summaryrefslogtreecommitdiff
path: root/net/tipc/name_distr.c
diff options
context:
space:
mode:
authorAllan Stephens <Allan.Stephens@windriver.com>2011-02-23 21:51:15 +0300
committerPaul Gortmaker <paul.gortmaker@windriver.com>2011-03-13 23:35:16 +0300
commit431697eb60d2d36614096aff12bd1b826a9f9bc1 (patch)
treeb9923f1d8b90438920fe16b6f3650a3ce40d6147 /net/tipc/name_distr.c
parenta3796f895ff2917aea331a8d40036c73452b2203 (diff)
downloadlinux-431697eb60d2d36614096aff12bd1b826a9f9bc1.tar.xz
tipc: Prevent null pointer error when removing a node subscription
Prevents a null pointer dereference from occurring if a node subscription is triggered at the same time that the subscribing port or publication is terminating the subscription. The problem arises if the triggering routine asynchronously activates and deregisters the node subscription while deregistration is already underway -- the deregistration routine may find that the pointer it has just verified to be non-NULL is now NULL. To avoid this race condition the triggering routine now simply marks the node subscription as defunct (to prevent it from re-activating) instead of deregistering it. The subscription is now both deregistered and destroyed only when the subscribing port or publication code terminates the node subscription. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Diffstat (limited to 'net/tipc/name_distr.c')
-rw-r--r--net/tipc/name_distr.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 483c226c9581..1d4a18aa9ccc 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -2,7 +2,7 @@
* net/tipc/name_distr.c: TIPC name distribution code
*
* Copyright (c) 2000-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -221,7 +221,6 @@ exit:
* In rare cases the link may have come back up again when this
* function is called, and we have two items representing the same
* publication. Nudge this item's key to distinguish it from the other.
- * (Note: Publication's node subscription is already unsubscribed.)
*/
static void node_is_down(struct publication *publ)
@@ -232,6 +231,8 @@ static void node_is_down(struct publication *publ)
publ->key += 1222345;
p = tipc_nametbl_remove_publ(publ->type, publ->lower,
publ->node, publ->ref, publ->key);
+ if (p)
+ tipc_nodesub_unsubscribe(&p->subscr);
write_unlock_bh(&tipc_nametbl_lock);
if (p != publ) {