On Tue, Jan 26, 2016 at 7:36 PM, Bob Copeland <me@xxxxxxxxxxxxxxx> wrote:
> On Tue, Jan 26, 2016 at 12:41:25PM +0100, Johannes Berg wrote:
>> > + mpp = node->mpath;
>> > + if (ether_addr_equal(mpp->mpp, proxy)) {
>> > + spin_lock(&tbl->hashwlock[i]);
>> > + __mesh_path_del(tbl, node);
>> > + spin_unlock(&tbl->hashwlock[i]);
>>
>> It also doesn't seem like for_each_mesh_entry() can deal with "node"
>> getting deleted from underneath it? It accesses it through
>> hlist_next_rcu() after the deletion, so you have a use-after-free here
>> afaict.
>
> But __mesh_path_del() doesn't free it immediately: it does:
>
>     hlist_del_rcu(&node->list);
>     call_rcu(&node->rcu, mesh_path_node_reclaim);
>
> ...so this should be ok if in an rcu read-side critical section, right?

The code is a direct copy of what was going on in the cleanup path of the
mpath objects... just modified to run on the mpp objects.

Henning
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
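Review bot: the hashwlock[i] spinlock is taken only around __mesh_path_del(), so the hunk is safe to continue the for_each_mesh_entry() walk after the deletion only if the whole walk runs inside an RCU read-side critical section (rcu_read_lock()/rcu_read_unlock()) or with the bucket write lock held for the entire traversal; the quoted hunk shows neither. As Bob notes, __mesh_path_del() does hlist_del_rcu() plus call_rcu(), which leaves node->list.next intact and defers the free, so reading the next pointer after the delete is fine under a grace period but is exactly the use-after-free Johannes raises if the loop is not protected. Please either show the rcu_read_lock() context in the hunk or state in the commit message which protection the caller relies on, and check that the "i" used for hashwlock[i] is the same bucket index for_each_mesh_entry() is currently walking.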
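The point Bob and Johannes are arguing over, as an added user-space model that is not part of this thread or of the mac80211 mesh code: a tiny hlist with a deferred-free queue standing in for call_rcu(), walked the way for_each_mesh_entry() walks a bucket (the body runs, then the iterator reads node->next). Deleting with the hlist_del_rcu() equivalent leaves next intact, so the walk finishes and the nodes are reclaimed after the "grace period"; deleting with the plain hlist_del() equivalent poisons next, and the same walk hits the stale pointer. All names, the poison value and the sample addresses are assumptions constructed for the illustration; in the real kernel the non-RCU case would free the memory outright, here the node is parked so the stale read is detected rather than undefined.

```c
/* Added example: user-space model of deleting hlist nodes during an RCU walk.
 * Not from the linux-wireless thread or the mac80211 mesh code. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ETH_ALEN 6
#define NEXT_POISON ((struct mpp_node *)0x100) /* assumed stand-in for LIST_POISON1 */

struct mpp_node {
    unsigned char mpp[ETH_ALEN]; /* proxied address, like mesh_path->mpp */
    struct mpp_node *next;
    struct mpp_node **pprev;
    struct mpp_node *rcu_next;   /* link on the deferred-free queue */
};

struct bucket { struct mpp_node *first; };

static struct mpp_node *pending_free; /* what call_rcu_model() has queued */
static int freed_count;

static void hlist_add_head_model(struct mpp_node *n, struct bucket *b)
{
    n->next = b->first;
    if (b->first)
        b->first->pprev = &n->next;
    b->first = n;
    n->pprev = &b->first;
}

static void unlink_node(struct mpp_node *n)
{
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
}

/* hlist_del_rcu(): unlink but leave n->next alone, so an in-progress
 * walk can still step from n to its successor. */
static void hlist_del_rcu_model(struct mpp_node *n)
{
    unlink_node(n);
    n->pprev = NULL;
}

/* Plain hlist_del(): unlink and poison n->next. */
static void hlist_del_model(struct mpp_node *n)
{
    unlink_node(n);
    n->next = NEXT_POISON;
    n->pprev = NULL;
}

/* call_rcu(): the actual free only happens after the grace period. */
static void call_rcu_model(struct mpp_node *n)
{
    n->rcu_next = pending_free;
    pending_free = n;
}

/* End of grace period: run every deferred free. Only legal once no
 * reader can still hold a pointer to a queued node. */
static void grace_period_model(void)
{
    while (pending_free) {
        struct mpp_node *n = pending_free;
        pending_free = n->rcu_next;
        free(n);
        freed_count++;
    }
}

static void add_entry(struct bucket *b, const unsigned char mpp[ETH_ALEN])
{
    struct mpp_node *n = calloc(1, sizeof(*n));
    memcpy(n->mpp, mpp, ETH_ALEN);
    hlist_add_head_model(n, b);
}

/* Mirrors the patch's loop: delete matching entries mid-walk, then step
 * through node->next as hlist_next_rcu() would. deferred=false models an
 * immediate free (poison + park). Returns the number of entries deleted;
 * *stale counts reads of a poisoned next pointer (a use-after-free). */
static int delete_proxied(struct bucket *b, const unsigned char proxy[ETH_ALEN],
                          bool deferred, int *stale)
{
    int deleted = 0;
    *stale = 0;
    for (struct mpp_node *node = b->first; node; ) {
        if (memcmp(node->mpp, proxy, ETH_ALEN) == 0) {
            if (deferred)
                hlist_del_rcu_model(node);
            else
                hlist_del_model(node);
            call_rcu_model(node); /* parked either way so the test can reclaim */
            deleted++;
        }
        if (node->next == NEXT_POISON) { /* stale read: stop instead of crashing */
            (*stale)++;
            break;
        }
        node = node->next;
    }
    return deleted;
}

static int count_entries(const struct bucket *b)
{
    int n = 0;
    for (const struct mpp_node *p = b->first; p; p = p->next)
        n++;
    return n;
}

/* Constructed scenario: four entries, two proxied by `proxy`. Returns the
 * entries left after the walk; *deleted, *stale, *freed give the rest. */
static int run_scenario(bool deferred, int *deleted, int *stale, int *freed)
{
    static const unsigned char a[] = {0, 0, 0, 0, 0, 1}, proxy[] = {0, 0, 0, 0, 0, 2},
                               d[] = {0, 0, 0, 0, 0, 4};
    struct bucket b = {0};
    add_entry(&b, a); add_entry(&b, proxy); add_entry(&b, proxy); add_entry(&b, d);
    freed_count = 0;
    *deleted = delete_proxied(&b, proxy, deferred, stale);
    grace_period_model(); /* walk is over, so reclaiming is safe now */
    *freed = freed_count;
    int left = count_entries(&b);
    while (b.first) { struct mpp_node *n = b.first; unlink_node(n); free(n); }
    return left;
}

int main(void)
{
    int del, stale, freed, left;
    left = run_scenario(true, &del, &stale, &freed);
    printf("rcu:   left=%d deleted=%d stale=%d freed=%d\n", left, del, stale, freed);
    left = run_scenario(false, &del, &stale, &freed);
    printf("plain: left=%d deleted=%d stale=%d freed=%d\n", left, del, stale, freed);
    return 0;
}
```

The model also shows why Bob's "if in an rcu read-side critical section" qualifier matters: grace_period_model() is only called after the walk returns, which is what rcu_read_unlock() guarantees in the kernel; calling it from inside delete_proxied() would free a node the iterator is about to read from.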