From: Sven Eckelmann <sven@narfation.org>
To: "Linus Lüssing" <linus.luessing@c0d3.blue>
Cc: b.a.t.m.a.n@lists.open-mesh.org
Subject: Re: [PATCH RFC batadv] batman-adv: mcast: fix use-after-free in orig_node RCU release
Date: Sun, 17 May 2026 20:08:27 +0200
Message-ID: <3412939.aeNJFYEL58@sven-l14>
In-Reply-To: <agoBLITjEyVPScvd@sellars>

On Sunday, 17 May 2026 19:55:56 CEST Linus Lüssing wrote:
[...]
> Maybe this might make more sense as a fixes line then, though?
> 
> Fixes: 500ea14940f8 ("batman-adv: Add multicast-to-unicast support for multiple targets")
> 
> 
> I think before that commit we only used these atomic counters in
> fast path?

I don't really care about the fast path. I care about things which could be
called in parallel and are only RCU protected. For example in 1c090349e2f6,
we have the reader:

static struct batadv_orig_node *
batadv_mcast_forw_unsnoop_node_get(struct batadv_priv *bat_priv)
{
	struct batadv_orig_node *orig_node;

	rcu_read_lock();
	hlist_for_each_entry_rcu(orig_node,
				 &bat_priv->mcast.want_all_unsnoopables_list,
				 mcast_want_all_unsnoopables_node) {
		if (atomic_inc_not_zero(&orig_node->refcount))
			goto unlock;
	}

	orig_node = NULL;

unlock:
	rcu_read_unlock();
	return orig_node;
}


And here is the cleanup code in 1c090349e2f6:

static void batadv_mcast_want_unsnoop_update(struct batadv_priv *bat_priv,
					     struct batadv_orig_node *orig,
					     uint8_t mcast_flags)
{
[...]
		hlist_add_head_rcu(&orig->mcast_want_all_unsnoopables_node,
				   &bat_priv->mcast.want_all_unsnoopables_list);
[...]
		hlist_del_rcu(&orig->mcast_want_all_unsnoopables_node);
[...]
}

/**
 * batadv_mcast_purge_orig - reset originator global mcast state modifications
 * @orig: the originator which is going to get purged
 */
void batadv_mcast_purge_orig(struct batadv_orig_node *orig)
{
[...]
	batadv_mcast_want_unsnoop_update(bat_priv, orig, BATADV_NO_FLAGS);
}


Regards,
	Sven
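
Added example, not part of the original message and not batman-adv code: a userspace C11 model of the reader quoted above, showing that a list walk built on inc-not-zero skips an entry whose last reference is already gone while it is still linked. The names `struct node`, `inc_not_zero`, `node_put` and `first_live_node` are hypothetical, and the single-threaded model does not simulate RCU grace periods.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed userspace model: a list entry with a reference counter. */
struct node {
	atomic_int refcount;
	struct node *next;
};

/* Same contract as the kernel's atomic_inc_not_zero(): take a reference
 * only if the counter has not already dropped to zero. */
static bool inc_not_zero(atomic_int *v)
{
	int old = atomic_load(v);

	while (old != 0) {
		/* on failure, old is refreshed with the current value */
		if (atomic_compare_exchange_weak(v, &old, old + 1))
			return true;
	}
	return false;
}

/* Drop a reference; true means this was the last one, so the node may be
 * freed only once no reader can still reach it (kernel: RCU grace period). */
static bool node_put(struct node *n)
{
	return atomic_fetch_sub(&n->refcount, 1) == 1;
}

/* Reader side, shaped like batadv_mcast_forw_unsnoop_node_get(): return
 * the first entry whose refcount could still be raised, else NULL. */
static struct node *first_live_node(struct node *head)
{
	for (struct node *n = head; n; n = n->next)
		if (inc_not_zero(&n->refcount))
			return n;
	return NULL;
}

int main(void)
{
	struct node b = { .refcount = 1, .next = NULL };
	struct node a = { .refcount = 1, .next = &b };

	node_put(&a);	/* last reference gone, but a is still linked */
	return first_live_node(&a) == &b ? 0 : 1;
}
```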
