On Tue, 2016-01-26 at 13:36 -0500, Bob Copeland wrote:
> On Tue, Jan 26, 2016 at 12:41:25PM +0100, Johannes Berg wrote:
> > > + mpp = node->mpath; > > > + if (ether_addr_equal(mpp->mpp, proxy)) { > > > + spin_lock(&tbl->hashwlock[i]); > > > + __mesh_path_del(tbl, node); > > > + spin_unlock(&tbl->hashwlock[i]);
> >
> > It also doesn't seem like for_each_mesh_entry() can deal with "node"
> > getting deleted from underneath it? It accesses it through
> > hlist_next_rcu() after the deletion, so you have a use-after-free here
> > afaict.
>
> But __mesh_path_del() doesn't free it immediately: it does:
>
>     hlist_del_rcu(&node->list);
>     call_rcu(&node->rcu, mesh_path_node_reclaim);
>
> ...so this should be ok if in an rcu read-side critical section,
> right?

Oh. Interesting. Yeah, I guess that should be OK then. It's not *nice*,
since that's pretty much unexpected, and you then do need the
rcu_read_lock() ... hmm.

johannes
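
Review bot: the `__mesh_path_del(tbl, node)` call inside the `ether_addr_equal()` branch unlinks the node that the enclosing for_each_mesh_entry() walk is still positioned on, and the walk then reads that node's next pointer through hlist_next_rcu(). As the thread works out, this is safe only because __mesh_path_del() defers the free with call_rcu(), so the loop silently depends on running inside an RCU read-side critical section, which the quoted lines do not show. Suggest making that dependency explicit: take rcu_read_lock() around the walk (or document that the caller must hold it), and add a comment at the deletion stating that the unlinked node stays valid until the grace period ends, so a later change to an immediate free does not turn this into a use-after-free.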