On Tue, 2016-01-19 at 09:04 +0100, Henning Rogge wrote:
>
> +static void mpp_flush_by_proxy(struct ieee80211_sub_if_data *sdata,
> +			       const u8 *proxy)
> +{
> +	struct mesh_table *tbl;
> +	struct mesh_path *mpp;
> +	struct mpath_node *node;
> +	int i;
> +
> +	rcu_read_lock();
> +	read_lock_bh(&pathtbl_resize_lock);
> +	tbl = resize_dereference_mpp_paths();
> +	for_each_mesh_entry(tbl, node, i) {

It does not seem to me that the rcu_read_lock() above is necessary or
correct; though it's probably not hurting, it should be removed to avoid
having misleading code.

> +		mpp = node->mpath;
> +		if (ether_addr_equal(mpp->mpp, proxy)) {
> +			spin_lock(&tbl->hashwlock[i]);
> +			__mesh_path_del(tbl, node);
> +			spin_unlock(&tbl->hashwlock[i]);

It also doesn't seem like for_each_mesh_entry() can deal with "node"
getting deleted from underneath it? It accesses it through
hlist_next_rcu() after the deletion, so you have a use-after-free here
afaict.

johannes
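Review bot: The loop in this hunk calls __mesh_path_del(tbl, node) on the very node it is positioned on and then advances from that node, so whether the walk stays valid depends entirely on what __mesh_path_del does with the node's memory: if it only unlinks the entry and defers the free to an RCU grace period, the rcu_read_lock() taken at the top of the function is exactly what keeps the traversal safe and should stay rather than be removed; if it frees the node immediately, this is a use-after-free on the next iteration regardless of the hashwlock[i] spin lock, which only serialises writers. The commit message should state which case applies, and if it is the latter the loop needs a safe-iteration form that captures the next pointer before the delete (or collects matches first and deletes after the walk). Separately, since the function holds read_lock_bh(&pathtbl_resize_lock) across the whole walk and deletes under spin_lock(&tbl->hashwlock[i]) per bucket, a one-line comment on why both the resize read lock and the per-bucket lock are needed here would save the next reader from re-deriving the locking rules.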