• Linus Lüssing's avatar
    batman-adv: Fix potential synchronization issues in mcast tvlv handler · e1de5802
    Linus Lüssing authored
    commit 8a4023c5 upstream.
    
    So far the mcast tvlv handler did not anticipate the processing of
    multiple incoming OGMs from the same originator at the same time. This
    can lead to various issues:
    
    * Broken refcounting: For instance two mcast handlers might both assume
      that an originator just got multicast capabilities and will together
      wrongly decrease mcast.num_disabled by two, potentially leading to
      an integer underflow.
    
    * Potential kernel panic on hlist_del_rcu(): Two mcast handlers might
      one after another try to do an
      hlist_del_rcu(&orig->mcast_want_all_*_node). The second one will
      cause memory corruption / crashes.
      (Reported by: Sven Eckelmann <sven@narfation.org>)
    
    Right in the beginning the code path makes assumptions about the current
    multicast related state of an originator and bases all updates on that. The
    easiest and least error prune way to fix the issues in this case is to
    serialize multiple mcast handler invocations with a spinlock.
    
    Fixes: 60432d75 ("batman-adv: Announce new capability via multicast TVLV")
    Signed-off-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
    Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
    Signed-off-by: default avatarAntonio Quartulli <antonio@meshcoding.com>
    [ luis: backported to 3.16: adjusted context ]
    Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
    e1de5802
originator.c 32.5 KB