From 340b6e59fbc6ac97469253315c96e952908c9c0d Mon Sep 17 00:00:00 2001 From: Richard Alpe Date: Wed, 10 Dec 2014 09:46:54 +0100 Subject: [PATCH] tipc: fix broadcast wakeup contention after congestion commit 908344cdda80 ("tipc: fix bug in multicast congestion handling") introduced a race in the broadcast link wakeup functionality. This patch eliminates this broadcast link wakeup race caused by operation on the wakeup list without proper locking. If this race hit and corrupted the list all subsequent wakeup messages would be lost, resulting in a considerable memory leak. Signed-off-by: Richard Alpe Signed-off-by: Erik Hugne Signed-off-by: David S. Miller --- net/tipc/link.c | 8 ++++---- net/tipc/node.c | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/net/tipc/link.c b/net/tipc/link.c index 34bf15c90c78..23bcc1132365 100644 --- a/net/tipc/link.c +++ b/net/tipc/link.c @@ -293,7 +293,7 @@ struct tipc_link *tipc_link_create(struct tipc_node *n_ptr, l_ptr->next_out_no = 1; __skb_queue_head_init(&l_ptr->outqueue); __skb_queue_head_init(&l_ptr->deferred_queue); - __skb_queue_head_init(&l_ptr->waiting_sks); + skb_queue_head_init(&l_ptr->waiting_sks); link_reset_statistics(l_ptr); @@ -358,7 +358,7 @@ static bool link_schedule_user(struct tipc_link *link, u32 oport, return false; TIPC_SKB_CB(buf)->chain_sz = chain_sz; TIPC_SKB_CB(buf)->chain_imp = imp; - __skb_queue_tail(&link->waiting_sks, buf); + skb_queue_tail(&link->waiting_sks, buf); link->stats.link_congs++; return true; } @@ -378,8 +378,8 @@ static void link_prepare_wakeup(struct tipc_link *link) if (pend_qsz >= link->queue_limit[TIPC_SKB_CB(skb)->chain_imp]) break; pend_qsz += TIPC_SKB_CB(skb)->chain_sz; - __skb_unlink(skb, &link->waiting_sks); - __skb_queue_tail(&link->owner->waiting_sks, skb); + skb_unlink(skb, &link->waiting_sks); + skb_queue_tail(&link->owner->waiting_sks, skb); } } diff --git a/net/tipc/node.c b/net/tipc/node.c index 69b96be09a86..8d353ec77a66 100644 --- a/net/tipc/node.c +++ b/net/tipc/node.c @@ -115,7 +115,7 @@ struct tipc_node *tipc_node_create(u32 addr) INIT_LIST_HEAD(&n_ptr->list); INIT_LIST_HEAD(&n_ptr->publ_list); INIT_LIST_HEAD(&n_ptr->conn_sks); - __skb_queue_head_init(&n_ptr->waiting_sks); + skb_queue_head_init(&n_ptr->waiting_sks); __skb_queue_head_init(&n_ptr->bclink.deferred_queue); hlist_add_head_rcu(&n_ptr->hash, &node_htable[tipc_hashfn(addr)]); -- 2.39.5