From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Sven Eckelmann", "Simon Wunderlich"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 220/328] batman-adv: Prevent duplicated tvlv handler

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann

commit ae3cdc97dc10c7a3b31f297dab429bfb774c9ccb upstream.

The function batadv_tvlv_handler_register is responsible for adding new
tvlv_handler to the handler_list. It first checks whether the entry
already is in the list or not. If it is, then the creation of a new entry
is aborted.

But the lock for the list is only held when the list is really modified.
This could lead to duplicated entries because another context could create
an entry with the same key between the check and the list manipulation.

The check and the manipulation of the list must therefore be in the same
locked code section.

Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings
---
 net/batman-adv/main.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/batman-adv/main.c +++ b/net/batman-adv/main.c
@@ -1058,15 +1058,20 @@ void batadv_tvlv_handler_register(struct { struct batadv_tvlv_handler *tvlv_handler; + spin_lock_bh(&bat_priv->tvlv.handler_list_lock); + tvlv_handler = batadv_tvlv_handler_get(bat_priv, type, version); if (tvlv_handler) { + spin_unlock_bh(&bat_priv->tvlv.handler_list_lock); batadv_tvlv_handler_free_ref(tvlv_handler); return; } tvlv_handler = kzalloc(sizeof(*tvlv_handler), GFP_ATOMIC); - if (!tvlv_handler) + if (!tvlv_handler) { + spin_unlock_bh(&bat_priv->tvlv.handler_list_lock); return; + } tvlv_handler->ogm_handler = optr; tvlv_handler->unicast_handler = uptr; @@ -1076,7 +1081,6 @@ void batadv_tvlv_handler_register(struct atomic_set(&tvlv_handler->refcount, 1); INIT_HLIST_NODE(&tvlv_handler->list); - spin_lock_bh(&bat_priv->tvlv.handler_list_lock); hlist_add_head_rcu(&tvlv_handler->list, &bat_priv->tvlv.handler_list); spin_unlock_bh(&bat_priv->tvlv.handler_list_lock); }
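
Review bot: In the first hunk, handler_list_lock is now dropped at three separate places (the duplicate-found return, the kzalloc failure return, and the existing spin_unlock_bh after hlist_add_head_rcu), so an early return added later between the lookup and the insertion would leave the lock held with bottom halves disabled. Consider funnelling the exit paths through a single unlock label, and add a one-line comment at the new spin_lock_bh call stating that the lock must cover both batadv_tvlv_handler_get and hlist_add_head_rcu, since that pairing is the invariant the commit message describes and the second hunk leaves the final unlock far from its matching lock. The kzalloc call now runs inside the locked section; it already passes GFP_ATOMIC, so it is safe under the spinlock, but that dependency is worth noting in the same comment so the flag is not relaxed later.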