git.openwrt.org Git - openwrt/staging/blogic.git/commit

author	Sven Eckelmann <sven@narfation.org>
	Mon, 3 Nov 2014 22:38:47 +0000 (23:38 +0100)
committer	Hauke Mehrtens <hauke@hauke-m.de>
	Sun, 16 Nov 2014 15:09:27 +0000 (16:09 +0100)
commit	3a1429a6e59f0e61720bb523e3b93d015a9fa63a
tree	3edc0ecfadcb622111f0de525aad313bd9d0b842	tree \| snapshot
parent	3ac54b41f6a65e88da6d5ed6703778dc50a60590	commit \| diff

backport: Fix double fetch in hlist_for_each_entry*_rcu

The backported (<3.9) version of hlist_for_each_entry_rcu and
hlist_for_each_entry_safe uses the new macro hlist_entry_safe. It is called
with an ACCESS_ONCE parameter for the first parameter ptr. This disallows
merging of the two loads which the current version of the macro uses.

This is problematic because this macro must only generate one load. Otherwise
with two contexts (or CPUs) following could happen:

1. context 1 fetches the ptr to the last entry in hlist_entry_safe() and
   accepts this non-NULL ptr

2. context 2 deletes the last entry and terminates the list with NULL

3. context 1 re-fetches the pointer, doesn't check for zero, calculates the
   entry based on a NULL pointer

4. context 1 crashes because it tries to load/write data from/to the invalid
   address

Instead use a single load to a temporary variable and do the NULL-check and
calculation based on that one. This is also the approach used in the current
Linux versions and was introduced by Paul E. McKenney.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>