From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Sven Eckelmann", "Simon Wunderlich"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 218/328] batman-adv: Prevent duplicated softif_vlan entry

3.16.62-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann

commit 94cb82f594ed86be303398d6dfc7640a6f1d45d4 upstream.

The function batadv_softif_vlan_get is responsible for adding new
softif_vlan to the softif_vlan_list. It first checks whether the entry
already is in the list or not. If it is, then the creation of a new entry
is aborted.

But the lock for the list is only held when the list is really modified.
This could lead to duplicated entries because another context could create
an entry with the same key between the check and the list manipulation.

The check and the manipulation of the list must therefore be in the same
locked code section.

Fixes: 5d2c05b21337 ("batman-adv: add per VLAN interface attribute framework")
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
[bwh: Backported to 3.16:
 - s/kref_get/atomic_inc/
 - s/_put/_free_ref/]
Signed-off-by: Ben Hutchings
---
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -506,15 +506,20 @@ int batadv_softif_create_vlan(struct bat struct batadv_softif_vlan *vlan; int err; + spin_lock_bh(&bat_priv->softif_vlan_list_lock); + vlan = batadv_softif_vlan_get(bat_priv, vid); if (vlan) { batadv_softif_vlan_free_ref(vlan); + spin_unlock_bh(&bat_priv->softif_vlan_list_lock); return -EEXIST; } vlan = kzalloc(sizeof(*vlan), GFP_ATOMIC); - if (!vlan) + if (!vlan) { + spin_unlock_bh(&bat_priv->softif_vlan_list_lock); return -ENOMEM; + } vlan->bat_priv = bat_priv; vlan->vid = vid; @@ -522,17 +527,23 @@ int batadv_softif_create_vlan(struct bat atomic_set(&vlan->ap_isolation, 0); + atomic_inc(&vlan->refcount); + hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list); + spin_unlock_bh(&bat_priv->softif_vlan_list_lock); + + /* batadv_sysfs_add_vlan cannot be in the spinlock section due to the + * sleeping behavior of the sysfs functions and the fs_reclaim lock + */ err = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan); if (err) { - kfree(vlan); + /* ref for the function */ + batadv_softif_vlan_free_ref(vlan); + + /* ref for the list */ + batadv_softif_vlan_free_ref(vlan); return err; } - spin_lock_bh(&bat_priv->softif_vlan_list_lock); - atomic_inc(&vlan->refcount); - hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list); - spin_unlock_bh(&bat_priv->softif_vlan_list_lock); - /* add a new TT local entry. This one will be marked with the NOPURGE * flag */
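Review bot: In the first hunk (@@ -506,15 +506,20 @@), the -EEXIST path calls batadv_softif_vlan_free_ref(vlan) while softif_vlan_list_lock is still held, and the patch does not show whether that helper can take the same lock when it drops the last reference. Swapping the two lines so that spin_unlock_bh() runs before batadv_softif_vlan_free_ref() is safe either way and keeps the lookup itself inside the locked section. The unlock is also repeated in both early returns. A single unlock-and-return label would make it harder for a later change to add an exit that leaves the spinlock held.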
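Review bot: In the second hunk (@@ -522,17 +527,23 @@), the new entry is published with hlist_add_head_rcu() before batadv_sysfs_add_vlan() has succeeded, so between the unlock and a sysfs failure other contexts can find a VLAN that is about to be torn down. The error path shows no explicit hlist_del_rcu(): it relies on the second batadv_softif_vlan_free_ref() ("ref for the list") to unlink the entry. If a concurrent lookup took its own reference in that window, the entry stays on softif_vlan_list after the function has returned err. Either unlink it explicitly under the lock on the error path, or extend the comment to state that the final free_ref performs the unlink and that late holders are expected.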