On Tuesday, June 16, 2015 17:10:26 Linus Lüssing wrote: > So far the mcast tvlv handler did not anticipate the processing of > multiple incoming OGMs from the same originator at the same time. This > can lead to various issues: > > * Broken refcounting: For instance two mcast handlers might both assume > that an originator just got multicast capabilities and will together > wrongly decrease mcast.num_disabled by two, potentially leading to > an integer underflow. > > * Potential kernel panic on hlist_del_rcu(): Two mcast handlers might > one after another try to do an > hlist_del_rcu(&orig->mcast_want_all_*_node). The second one will > cause memory corruption / crashes. > (Reported by: Sven Eckelmann <[email protected]>) > > Right in the beginning the code path makes assumptions about the current > multicast related state of an originator and bases all updates on that. The > easiest and least error prune way to fix the issues in this case is to > serialize multiple mcast handler invocations with a spinlock. > > Fixes: 77ec494490d6 ("batman-adv: Announce new capability via multicast > TVLV") Signed-off-by: Linus Lüssing <[email protected]> > --- > multicast.c | 62 > ++++++++++++++++++++++++++++++++++++++++++++++------------ originator.c > | 4 ++++ > types.h | 3 +++ > 3 files changed, 56 insertions(+), 13 deletions(-)
Applied in revision 7f220ed. Thanks, Marek
signature.asc
Description: This is a digitally signed message part.
