From: Ying Xue <ying.xue@windriver.com>
Date: Tue, 2 Dec 2014 07:00:27 +0000 (+0800)
Subject: tipc: any name table member must be protected under name table lock
X-Git-Tag: firefly_0821_release~176^2~2717^2~87^2~3
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=3493d25cfb5eee9d0045c2720878a26dcbeafa73;p=firefly-linux-kernel-4.4.55.git

tipc: any name table member must be protected under name table lock

As tipc_nametbl_lock is used to protect name_table structure, the lock
must be held while all members of name_table structure are accessed.
However, the lock is not obtained while a member of name_table
structure - local_publ_count is read in tipc_nametbl_publish(), as
a consequence, an inconsistent value of local_publ_count might be got.

Signed-off-by: Ying Xue <ying.xue@windriver.com>
Reviewed-by: Erik Hugne <erik.hugne@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
Tested-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/tipc/name_table.c b/net/tipc/name_table.c
index 0d61f5826407..93bac40292c1 100644
--- a/net/tipc/name_table.c
+++ b/net/tipc/name_table.c
@@ -656,13 +656,14 @@ struct publication *tipc_nametbl_publish(u32 type, u32 lower, u32 upper,
 	struct publication *publ;
 	struct sk_buff *buf = NULL;
 
+	write_lock_bh(&tipc_nametbl_lock);
 	if (tipc_nametbl->local_publ_count >= TIPC_MAX_PUBLICATIONS) {
 		pr_warn("Publication failed, local publication limit reached (%u)\n",
 			TIPC_MAX_PUBLICATIONS);
+		write_unlock_bh(&tipc_nametbl_lock);
 		return NULL;
 	}
 
-	write_lock_bh(&tipc_nametbl_lock);
 	publ = tipc_nametbl_insert_publ(type, lower, upper, scope,
 				   tipc_own_addr, port_ref, key);
 	if (likely(publ)) {