tipc: acquire necessary locks in named_cluster_distribute routine
authorYing Xue <ying.xue@windriver.com>
Thu, 27 Mar 2014 04:54:32 +0000 (12:54 +0800)
committerDavid S. Miller <davem@davemloft.net>
Thu, 27 Mar 2014 17:08:36 +0000 (13:08 -0400)
The 'tipc_node_list' is guarded by tipc_net_lock and 'links' array
defined in 'tipc_node' structure is protected by node lock as well.
Without acquiring the two locks in named_cluster_distribute() a fatal
oops may happen in case that a destroyed link might be got and then
accessed. Therefore, above mentioned two locks must be held in
named_cluster_distribute() to prevent the issue from happening
accidentally.

As 'links' array in node struct must be protected by node lock,
we have to move the code of selecting an active link from
tipc_link_xmit() to named_cluster_distribute() and then call
__tipc_link_xmit() with the selected link to deliver name messages.

Signed-off-by: Ying Xue <ying.xue@windriver.com>
Reviewed-by: Erik Hugne <erik.hugne@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/tipc/name_distr.c

index 893c49a3d98a240120a8255e9e18780d465574c3..c5904d196cd3f522d4c4a17893135adac0b48650 100644 (file)
@@ -131,16 +131,24 @@ static void named_cluster_distribute(struct sk_buff *buf)
 {
        struct sk_buff *buf_copy;
        struct tipc_node *n_ptr;
+       struct tipc_link *l_ptr;
 
+       read_lock_bh(&tipc_net_lock);
        list_for_each_entry(n_ptr, &tipc_node_list, list) {
-               if (tipc_node_active_links(n_ptr)) {
+               spin_lock_bh(&n_ptr->lock);
+               l_ptr = n_ptr->active_links[n_ptr->addr & 1];
+               if (l_ptr) {
                        buf_copy = skb_copy(buf, GFP_ATOMIC);
-                       if (!buf_copy)
+                       if (!buf_copy) {
+                               spin_unlock_bh(&n_ptr->lock);
                                break;
+                       }
                        msg_set_destnode(buf_msg(buf_copy), n_ptr->addr);
-                       tipc_link_xmit(buf_copy, n_ptr->addr, n_ptr->addr);
+                       __tipc_link_xmit(l_ptr, buf_copy);
                }
+               spin_unlock_bh(&n_ptr->lock);
        }
+       read_unlock_bh(&tipc_net_lock);
 
        kfree_skb(buf);
 }