From patchwork Sun Mar 17 04:44:58 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Linus_L=C3=BCssing?= X-Patchwork-Id: 2793 Return-Path: Received: from mout.web.de (mout.web.de [212.227.17.11]) by open-mesh.org (Postfix) with ESMTP id 73F53601E66 for ; Sun, 17 Mar 2013 05:45:09 +0100 (CET) Received: from localhost ([95.211.13.35]) by smtp.web.de (mrweb102) with ESMTPSA (Nemesis) id 0Lal2C-1V1Rqm2vv6-00kaaf; Sun, 17 Mar 2013 05:45:08 +0100 From: =?UTF-8?q?Linus=20L=C3=BCssing?= To: b.a.t.m.a.n@lists.open-mesh.org Date: Sun, 17 Mar 2013 05:44:58 +0100 Message-Id: <1363495498-17830-2-git-send-email-linus.luessing@web.de> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1363495498-17830-1-git-send-email-linus.luessing@web.de> References: <1363495498-17830-1-git-send-email-linus.luessing@web.de> MIME-Version: 1.0 X-Provags-ID: V02:K0:vV0CaHV3pOw0RTO2g8AWxt09sDWB67GejLKLkreUT1r +h+YXn/AxwcBsH564N8Z5BDh3SQKV8IiUGPCZWEu18zYFdnlyC GuN0/2+cIf/CiBbK1qlq9C6AplAH6hRwp/+iU58FV4z6riqaMM g+7sqo17q69HRFQJxSYAVi84pA5enDcigAYBfCSL4BVyYYaBLu dqNmlhwyxqHTo9jf/5DrA== Subject: [B.A.T.M.A.N.] [PATCH 2/2] batman-adv: Fix general protection fault in batadv_tt_global_del_orig() X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking List-Id: The list for a Better Approach To Mobile Ad-hoc Networking List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 Mar 2013 04:45:09 -0000 On shutdown a race condition where we access a just freed global TT hash might occure. batadv_orig_node_free_rcu() callbacks might have been scheduled (especially during the shutdown procedure) and unfortunately batadv_tt_global_table_free() does not wait for them to finish first before freeing the global TT hash. This potentially results in a general protection fault in batadv_tt_global_del_orig(), called via a batadv_orig_node_free_rcu() callback, which tries to access the just freed global TT hash. This patch tries to fix this by waiting for any just scheduled batadv_orig_node_free_rcu() to finish via an extra rcu_barrier() call before freeing the global TT hash. And by moving the TT freeing call to the end of the batman cleanup routines. Signed-off-by: Linus Lüssing Acked-by: Antonio Quartulli diff --git a/main.c b/main.c index 62b1f89..8663d97 100644 --- a/main.c +++ b/main.c @@ -166,12 +166,13 @@ void batadv_mesh_free(struct net_device *soft_iface) batadv_originator_free(bat_priv); batadv_nc_free(bat_priv); - batadv_tt_free(bat_priv); - batadv_bla_free(bat_priv); batadv_dat_free(bat_priv); + /* Don't call any batadv_orig_node_free_ref() after me */ + batadv_tt_free(bat_priv); + free_percpu(bat_priv->bat_counters); atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE); diff --git a/translation-table.c b/translation-table.c index ee91cc1..279f0fd 100644 --- a/translation-table.c +++ b/translation-table.c @@ -1315,6 +1315,10 @@ static void batadv_tt_global_table_free(struct batadv_priv *bat_priv) spin_unlock_bh(list_lock); } + /* Wait for any batadv_orig_node_free_rcu() to finish, + * they access the to be freed global TT hash */ + rcu_barrier(); + batadv_hash_destroy(hash); bat_priv->tt.global_hash = NULL;