From: Marek Lindner <mareklindner@neomailbox.ch>
To: b.a.t.m.a.n@lists.open-mesh.org
Subject: Re: [B.A.T.M.A.N.] [PATCH maint 2/2] batman-adv: Fix potential synchronization issues in mcast tvlv handler
Date: Tue, 16 Jun 2015 15:07:48 +0800
Message-ID: <4847167.bn6DxWQpdi@voltaire>
In-Reply-To: <1434349345-12854-3-git-send-email-linus.luessing@c0d3.blue>

On Monday, June 15, 2015 08:22:25 Linus Lüssing wrote:
> So far the mcast tvlv handler did not anticipate the processing of
> multiple incoming OGMs from the same originator at the same time. This
> can lead to various issues:
> 
> * Broken refcounting: For instance two mcast handlers might both assume
>   that an originator just got multicast capabilities and will together
>   wrongly decrease mcast.num_disabled by two, potentially leading to
>   an integer underflow.
> 
> * Potential kernel panic on hlist_del_rcu(): Two mcast handlers might
>   one after another try to do an
>   hlist_del_rcu(&orig->mcast_want_all_*_node). The second one will
>   cause memory corruption / crashes.
>   (Reported by: Sven Eckelmann <sven@narfation.org>)

As far as I can tell from looking at the code your patch does not address the 
issue raised by Sven.

The first problem is that the mcast code calls hlist_del_rcu() without 
verifying whether or not the element is still in the list. Adding a spinlock 
is not going to change that. You can still have a purge event going on while 
we just receive a new OGM because the purge caller does not need to hold the 
newly added lock.

Cheers,
Marek
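
The first problem named in the reply above, as an added example that is not part of the original message or of the batman-adv code: a single-threaded userspace model of an hlist in which two removal paths hit the same node one after another, with and without a membership test before the unlink. The names hnode, hhead, hadd_head, hdel, hlen and entries_after_double_removal are hypothetical; in concurrent code the test and the unlink would also have to run under a lock that every removal path takes, which this model does not cover.

```c
#include <stdbool.h>
#include <stddef.h>
/* Userspace model of the kernel's hlist (constructed for this example). */
struct hnode { struct hnode *next, **pprev; };
struct hhead { struct hnode *first; };

static void hadd_head(struct hnode *n, struct hhead *h)
{
	n->next = h->first;
	if (h->first)
		h->first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

/* check=false: unlink blindly. hlist_del_rcu() then poisons pprev, so a repeat
 * faults in the kernel; the model leaves pprev stale so the damage is visible.
 * check=true: skip unhashed nodes and mark removed ones unhashed. */
static bool hdel(struct hnode *n, bool check)
{
	if (check && !n->pprev)
		return false;		/* already removed by another path */
	*n->pprev = n->next;
	if (n->next)
		n->next->pprev = n->pprev;
	if (check)
		n->pprev = NULL;	/* same marker hlist_del_init_rcu() leaves */
	return true;
}

static int hlen(const struct hhead *h)
{
	int len = 0;
	for (const struct hnode *n = h->first; n; n = n->next)
		len++;
	return len;
}

/* Two removal paths hit node a one after another; c is added in between. */
int entries_after_double_removal(bool check)
{
	struct hhead head = { NULL };
	struct hnode a = { NULL, NULL }, b = { NULL, NULL }, c = { NULL, NULL };
	hadd_head(&b, &head);
	hadd_head(&a, &head);	/* list: a -> b */
	hdel(&a, check);	/* first path removes a */
	hadd_head(&c, &head);	/* list: c -> b */
	hdel(&a, check);	/* second path tries to remove a again */
	return hlen(&head);	/* b and c should both remain */
}
```

Without the test, the second unlink writes through the stale pprev of the removed node and drops the unrelated entry c from the list; with it, the second call is a no-op.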
