batman-adv: Correct rcu refcounting for orig_node

It might be possible that 2 threads access the same data in the same
rcu grace period. The first thread calls call_rcu() to decrement the
refcount and free the data while the second thread increases the
refcount to use the data. To avoid this race condition all refcount
operations have to be atomic.

Reported-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>

1 files changed, 9 insertions, 6 deletions

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index cd8a58396d26..8d15b48d1692 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -589,17 +589,20 @@ void hna_global_free(struct bat_priv *bat_priv)
 struct orig_node *transtable_search(struct bat_priv *bat_priv, uint8_t *addr)
 {
         struct hna_global_entry *hna_global_entry;
+        struct orig_node *orig_node = NULL;
 
         spin_lock_bh(&bat_priv->hna_ghash_lock);
         hna_global_entry = hna_global_hash_find(bat_priv, addr);
 
-        if (hna_global_entry)
-                kref_get(&hna_global_entry->orig_node->refcount);
+        if (!hna_global_entry)
+                goto out;
 
-        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+        if (!atomic_inc_not_zero(&hna_global_entry->orig_node->refcount))
+                goto out;
 
-        if (!hna_global_entry)
-                return NULL;
+        orig_node = hna_global_entry->orig_node;
 
-        return hna_global_entry->orig_node;
+out:
+        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+        return orig_node;
 }