tipc: Prevent null pointer error when removing a node subscription

Prevents a null pointer dereference from occurring if a node subscription is triggered at the same time that the subscribing port or publication is terminating the subscription. The problem arises if the triggering routine asynchronously activates and deregisters the node subscription while deregistration is already underway -- the deregistration routine may find that the pointer it has just verified to be non-NULL is now NULL. To avoid this race condition the triggering routine now simply marks the node subscription as defunct (to prevent it from re-activating) instead of deregistering it. The subscription is now both deregistered and destroyed only when the subscribing port or publication code terminates the node subscription. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
author: Allan Stephens <Allan.Stephens@windriver.com> 2011-02-23 13:51:15 -0500
committer: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-03-13 16:35:16 -0400
commit: 431697eb60d2d36614096aff12bd1b826a9f9bc1 (patch)
tree: b9923f1d8b90438920fe16b6f3650a3ce40d6147
parent: a3796f895ff2917aea331a8d40036c73452b2203 (diff)
2 files changed, 10 insertions, 8 deletions
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 483c226c9581..1d4a18aa9ccc 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -2,7 +2,7 @@
 * net/tipc/name_distr.c: TIPC name distribution code
 *
 * Copyright (c) 2000-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -221,7 +221,6 @@ exit:
 * In rare cases the link may have come back up again when this
 * function is called, and we have two items representing the same
 * publication. Nudge this item's key to distinguish it from the other.
- * (Note: Publication's node subscription is already unsubscribed.)
 */
 static void node_is_down(struct publication *publ)
@@ -232,6 +231,8 @@ static void node_is_down(struct publication *publ)
        publ->key += 1222345;
        p = tipc_nametbl_remove_publ(publ->type, publ->lower,
                                     publ->node, publ->ref, publ->key);
+        if (p)
+                tipc_nodesub_unsubscribe(&p->subscr);
        write_unlock_bh(&tipc_nametbl_lock);
        if (p != publ) {
diff --git a/net/tipc/node.c b/net/tipc/node.c
index 14f98c81d313..8926caaf1fc5 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -327,7 +327,7 @@ static void node_cleanup_finished(unsigned long node_addr)
 static void node_lost_contact(struct tipc_node *n_ptr)
 {
-        struct tipc_node_subscr *ns, *tns;
+        struct tipc_node_subscr *ns;
        char addr_string[16];
        u32 i;
@@ -365,11 +365,12 @@ static void node_lost_contact(struct tipc_node *n_ptr)
        }
        /* Notify subscribers */
-        list_for_each_entry_safe(ns, tns, &n_ptr->nsub, nodesub_list) {
+        list_for_each_entry(ns, &n_ptr->nsub, nodesub_list) {
-                ns->node = NULL;
+                if (ns->handle_node_down) {
-                list_del_init(&ns->nodesub_list);
+                        tipc_k_signal((Handler)ns->handle_node_down,
-                tipc_k_signal((Handler)ns->handle_node_down,
+                                      (unsigned long)ns->usr_handle);
-                              (unsigned long)ns->usr_handle);
+                        ns->handle_node_down = NULL;
+                }
        }
        /* Prevent re-contact with node until all cleanup is done */
author	Allan Stephens <Allan.Stephens@windriver.com>	2011-02-23 13:51:15 -0500
committer	Paul Gortmaker <paul.gortmaker@windriver.com>	2011-03-13 16:35:16 -0400
commit	431697eb60d2d36614096aff12bd1b826a9f9bc1 (patch)
tree	b9923f1d8b90438920fe16b6f3650a3ce40d6147
parent	a3796f895ff2917aea331a8d40036c73452b2203 (diff)