summaryrefslogtreecommitdiffstats
path: root/net/tipc/bearer.c
diff options
context:
space:
mode:
authorYing Xue <ying.xue@windriver.com>2014-04-21 10:55:52 +0800
committerDavid S. Miller <davem@davemloft.net>2014-04-22 21:17:53 -0400
commita8b9b96e959f3c035af20b1bd2ba67b0b7269b19 (patch)
tree02d52832745176ee6d63579f50d375caddd1fc62 /net/tipc/bearer.c
parent28dd94187afd660a350d01d6bad4a915a6d570b8 (diff)
downloadlinux-a8b9b96e959f3c035af20b1bd2ba67b0b7269b19.tar.bz2
tipc: fix race in disc create/delete
Commit a21a584d6720ce349b05795b9bcfab3de8e58419 (tipc: fix neighbor detection problem after hw address change) introduces a race condition involving tipc_disc_delete() and tipc_disc_add/remove_dest that can cause TIPC to dereference the pointer to the bearer discovery request structure after it has been freed since a stray pointer is left in the bearer structure. In order to fix the issue, the process of resetting the discovery request handler is optimized: the discovery request handler and request buffer are just reset instead of being freed, allocated and initialized. As the request point is always valid and the request's lock is taken while the request handler is reset, the race doesn't happen any more. Reported-by: Erik Hugne <erik.hugne@ericsson.com> Signed-off-by: Ying Xue <ying.xue@windriver.com> Reviewed-by: Erik Hugne <erik.hugne@ericsson.com> Tested-by: Erik Hugne <erik.hugne@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc/bearer.c')
-rw-r--r--net/tipc/bearer.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 3abd9702b887..f3259d4133b6 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -365,9 +365,8 @@ restart:
static int tipc_reset_bearer(struct tipc_bearer *b_ptr)
{
pr_info("Resetting bearer <%s>\n", b_ptr->name);
- tipc_disc_delete(b_ptr->link_req);
tipc_link_reset_list(b_ptr->identity);
- tipc_disc_create(b_ptr, &b_ptr->bcast_addr);
+ tipc_disc_reset(b_ptr);
return 0;
}