batman-adv: Correct rcu refcounting for neigh_node

[firefly-linux-kernel-4.4.55.git] / net / batman-adv / unicast.c

diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c
index 00bfeaf9ece37097eb0d4a3639048ecfcf916246..7ca994ccac1d04adc276f215c99cc4981995f12a 100644 (file)
--- a/net/batman-adv/unicast.c
+++ b/net/batman-adv/unicast.c
@@ -285,38 +285,42 @@ int unicast_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv)
        struct unicast_packet *unicast_packet;
        struct orig_node *orig_node = NULL;
        struct batman_if *batman_if;
-       struct neigh_node *router;
+       struct neigh_node *neigh_node;
        int data_len = skb->len;
        uint8_t dstaddr[6];
+       int ret = 1;
 
        spin_lock_bh(&bat_priv->orig_hash_lock);
 
        /* get routing information */
        if (is_multicast_ether_addr(ethhdr->h_dest))
                orig_node = (struct orig_node *)gw_get_selected(bat_priv);
+               if (orig_node) {
+                       kref_get(&orig_node->refcount);
+                       goto find_router;
+       }
 
-       /* check for hna host */
-       if (!orig_node)
-               orig_node = transtable_search(bat_priv, ethhdr->h_dest);
+       /* check for hna host - increases orig_node refcount */
+       orig_node = transtable_search(bat_priv, ethhdr->h_dest);
 
+find_router:
        /* find_router() increases neigh_nodes refcount if found. */
-       router = find_router(bat_priv, orig_node, NULL);
+       neigh_node = find_router(bat_priv, orig_node, NULL);
 
-       if (!router)
+       if (!neigh_node)
                goto unlock;
 
-       /* don't lock while sending the packets ... we therefore
-               * copy the required data before sending */
-       batman_if = router->if_incoming;
-       memcpy(dstaddr, router->addr, ETH_ALEN);
-
-       spin_unlock_bh(&bat_priv->orig_hash_lock);
-
-       if (batman_if->if_status != IF_ACTIVE)
-               goto dropped;
+       if (neigh_node->if_incoming->if_status != IF_ACTIVE)
+               goto unlock;
 
        if (my_skb_head_push(skb, sizeof(struct unicast_packet)) < 0)
-               goto dropped;
+               goto unlock;
+
+       /* don't lock while sending the packets ... we therefore
+        * copy the required data before sending */
+       batman_if = neigh_node->if_incoming;
+       memcpy(dstaddr, neigh_node->addr, ETH_ALEN);
+       spin_unlock_bh(&bat_priv->orig_hash_lock);
 
        unicast_packet = (struct unicast_packet *)skb->data;
 
@@ -330,18 +334,25 @@ int unicast_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv)
 
        if (atomic_read(&bat_priv->fragmentation) &&
            data_len + sizeof(struct unicast_packet) >
-           batman_if->net_dev->mtu) {
+                                               batman_if->net_dev->mtu) {
                /* send frag skb decreases ttl */
                unicast_packet->ttl++;
-               return frag_send_skb(skb, bat_priv, batman_if,
-                                    dstaddr);
+               ret = frag_send_skb(skb, bat_priv, batman_if, dstaddr);
+               goto out;
        }
+
        send_skb_packet(skb, batman_if, dstaddr);
-       return 0;
+       ret = 0;
+       goto out;
 
 unlock:
        spin_unlock_bh(&bat_priv->orig_hash_lock);
-dropped:
-       kfree_skb(skb);
-       return 1;
+out:
+       if (neigh_node)
+               neigh_node_free_ref(neigh_node);
+       if (orig_node)
+               kref_put(&orig_node->refcount, orig_node_free_ref);
+       if (ret == 1)
+               kfree_skb(skb);
+       return ret;
 }