mirror of
https://github.com/torvalds/linux
synced 2024-10-18 01:08:35 +00:00
9c4604a298
The tt_req_node is added and removed from a list inside a spinlock. But the
locking is sometimes removed even when the object is still referenced and
will be used later via this reference. For example batadv_send_tt_request
can create a new tt_req_node (including add to a list) and later
re-acquires the lock to remove it from the list and to free it. But at this
time another context could have already removed this tt_req_node from the
list and freed it.
CPU#0
batadv_batman_skb_recv from net_device 0
-> batadv_iv_ogm_receive
-> batadv_iv_ogm_process
-> batadv_iv_ogm_process_per_outif
-> batadv_tvlv_ogm_receive
-> batadv_tvlv_ogm_receive
-> batadv_tvlv_containers_process
-> batadv_tvlv_call_handler
-> batadv_tt_tvlv_ogm_handler_v1
-> batadv_tt_update_orig
-> batadv_send_tt_request
-> batadv_tt_req_node_new
spin_lock(...)
allocates new tt_req_node and adds it to list
spin_unlock(...)
return tt_req_node
CPU#1
batadv_batman_skb_recv from net_device 1
-> batadv_recv_unicast_tvlv
-> batadv_tvlv_containers_process
-> batadv_tvlv_call_handler
-> batadv_tt_tvlv_unicast_handler_v1
-> batadv_handle_tt_response
spin_lock(...)
tt_req_node gets removed from list and is freed
spin_unlock(...)
CPU#0
<- returned to batadv_send_tt_request
spin_lock(...)
tt_req_node gets removed from list and is freed
MEMORY CORRUPTION/SEGFAULT/...
spin_unlock(...)
This can only be solved via reference counting to allow multiple contexts
to handle the list manipulation while making sure that only the last
context holding a reference will free the object.
Fixes:
|
||
|---|---|---|
| .. | ||
| bat_algo.h | ||
| bat_iv_ogm.c | ||
| bat_v.c | ||
| bat_v_elp.c | ||
| bat_v_elp.h | ||
| bat_v_ogm.c | ||
| bat_v_ogm.h | ||
| bitarray.c | ||
| bitarray.h | ||
| bridge_loop_avoidance.c | ||
| bridge_loop_avoidance.h | ||
| debugfs.c | ||
| debugfs.h | ||
| distributed-arp-table.c | ||
| distributed-arp-table.h | ||
| fragmentation.c | ||
| fragmentation.h | ||
| gateway_client.c | ||
| gateway_client.h | ||
| gateway_common.c | ||
| gateway_common.h | ||
| hard-interface.c | ||
| hard-interface.h | ||
| hash.c | ||
| hash.h | ||
| icmp_socket.c | ||
| icmp_socket.h | ||
| Kconfig | ||
| main.c | ||
| main.h | ||
| Makefile | ||
| multicast.c | ||
| multicast.h | ||
| network-coding.c | ||
| network-coding.h | ||
| originator.c | ||
| originator.h | ||
| packet.h | ||
| routing.c | ||
| routing.h | ||
| send.c | ||
| send.h | ||
| soft-interface.c | ||
| soft-interface.h | ||
| sysfs.c | ||
| sysfs.h | ||
| translation-table.c | ||
| translation-table.h | ||
| types.h | ||