summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAntonio Quartulli <ordex@autistici.org>2012-06-20 14:12:56 +0200
committerAntonio Quartulli <ordex@autistici.org>2012-06-23 17:21:35 +0200
commit8b8e4bc0391f8abbcdb9e1c54415bcc0f4f5a2a0 (patch)
treebd8c2e47bb0cbc05e1ec5f79f8fd3f6410463d5b
parent5870adc68fc39d81089f1e80efdf64b97e5c37a1 (diff)
batman-adv: fix race condition in TT full-table replacement
bug introduced with cea194d90b11aff7fc289149e4c7f305fad3535a In the current TT code, when a TT_Response containing a full table is received from an originator, first the node purges all the clients for that originator in the global translation-table and then merges the newly received table. During the purging phase each client deletion is done by means of a call_rcu() invocation and at the end of this phase the global entry counter for that originator is set to 0. However the invoked rcu function decreases the global entry counter for that originator by one too and since the rcu invocation is likely to be postponed, the node will end up in first setting the counter to 0 and then decreasing it one by one for each deleted client. This bug leads to having a wrong global entry counter for the related node, say X. Then when the node with the broken counter will answer to a TT_REQUEST on behalf of node X, it will create faulty TT_RESPONSE that will generate an unrecoverable situation on the node that asked for the full table recover. The non-recoverability is given by the fact that the node with the broken counter will keep answering on behalf of X because its knowledge about X's state (ttvn + tt_crc) is correct. To solve this problem the counter is not explicitly set to 0 anymore and the counter decrement is performed right before the invocation of call_rcu(). Signed-off-by: Antonio Quartulli <ordex@autistici.org>
-rw-r--r--net/batman-adv/translation-table.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 660c40fe13ea..2ab83d7fb1f8 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -141,13 +141,14 @@ static void tt_orig_list_entry_free_rcu(struct rcu_head *rcu)
struct tt_orig_list_entry *orig_entry;
orig_entry = container_of(rcu, struct tt_orig_list_entry, rcu);
- atomic_dec(&orig_entry->orig_node->tt_size);
orig_node_free_ref(orig_entry->orig_node);
kfree(orig_entry);
}
static void tt_orig_list_entry_free_ref(struct tt_orig_list_entry *orig_entry)
{
+ /* to avoid race conditions, immediately decrease the tt counter */
+ atomic_dec(&orig_entry->orig_node->tt_size);
call_rcu(&orig_entry->rcu, tt_orig_list_entry_free_rcu);
}
@@ -910,7 +911,6 @@ void tt_global_del_orig(struct bat_priv *bat_priv,
}
spin_unlock_bh(list_lock);
}
- atomic_set(&orig_node->tt_size, 0);
orig_node->tt_initialised = false;
}