• Johannes Berg's avatar
    mac80211: mesh: fix call_rcu() usage · c2e703a5
    Johannes Berg authored
    When using call_rcu(), the called function may be delayed quite
    significantly, and without a matching rcu_barrier() there's no
    way to be sure it has finished.
    Therefore, global state that could be gone/freed/reused should
    never be touched in the callback.
    
    Fix this in mesh by moving the atomic_dec() into the caller;
    that's not really a problem since we already unlinked the path
    and it will be destroyed anyway.
    
    This fixes a crash Jouni observed when running certain tests in
    a certain order, in which the mesh interface was torn down, the
    memory reused for a function pointer (work struct) and running
    that then crashed since the pointer had been decremented by 1,
    resulting in an invalid instruction byte stream.
    
    Cc: stable@vger.kernel.org
    Fixes: eb2b9311 ("mac80211: mesh path table implementation")
    Reported-by: default avatarJouni Malinen <j@w1.fi>
    Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
    c2e703a5
mesh_pathtbl.c 29.3 KB