batman-adv: Check hard_iface refcnt when receiving skb
authorSven Eckelmann <sven@narfation.org>
Sat, 5 Mar 2016 15:09:17 +0000 (16:09 +0100)
committerAntonio Quartulli <a@unstable.cc>
Tue, 10 May 2016 10:28:29 +0000 (18:28 +0800)
The receive function may start processing an incoming packet while the
hard_iface is shut down in a different context. All functions called
with the batadv_hard_iface object belonging to the incoming interface would
have to check whether the reference counter is still > 0.

This is rather error-prone because this check can be forgotten easily.
Instead check the reference counter when receiving the object to make sure
that all called functions have a valid reference.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
net/batman-adv/main.c

index 78c05a91ae6fa62a0d898b5316c2312aabfb4044..c8d8bc78a518e6be6c9825dfb592c5769062f588 100644 (file)
@@ -401,11 +401,19 @@ int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
 
        hard_iface = container_of(ptype, struct batadv_hard_iface,
                                  batman_adv_ptype);
+
+       /* Prevent processing a packet received on an interface which is getting
+        * shut down otherwise the packet may trigger de-reference errors
+        * further down in the receive path.
+        */
+       if (!kref_get_unless_zero(&hard_iface->refcount))
+               goto err_out;
+
        skb = skb_share_check(skb, GFP_ATOMIC);
 
        /* skb was released by skb_share_check() */
        if (!skb)
-               goto err_out;
+               goto err_put;
 
        /* packet should hold at least type and version */
        if (unlikely(!pskb_may_pull(skb, 2)))
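Review bot: The new early exit `goto err_out` on a failed `kref_get_unless_zero()` returns NET_RX_DROP without freeing the skb, because `err_out` (last hunk) sits below both `kfree_skb(skb)` and the put, and `skb_share_check()` has not run yet, so the buffer is still live. Assuming the packet handler owns the skb it is handed, as the existing `err_free` path suggests, each packet that arrives while the interface is being torn down would be leaked, so traffic during that window costs kernel memory. Freeing before the jump would close it, e.g. `if (!kref_get_unless_zero(&hard_iface->refcount)) { kfree_skb(skb); goto err_out; }`, or a separate label that frees the skb without calling `batadv_hardif_put()`. The function body starts and continues outside this hunk, so the ownership assumption should be confirmed against the caller.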
@@ -448,6 +456,8 @@ int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
        if (ret == NET_RX_DROP)
                kfree_skb(skb);
 
+       batadv_hardif_put(hard_iface);
+
        /* return NET_RX_SUCCESS in any case as we
         * most probably dropped the packet for
         * routing-logical reasons.
@@ -456,6 +466,8 @@ int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
 
 err_free:
        kfree_skb(skb);
+err_put:
+       batadv_hardif_put(hard_iface);
 err_out:
        return NET_RX_DROP;
 }