batman-adv: Make bat_priv->primary_if an rcu protected pointer

The rcu protected macros rcu_dereference() and rcu_assign_pointer()
for the bat_priv->primary_if need to be used, as well as spin/rcu locking.

Otherwise we might end up using a primary_if pointer pointing to already
freed memory.

Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Sven Eckelmann <sven@narfation.org>

1 files changed, 12 insertions, 6 deletions

diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 2d77bd3a3e9a..49f571553050 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -904,6 +904,7 @@ int recv_bat_packet(struct sk_buff *skb, struct hard_iface *hard_iface)
 static int recv_my_icmp_packet(struct bat_priv *bat_priv,
                                struct sk_buff *skb, size_t icmp_len)
 {
+        struct hard_iface *primary_if = NULL;
         struct orig_node *orig_node = NULL;
         struct neigh_node *router = NULL;
         struct icmp_packet_rr *icmp_packet;
@@ -917,7 +918,8 @@ static int recv_my_icmp_packet(struct bat_priv *bat_priv,
                 goto out;
         }
 
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
                 goto out;
 
         /* answer echo request (ping) */
@@ -937,8 +939,7 @@ static int recv_my_icmp_packet(struct bat_priv *bat_priv,
         icmp_packet = (struct icmp_packet_rr *)skb->data;
 
         memcpy(icmp_packet->dst, icmp_packet->orig, ETH_ALEN);
-        memcpy(icmp_packet->orig,
-                bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+        memcpy(icmp_packet->orig, primary_if->net_dev->dev_addr, ETH_ALEN);
         icmp_packet->msg_type = ECHO_REPLY;
         icmp_packet->ttl = TTL;
 
@@ -946,6 +947,8 @@ static int recv_my_icmp_packet(struct bat_priv *bat_priv,
         ret = NET_RX_SUCCESS;
 
 out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
         if (router)
                 neigh_node_free_ref(router);
         if (orig_node)
@@ -956,6 +959,7 @@ out:
 static int recv_icmp_ttl_exceeded(struct bat_priv *bat_priv,
                                   struct sk_buff *skb)
 {
+        struct hard_iface *primary_if = NULL;
         struct orig_node *orig_node = NULL;
         struct neigh_node *router = NULL;
         struct icmp_packet *icmp_packet;
@@ -971,7 +975,8 @@ static int recv_icmp_ttl_exceeded(struct bat_priv *bat_priv,
                 goto out;
         }
 
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
                 goto out;
 
         /* get routing information */
@@ -990,8 +995,7 @@ static int recv_icmp_ttl_exceeded(struct bat_priv *bat_priv,
         icmp_packet = (struct icmp_packet *)skb->data;
 
         memcpy(icmp_packet->dst, icmp_packet->orig, ETH_ALEN);
-        memcpy(icmp_packet->orig,
-                bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+        memcpy(icmp_packet->orig, primary_if->net_dev->dev_addr, ETH_ALEN);
         icmp_packet->msg_type = TTL_EXCEEDED;
         icmp_packet->ttl = TTL;
 
@@ -999,6 +1003,8 @@ static int recv_icmp_ttl_exceeded(struct bat_priv *bat_priv,
         ret = NET_RX_SUCCESS;
 
 out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
         if (router)
                 neigh_node_free_ref(router);
         if (orig_node)