24 -0400
Received: from mail.kernel.org ([198.145.29.99]:54708 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728416AbeJSCGX (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Oct 2018 22:06:23 -0400
Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id EE2CF21476;
        Thu, 18 Oct 2018 18:04:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1539885856;
        bh=pa7Km0qXxdMCaFF8C+tBCQApzwRE8BQXdZDGHz1eeDg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=mBe6UYs486eoPRuFIlGKnf9PeiVL1sDlg0Bo2qGAkonPE3WXVMcCaHcJwGbrbjUtu
         yd+otIBnRxT8jzr2KLH83M6UcSlLzhNbYL7ZpsXlB9JpGf9GBOItX08GRkv3ekOtng
         TTPZXcuATUTlvA5uYq0TBevjPx5asKSiM33u11X4=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Sven Eckelmann <sven@narfation.org>,
        Marek Lindner <mareklindner@neomailbox.ch>,
        Simon Wunderlich <sw@simonwunderlich.de>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.9 04/35] batman-adv: Prevent duplicated nc_node entry
Date:   Thu, 18 Oct 2018 19:54:33 +0200
Message-Id: <20181018175423.118670097@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181018175422.506152522@linuxfoundation.org>
References: <20181018175422.506152522@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

[ Upstream commit fa122fec8640eb7186ce5a41b83a4c1744ceef8f ]

The function batadv_nc_get_nc_node is responsible for adding new nc_nodes
to the in_coding_list and out_coding_list. It first checks whether the
entry already is in the list or not. If it is, then the creation of a new
entry is aborted.

But the lock for the list is only held when the list is really modified.
This could lead to duplicated entries because another context could create
an entry with the same key between the check and the list manipulation.

The check and the manipulation of the list must therefore be in the same
locked code section.

Fixes: d56b1705e28c ("batman-adv: network coding - detect coding nodes and remove these after timeout")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/network-coding.c |   27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

--- a/net/batman-adv/network-coding.c
+++ b/net/batman-adv/network-coding.c
@@ -845,16 +845,27 @@ batadv_nc_get_nc_node(struct batadv_priv
 	spinlock_t *lock; /* Used to lock list selected by "int in_coding" */
 	struct list_head *list;
 
+	/* Select ingoing or outgoing coding node */
+	if (in_coding) {
+		lock = &orig_neigh_node->in_coding_list_lock;
+		list = &orig_neigh_node->in_coding_list;
+	} else {
+		lock = &orig_neigh_node->out_coding_list_lock;
+		list = &orig_neigh_node->out_coding_list;
+	}
+
+	spin_lock_bh(lock);
+
 	/* Check if nc_node is already added */
 	nc_node = batadv_nc_find_nc_node(orig_node, orig_neigh_node, in_coding);
 
 	/* Node found */
 	if (nc_node)
-		return nc_node;
+		goto unlock;
 
 	nc_node = kzalloc(sizeof(*nc_node), GFP_ATOMIC);
 	if (!nc_node)
-		return NULL;
+		goto unlock;
 
 	/* Initialize nc_node */
 	INIT_LIST_HEAD(&nc_node->list);
@@ -863,22 +874,14 @@ batadv_nc_get_nc_node(struct batadv_priv
 	kref_get(&orig_neigh_node->refcount);
 	nc_node->orig_node = orig_neigh_node;
 
-	/* Select ingoing or outgoing coding node */
-	if (in_coding) {
-		lock = &orig_neigh_node->in_coding_list_lock;
-		list = &orig_neigh_node->in_coding_list;
-	} else {
-		lock = &orig_neigh_node->out_coding_list_lock;
-		list = &orig_neigh_node->out_coding_list;
-	}
-
 	batadv_dbg(BATADV_DBG_NC, bat_priv, "Adding nc_node %pM -> %pM\n",
 		   nc_node->addr, nc_node->orig_node->orig);
 
 	/* Add nc_node to orig_node */
-	spin_lock_bh(lock);
 	kref_get(&nc_node->refcount);
 	list_add_tail_rcu(&nc_node->list, list);
+
+unlock:
 	spin_unlock_bh(lock);
 
 	return nc_node;