batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown

The receiver shutdown timer handler, batadv_tp_receiver_shutdown(), is
responsible for releasing the tp_vars reference it holds. However, the
existing logic for coordinating this release with batadv_tp_stop_all() was
flawed.

timer_shutdown_sync() guarantees the timer will not fire again after it
returns, but it returns non-zero only when the timer was pending at the
time of the call. If the timer had already expired (and
batadv_tp_stop_all() would unsucessfully try to  rearm itself),
batadv_tp_stop_all() skips its batadv_tp_vars_put(), and
batadv_tp_receiver_shutdown() fails to put its own reference as well.

Fix this by introducing a new atomic variable receiving that is set to 1
when the receiver is initialized and cleared atomically with atomic_xchg()
by whichever side claims it first. Only the side that observes the
transition from 1 to 0 is responsible for releasing the tp_vars timer
reference, eliminating the uncertainty.

Cc: stable@kernel.org
Fixes: 3d3cf6a7314a ("batman-adv: stop tp_meter sessions during mesh teardown")
Signed-off-by: Sven Eckelmann <sven@narfation.org>

diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index a4397aa881dd44a89d7b139e12661da1cf182df5..ca6c3f6374bc5d7ed7df56cc7bc99c0e3dfd0ebb 100644 (file)
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -8,6 +8,7 @@
 #include "main.h"
 
 #include <linux/atomic.h>
+#include <linux/bug.h>
 #include <linux/build_bug.h>
 #include <linux/byteorder/generic.h>
 #include <linux/cache.h>
@@ -1156,6 +1157,9 @@ static void batadv_tp_receiver_shutdown(struct timer_list *t)
        spin_unlock_bh(&tp_vars->unacked_lock);
 
        /* drop reference of timer */
+       if (WARN_ON(atomic_xchg(&tp_vars->receiving, 0) != 1))
+               return;
+
        batadv_tp_vars_put(tp_vars);
 }
 
@@ -1374,6 +1378,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
 
        ether_addr_copy(tp_vars->other_end, icmp->orig);
        tp_vars->role = BATADV_TP_RECEIVER;
+       atomic_set(&tp_vars->receiving, 1);
        memcpy(tp_vars->session, icmp->session, sizeof(tp_vars->session));
        tp_vars->last_recv = BATADV_TP_FIRST_SEQ;
        tp_vars->bat_priv = bat_priv;
@@ -1546,8 +1551,12 @@ void batadv_tp_stop_all(struct batadv_priv *bat_priv)
                        break;
                case BATADV_TP_RECEIVER:
                        batadv_tp_list_detach(tp_var);
-                       if (timer_shutdown_sync(&tp_var->timer))
-                               batadv_tp_vars_put(tp_var);
+                       timer_shutdown_sync(&tp_var->timer);
+
+                       if (atomic_xchg(&tp_var->receiving, 0) != 1)
+                               break;
+
+                       batadv_tp_vars_put(tp_var);
                        break;
                }
 

diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index daa06f421154290b5bed4068c225fe4f167a7b32..b9c0b777912266880f412145a4a070aded8f3026 100644 (file)
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1323,6 +1323,9 @@ struct batadv_tp_vars {
        /** @sending: sending binary semaphore: 1 if sending, 0 is not */
        atomic_t sending;
 
+       /** @receiving: receiving binary semaphore: 1 if receiving, 0 is not */
+       atomic_t receiving;
+
        /** @reason: reason for a stopped session */
        enum batadv_tp_meter_reason reason;