1. 04 7月, 2016 1 次提交
  2. 30 6月, 2016 5 次提交
  3. 29 6月, 2016 3 次提交
    • B
      batman-adv: Fix double-put of vlan object · baceced9
      Ben Hutchings 提交于
      Each batadv_tt_local_entry hold a single reference to a
      batadv_softif_vlan.  In case a new entry cannot be added to the hash
      table, the error path puts the reference, but the reference will also
      now be dropped by batadv_tt_local_entry_release().
      
      Fixes: a33d970d ("batman-adv: Fix reference counting of vlan object for tt_local_entry")
      Signed-off-by: NBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      baceced9
    • S
      batman-adv: Fix use-after-free/double-free of tt_req_node · 9c4604a2
      Sven Eckelmann 提交于
      The tt_req_node is added and removed from a list inside a spinlock. But the
      locking is sometimes removed even when the object is still referenced and
      will be used later via this reference. For example batadv_send_tt_request
      can create a new tt_req_node (including add to a list) and later
      re-acquires the lock to remove it from the list and to free it. But at this
      time another context could have already removed this tt_req_node from the
      list and freed it.
      
      CPU#0
      
          batadv_batman_skb_recv from net_device 0
          -> batadv_iv_ogm_receive
            -> batadv_iv_ogm_process
              -> batadv_iv_ogm_process_per_outif
                -> batadv_tvlv_ogm_receive
                  -> batadv_tvlv_ogm_receive
                    -> batadv_tvlv_containers_process
                      -> batadv_tvlv_call_handler
                        -> batadv_tt_tvlv_ogm_handler_v1
                          -> batadv_tt_update_orig
                            -> batadv_send_tt_request
                              -> batadv_tt_req_node_new
                                 spin_lock(...)
                                 allocates new tt_req_node and adds it to list
                                 spin_unlock(...)
                                 return tt_req_node
      
      CPU#1
      
          batadv_batman_skb_recv from net_device 1
          -> batadv_recv_unicast_tvlv
            -> batadv_tvlv_containers_process
              -> batadv_tvlv_call_handler
                -> batadv_tt_tvlv_unicast_handler_v1
                  -> batadv_handle_tt_response
                     spin_lock(...)
                     tt_req_node gets removed from list and is freed
                     spin_unlock(...)
      
      CPU#0
      
                            <- returned to batadv_send_tt_request
                               spin_lock(...)
                               tt_req_node gets removed from list and is freed
                               MEMORY CORRUPTION/SEGFAULT/...
                               spin_unlock(...)
      
      This can only be solved via reference counting to allow multiple contexts
      to handle the list manipulation while making sure that only the last
      context holding a reference will free the object.
      
      Fixes: a73105b8 ("batman-adv: improved client announcement mechanism")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Tested-by: NMartin Weinelt <martin@darmstadt.freifunk.net>
      Tested-by: NAmadeus Alfa <amadeus@chemnitz.freifunk.net>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9c4604a2
    • S
      batman-adv: replace WARN with rate limited output on non-existing VLAN · 0b3dd7df
      Simon Wunderlich 提交于
      If a VLAN tagged frame is received and the corresponding VLAN is not
      configured on the soft interface, it will splat a WARN on every packet
      received. This is a quite annoying behaviour for some scenarios, e.g. if
      bat0 is bridged with eth0, and there are arbitrary VLAN tagged frames
      from Ethernet coming in without having any VLAN configuration on bat0.
      
      The code should probably create vlan objects on the fly and
      transparently transport these VLAN-tagged Ethernet frames, but until
      this is done, at least the WARN splat should be replaced by a rate
      limited output.
      
      Fixes: 354136bc ("batman-adv: fix kernel crash due to missing NULL checks")
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0b3dd7df
  4. 10 5月, 2016 2 次提交
  5. 04 5月, 2016 2 次提交
  6. 29 4月, 2016 1 次提交
    • S
      batman-adv: Fix reference counting of vlan object for tt_local_entry · a33d970d
      Sven Eckelmann 提交于
      The batadv_tt_local_entry was specific to a batadv_softif_vlan and held an
      implicit reference to it. But this reference was never stored in form of a
      pointer in the tt_local_entry itself. Instead batadv_tt_local_remove,
      batadv_tt_local_table_free and batadv_tt_local_purge_pending_clients depend
      on a consistent state of bat_priv->softif_vlan_list and that
      batadv_softif_vlan_get always returns the batadv_softif_vlan object which
      it has a reference for. But batadv_softif_vlan_get cannot guarantee that
      because it is working only with rcu_read_lock on this list. It can
      therefore happen that an vid is in this list twice or that
      batadv_softif_vlan_get cannot find the batadv_softif_vlan for an vid due to
      some other list operations taking place at the same time.
      
      Instead add a batadv_softif_vlan pointer directly in batadv_tt_local_entry
      which will be used for the reference counter decremented on release of
      batadv_tt_local_entry.
      
      Fixes: 35df3b29 ("batman-adv: fix TT VLAN inconsistency on VLAN re-add")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Acked-by: NAntonio Quartulli <a@unstable.cc>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NAntonio Quartulli <a@unstable.cc>
      a33d970d
  7. 23 2月, 2016 8 次提交
  8. 16 2月, 2016 1 次提交
    • S
      batman-adv: Only put orig_node_vlan list reference when removed · 3db15209
      Sven Eckelmann 提交于
      The batadv_orig_node_vlan reference counter in batadv_tt_global_size_mod
      can only be reduced when the list entry was actually removed. Otherwise the
      reference counter may reach zero when batadv_tt_global_size_mod is called
      from two different contexts for the same orig_node_vlan but only one
      context is actually removing the entry from the list.
      
      The release function for this orig_node_vlan is not called inside the
      vlan_list_lock spinlock protected region because the function
      batadv_tt_global_size_mod still holds a orig_node_vlan reference for the
      object pointer on the stack. Thus the actual release function (when
      required) will be called only at the end of the function.
      
      Fixes: 7ea7b4a1 ("batman-adv: make the TT CRC logic VLAN specific")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NAntonio Quartulli <a@unstable.cc>
      3db15209
  9. 10 2月, 2016 3 次提交
  10. 02 2月, 2016 5 次提交
  11. 16 1月, 2016 1 次提交
    • S
      batman-adv: Drop immediate orig_node free function · 42eff6a6
      Sven Eckelmann 提交于
      It is not allowed to free the memory of an object which is part of a list
      which is protected by rcu-read-side-critical sections without making sure
      that no other context is accessing the object anymore. This usually happens
      by removing the references to this object and then waiting until the rcu
      grace period is over and no one (allowedly) accesses it anymore.
      
      But the _now functions ignore this completely. They free the object
      directly even when a different context still tries to access it. This has
      to be avoided and thus these functions must be removed and all functions
      have to use batadv_orig_node_free_ref.
      
      Fixes: 72822225 ("batman-adv: Fix rcu_barrier() miss due to double call_rcu() in TT code")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NAntonio Quartulli <a@unstable.cc>
      42eff6a6
  12. 09 1月, 2016 2 次提交
  13. 16 12月, 2015 2 次提交
  14. 07 12月, 2015 2 次提交
  15. 25 8月, 2015 2 次提交