On Tue, Jan 26, 2016 at 12:41:25PM +0100, Johannes Berg wrote:
> > + mpp = node->mpath;
> > + if (ether_addr_equal(mpp->mpp, proxy)) {
> > + spin_lock(&tbl->hashwlock[i]);
> > + __mesh_path_del(tbl, node);
> > + spin_unlock(&tbl->hashwlock[i]);
>
> It also doesn't seem like for_each_mesh_entry() can deal with "node"
> getting deleted from underneath it? It accesses it through
> hlist_next_rcu() after the deletion, so you have a use-after-free here
> afaict.

But __mesh_path_del() doesn't free it immediately: it does:

	hlist_del_rcu(&node->list);
	call_rcu(&node->rcu, mesh_path_node_reclaim);

...so this should be ok if in an rcu read-side critical section, right?

-- 
Bob Copeland %% http://bobcopeland.com/
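Review bot: The safety of deleting "node" from inside the for_each_mesh_entry() loop rests entirely on the traversal running under rcu_read_lock(), which the quoted hunk does not show: __mesh_path_del() unlinks with hlist_del_rcu() and defers the free via call_rcu(), so the node and its next pointer stay valid for an in-flight RCU reader, but the spin_lock(&tbl->hashwlock[i]) taken around the call only serialises writers and gives the reader side no protection. Please confirm the caller holds the RCU read lock across the whole loop (or takes it around the traversal), and add a short comment next to the spin_lock() stating that the loop relies on hlist_del_rcu()'s deferred reclaim so a later reader of this code does not mistake the lock for the thing that makes the iteration safe.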