When unicast_send_skb() is increasing the orig_node's refcount another thread might have been freeing this orig_node already. We need to increase the refcount in the rcu read lock protected area to avoid that.
Signed-off-by: Linus Lüssing <[email protected]>
---
gateway_client.c | 3 +++
unicast.c | 1 -
2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/batman-adv/gateway_client.c b/batman-adv/gateway_client.c
index 4624515..b3cda22 100644
--- a/batman-adv/gateway_client.c
+++ b/batman-adv/gateway_client.c
@@ -55,6 +55,9 @@ void *gw_get_selected(struct bat_priv *bat_priv)
 }
 orig_node = curr_gateway_tmp->orig_node;
+ if (orig_node)
+ kref_get(&orig_node->refcount);
+
 rcu_read_unlock();
 return orig_node;
diff --git a/batman-adv/unicast.c b/batman-adv/unicast.c
index 580b547..f4f5115 100644
--- a/batman-adv/unicast.c
+++ b/batman-adv/unicast.c
@@ -298,7 +298,6 @@ int unicast_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv)
 if (!orig_node)
 goto trans_search;
- kref_get(&orig_node->refcount);
 goto find_router;
 } else {
 rcu_read_lock();
--
1.7.2.3
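Review bot: The added `kref_get(&orig_node->refcount)` in gw_get_selected() can still race with the final put, because the RCU read section only delays the free and does not stop the count from having already reached zero. In that case the caller gets a pointer to an object that is freed once the grace period ends. An increment-unless-zero primitive closes that window, e.g. `if (orig_node && !kref_get_unless_zero(&orig_node->refcount)) orig_node = NULL;` where the kernel provides it (older trees need an `atomic_inc_not_zero()`-based counter instead). The function also now returns an owned reference, so every caller has to drop it, not only unicast_send_skb(), which is the only one adjusted here; a comment above the function such as `/* returns orig_node with its refcount increased; the caller must release it */` would make that contract visible. gw_get_selected() starts before this hunk, so the matching rcu_read_lock() and the way orig_node is freed are assumed rather than seen.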
