From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Marek Lindner Date: Tue, 26 Feb 2013 13:52:46 +0800 References: <5127A2AF.9030502@oracle.com> <20130222170621.GU3523@ritirata.org> <5127BAD2.1040007@oracle.com> In-Reply-To: <5127BAD2.1040007@oracle.com> MIME-Version: 1.0 Content-Type: Text/Plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <201302261352.47191.lindner_marek@yahoo.de> Subject: Re: [B.A.T.M.A.N.] batman-adv: gpf in batadv_slide_own_bcast_window Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking List-Id: The list for a Better Approach To Mobile Ad-hoc Networking List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: b.a.t.m.a.n@lists.open-mesh.org Cc: netdev@vger.kernel.org, "linux-kernel@vger.kernel.org" , Simon Wunderlich , Dave Jones , Sasha Levin , "David S. Miller" On Saturday, February 23, 2013 02:37:06 Sasha Levin wrote: > I'm confused about how batadv_orig_hash_del_if removes an interface from > the hashtable. I see the hashtable is using rcu to protect it, but when we > delete an entry we free it straight away by calling > batadv_orig_node_del_if() and not going through kfree_rcu(). > > Is there a reason behind doing that, or might it be the cause of the > problem we're seeing here? Maybe I am overlooking something but it seems to me access to this memory is protected by the same lock: orig_node->ogm_cnt_lock Before batadv_orig_node_del_if() is called this lock is acquired and batadv_slide_own_bcast_window() also attempts acquire the orig_node- >ogm_cnt_lock spinlock before writing to this chunk of memory. Do we know for certain that batadv_orig_hash_del_if() is involved or is that a guess at this point ? If you ask me the next for-loop in batadv_orig_hash_del_if() looks more suspicious than the first one. The interfaces get renumbered without any protection. Could be a regression from the orig_hash_lock removal (the comments refer to a now inexisting lock). Cheers, Marek From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758146Ab3BZF7P (ORCPT ); Tue, 26 Feb 2013 00:59:15 -0500 Received: from nm36-vm8.bullet.mail.sg3.yahoo.com ([106.10.151.95]:40797 "EHLO nm36-vm8.bullet.mail.sg3.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752275Ab3BZF7O (ORCPT ); Tue, 26 Feb 2013 00:59:14 -0500 X-Greylist: delayed 381 seconds by postgrey-1.27 at vger.kernel.org; Tue, 26 Feb 2013 00:59:12 EST X-Yahoo-Newman-Id: 968749.82824.bm@smtp128.mail.sg3.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: tYXNM_cVM1k33B4TvrWrOZTlHasi.Wk7bYiGHlckywuBjns 4rWg1jDOYkXiVkZuYeQVoAD0awCJtRDtUz.TPpXFzocKeErQzbismYcL72Ab qxhv83o2tSDdxQqahoMZ3PCCzwRnAImMK5NuVqKyIZCUPR_NMFda8W1ddklP yjUPWJJEiuYDO0cxHnEmMic9T81Mybz8nw7DTLVPzCdFbdQh6y1JFQzlzm0C iaJYXPr7mke4eL7slwXGW0smdWvzkkJ.L.vRC2fQsdvDG0TlNql8Lv_.3p9L ITdRNOGqXggdfVeOX.w9q.h8OUKGnVa.buFkul1B5fL6LssqjcMPiHjsHKaT BqWe0v.KltBaNi.VPe6Pr6E4Lam6J1pqMz.RNXdCZddY.QPCJb73vJuuwZ4c QKq4a0QxokQUpfpTZCfi_K2DsF2jCZGNQKjJ6F9FFnOZNPw-- X-Yahoo-SMTP: tW.h3tiswBBMXO2coYcbPigGD5Lt6zY_.Zc- From: Marek Lindner To: b.a.t.m.a.n@lists.open-mesh.org Subject: Re: [B.A.T.M.A.N.] batman-adv: gpf in batadv_slide_own_bcast_window Date: Tue, 26 Feb 2013 13:52:46 +0800 User-Agent: KMail/1.13.7 (Linux/3.2.0-4-amd64; KDE/4.8.4; x86_64; ; ) Cc: Sasha Levin , Antonio Quartulli , netdev@vger.kernel.org, "linux-kernel@vger.kernel.org" , Simon Wunderlich , Dave Jones , "David S. Miller" References: <5127A2AF.9030502@oracle.com> <20130222170621.GU3523@ritirata.org> <5127BAD2.1040007@oracle.com> In-Reply-To: <5127BAD2.1040007@oracle.com> MIME-Version: 1.0 Content-Type: Text/Plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <201302261352.47191.lindner_marek@yahoo.de> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Saturday, February 23, 2013 02:37:06 Sasha Levin wrote: > I'm confused about how batadv_orig_hash_del_if removes an interface from > the hashtable. I see the hashtable is using rcu to protect it, but when we > delete an entry we free it straight away by calling > batadv_orig_node_del_if() and not going through kfree_rcu(). > > Is there a reason behind doing that, or might it be the cause of the > problem we're seeing here? Maybe I am overlooking something but it seems to me access to this memory is protected by the same lock: orig_node->ogm_cnt_lock Before batadv_orig_node_del_if() is called this lock is acquired and batadv_slide_own_bcast_window() also attempts acquire the orig_node- >ogm_cnt_lock spinlock before writing to this chunk of memory. Do we know for certain that batadv_orig_hash_del_if() is involved or is that a guess at this point ? If you ask me the next for-loop in batadv_orig_hash_del_if() looks more suspicious than the first one. The interfaces get renumbered without any protection. Could be a regression from the orig_hash_lock removal (the comments refer to a now inexisting lock). Cheers, Marek From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marek Lindner Subject: Re: batman-adv: gpf in batadv_slide_own_bcast_window Date: Tue, 26 Feb 2013 13:52:46 +0800 Message-ID: <201302261352.47191.lindner_marek@yahoo.de> References: <5127A2AF.9030502@oracle.com> <20130222170621.GU3523@ritirata.org> <5127BAD2.1040007@oracle.com> Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking Mime-Version: 1.0 Content-Type: Text/Plain; charset="utf-8" Content-Transfer-Encoding: 7bit Cc: netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" , Simon Wunderlich , Dave Jones , Sasha Levin , "David S. Miller" To: b.a.t.m.a.n-ZwoEplunGu2X36UT3dwllkB+6BGkLq7r@public.gmane.org Return-path: In-Reply-To: <5127BAD2.1040007-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: b.a.t.m.a.n-bounces-ZwoEplunGu2X36UT3dwllkB+6BGkLq7r@public.gmane.org Sender: "B.A.T.M.A.N" List-Id: netdev.vger.kernel.org On Saturday, February 23, 2013 02:37:06 Sasha Levin wrote: > I'm confused about how batadv_orig_hash_del_if removes an interface from > the hashtable. I see the hashtable is using rcu to protect it, but when we > delete an entry we free it straight away by calling > batadv_orig_node_del_if() and not going through kfree_rcu(). > > Is there a reason behind doing that, or might it be the cause of the > problem we're seeing here? Maybe I am overlooking something but it seems to me access to this memory is protected by the same lock: orig_node->ogm_cnt_lock Before batadv_orig_node_del_if() is called this lock is acquired and batadv_slide_own_bcast_window() also attempts acquire the orig_node- >ogm_cnt_lock spinlock before writing to this chunk of memory. Do we know for certain that batadv_orig_hash_del_if() is involved or is that a guess at this point ? If you ask me the next for-loop in batadv_orig_hash_del_if() looks more suspicious than the first one. The interfaces get renumbered without any protection. Could be a regression from the orig_hash_lock removal (the comments refer to a now inexisting lock). Cheers, Marek