From: Marek Lindner <lindner_marek@yahoo.de>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: netdev@vger.kernel.org,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Simon Wunderlich <siwu@hrz.tu-chemnitz.de>,
Dave Jones <davej@redhat.com>,
Sasha Levin <sasha.levin@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [B.A.T.M.A.N.] batman-adv: gpf in batadv_slide_own_bcast_window
Date: Tue, 26 Feb 2013 13:52:46 +0800 [thread overview]
Message-ID: <201302261352.47191.lindner_marek@yahoo.de> (raw)
In-Reply-To: <5127BAD2.1040007@oracle.com>
On Saturday, February 23, 2013 02:37:06 Sasha Levin wrote:
> I'm confused about how batadv_orig_hash_del_if removes an interface from
> the hashtable. I see the hashtable is using rcu to protect it, but when we
> delete an entry we free it straight away by calling
> batadv_orig_node_del_if() and not going through kfree_rcu().
>
> Is there a reason behind doing that, or might it be the cause of the
> problem we're seeing here?
Maybe I am overlooking something but it seems to me access to this memory is
protected by the same lock: orig_node->ogm_cnt_lock
Before batadv_orig_node_del_if() is called this lock is acquired and
batadv_slide_own_bcast_window() also attempts acquire the orig_node-
>ogm_cnt_lock spinlock before writing to this chunk of memory.
Do we know for certain that batadv_orig_hash_del_if() is involved or is that a
guess at this point ? If you ask me the next for-loop in
batadv_orig_hash_del_if() looks more suspicious than the first one. The
interfaces get renumbered without any protection. Could be a regression from
the orig_hash_lock removal (the comments refer to a now inexisting lock).
Cheers,
Marek
WARNING: multiple messages have this Message-ID (diff)
From: Marek Lindner <lindner_marek@yahoo.de>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: Sasha Levin <sasha.levin@oracle.com>,
Antonio Quartulli <ordex@autistici.org>,
netdev@vger.kernel.org,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Simon Wunderlich <siwu@hrz.tu-chemnitz.de>,
Dave Jones <davej@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [B.A.T.M.A.N.] batman-adv: gpf in batadv_slide_own_bcast_window
Date: Tue, 26 Feb 2013 13:52:46 +0800 [thread overview]
Message-ID: <201302261352.47191.lindner_marek@yahoo.de> (raw)
In-Reply-To: <5127BAD2.1040007@oracle.com>
On Saturday, February 23, 2013 02:37:06 Sasha Levin wrote:
> I'm confused about how batadv_orig_hash_del_if removes an interface from
> the hashtable. I see the hashtable is using rcu to protect it, but when we
> delete an entry we free it straight away by calling
> batadv_orig_node_del_if() and not going through kfree_rcu().
>
> Is there a reason behind doing that, or might it be the cause of the
> problem we're seeing here?
Maybe I am overlooking something but it seems to me access to this memory is
protected by the same lock: orig_node->ogm_cnt_lock
Before batadv_orig_node_del_if() is called this lock is acquired and
batadv_slide_own_bcast_window() also attempts acquire the orig_node-
>ogm_cnt_lock spinlock before writing to this chunk of memory.
Do we know for certain that batadv_orig_hash_del_if() is involved or is that a
guess at this point ? If you ask me the next for-loop in
batadv_orig_hash_del_if() looks more suspicious than the first one. The
interfaces get renumbered without any protection. Could be a regression from
the orig_hash_lock removal (the comments refer to a now inexisting lock).
Cheers,
Marek
WARNING: multiple messages have this Message-ID (diff)
From: Marek Lindner <lindner_marek-LWAfsSFWpa4@public.gmane.org>
To: b.a.t.m.a.n-ZwoEplunGu2X36UT3dwllkB+6BGkLq7r@public.gmane.org
Cc: netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Simon Wunderlich
<siwu-MaAgPAbsBIVS8oHt8HbXEIQuADTiUCJX@public.gmane.org>,
Dave Jones <davej-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Sasha Levin <sasha.levin-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
"David S. Miller" <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
Subject: Re: batman-adv: gpf in batadv_slide_own_bcast_window
Date: Tue, 26 Feb 2013 13:52:46 +0800 [thread overview]
Message-ID: <201302261352.47191.lindner_marek@yahoo.de> (raw)
In-Reply-To: <5127BAD2.1040007-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
On Saturday, February 23, 2013 02:37:06 Sasha Levin wrote:
> I'm confused about how batadv_orig_hash_del_if removes an interface from
> the hashtable. I see the hashtable is using rcu to protect it, but when we
> delete an entry we free it straight away by calling
> batadv_orig_node_del_if() and not going through kfree_rcu().
>
> Is there a reason behind doing that, or might it be the cause of the
> problem we're seeing here?
Maybe I am overlooking something but it seems to me access to this memory is
protected by the same lock: orig_node->ogm_cnt_lock
Before batadv_orig_node_del_if() is called this lock is acquired and
batadv_slide_own_bcast_window() also attempts acquire the orig_node-
>ogm_cnt_lock spinlock before writing to this chunk of memory.
Do we know for certain that batadv_orig_hash_del_if() is involved or is that a
guess at this point ? If you ask me the next for-loop in
batadv_orig_hash_del_if() looks more suspicious than the first one. The
interfaces get renumbered without any protection. Could be a regression from
the orig_hash_lock removal (the comments refer to a now inexisting lock).
Cheers,
Marek
next prev parent reply other threads:[~2013-02-26 5:52 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-22 16:54 [B.A.T.M.A.N.] batman-adv: gpf in batadv_slide_own_bcast_window Sasha Levin
2013-02-22 16:54 ` Sasha Levin
2013-02-22 17:06 ` [B.A.T.M.A.N.] " Antonio Quartulli
2013-02-22 17:06 ` Antonio Quartulli
2013-02-22 18:37 ` [B.A.T.M.A.N.] " Sasha Levin
2013-02-22 18:37 ` Sasha Levin
2013-02-26 5:52 ` Marek Lindner [this message]
2013-02-26 5:52 ` Marek Lindner
2013-02-26 5:52 ` [B.A.T.M.A.N.] " Marek Lindner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201302261352.47191.lindner_marek@yahoo.de \
--to=lindner_marek@yahoo.de \
--cc=b.a.t.m.a.n@lists.open-mesh.org \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sasha.levin@oracle.com \
--cc=siwu@hrz.tu-chemnitz.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.