[2/2] batman-adv: prevent potential hlist double deletion

Message ID 1434904223-10227-2-git-send-email-mareklindner@neomailbox.ch (mailing list archive)
State Accepted, archived
Commit 4729a33528e05ea858d8337769584cb49961fc0e

Commit Message

Marek Lindner June 21, 2015, 4:30 p.m. UTC
The hlist_del_rcu() call in batadv_tt_global_size_mod() does not check
if the element still is part of the list prior to deletion. The atomic
list counter should prevent the worst but converting to
hlist_del_init_rcu() ensures the element can't be deleted more than
once.

Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
---
 net/batman-adv/translation-table.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
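
The difference the commit message relies on, as an added userspace illustration that is not part of the patch or of the batman-adv code: del_rcu() and del_init_rcu() model hlist_del_rcu() and hlist_del_init_rcu(), and the names hnode, POISON2, unlink_node and double_delete are made up for this example. The model returns -1 at the point where the real hlist_del_rcu() would write through the poisoned pprev pointer.

```c
#include <stdio.h>
/* Userspace model of the kernel hlist node; illustrative, not kernel code. */
struct hnode { struct hnode *next, **pprev; };
#define POISON2 ((struct hnode **)0x122) /* stand-in for LIST_POISON2 */

static void unlink_node(struct hnode *n)
{
	*n->pprev = n->next;
	if (n->next)
		n->next->pprev = n->pprev;
}

/* hlist_del_rcu() model; -1 marks where the kernel would write via the poison. */
static int del_rcu(struct hnode *n)
{
	if (n->pprev == POISON2)
		return -1;
	unlink_node(n);
	n->pprev = POISON2;
	return 0;
}

/* hlist_del_init_rcu() model: unlinks only if still hashed, then clears pprev. */
static int del_init_rcu(struct hnode *n)
{
	if (n->pprev)
		unlink_node(n);
	n->pprev = NULL;
	return 0;
}

/* Deletes b from first -> a -> b -> c twice; returns the second call's result. */
static int double_delete(int (*del)(struct hnode *), int *len)
{
	struct hnode a, b, c, *first = &a, *p;
	a = (struct hnode){ &b, &first };
	b = (struct hnode){ &c, &a.next };
	c = (struct hnode){ NULL, &b.next };
	del(&b);
	int rc = del(&b);
	for (*len = 0, p = first; p; p = p->next)
		(*len)++;
	return rc;
}

int main(void)
{
	int n, r1 = double_delete(del_rcu, &n), r2 = double_delete(del_init_rcu, &n);
	return printf("repeat delete: del_rcu=%d del_init_rcu=%d len=%d\n", r1, r2, n) < 0;
}
```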
  

Comments

Antonio Quartulli June 22, 2015, 4:44 p.m. UTC | #1
On 21/06/15 18:30, Marek Lindner wrote:
> The hlist_del_rcu() call in batadv_tt_global_size_mod() does not check
> if the element still is part of the list prior to deletion. The atomic
> list counter should prevent the worst but converting to
> hlist_del_init_rcu() ensures the element can't be deleted more than
> once.
> 
> Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>

Acked-by: Antonio Quartulli <antonio@meshcoding.com>

However, as discussed offline after Sven's suggestion in ticket #217,
the entire if-loop still needs to be protected with the vlan_list_lock
and not just its body.

Cheers,

> ---
>  net/batman-adv/translation-table.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
> index ca0bcac..e29c9e1 100644
> --- a/net/batman-adv/translation-table.c
> +++ b/net/batman-adv/translation-table.c
> @@ -315,7 +315,7 @@ static void batadv_tt_global_size_mod(struct batadv_orig_node *orig_node,
>  
>  	if (atomic_add_return(v, &vlan->tt.num_entries) == 0) {
>  		spin_lock_bh(&orig_node->vlan_list_lock);
> -		hlist_del_rcu(&vlan->list);
> +		hlist_del_init_rcu(&vlan->list);
>  		spin_unlock_bh(&orig_node->vlan_list_lock);
>  		batadv_orig_node_vlan_free_ref(vlan);
>  	}
>
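
Review bot: The zero test in the first context line, atomic_add_return(v, &vlan->tt.num_entries) == 0, still runs before spin_lock_bh(&orig_node->vlan_list_lock) is taken, so the decision to unlink and the unlink itself are not one step with respect to other holders of vlan_list_lock. Consider taking the lock before the if and releasing it after the body, so the counter update and the list removal are serialized together.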
  
Marek Lindner June 28, 2015, 2:11 p.m. UTC | #2
On Monday, June 22, 2015 18:44:20 Antonio Quartulli wrote:
> On 21/06/15 18:30, Marek Lindner wrote:
> > The hlist_del_rcu() call in batadv_tt_global_size_mod() does not check
> > if the element still is part of the list prior to deletion. The atomic
> > list counter should prevent the worst but converting to
> > hlist_del_init_rcu() ensures the element can't be deleted more than
> > once.
> >
> > Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
> 
> Acked-by: Antonio Quartulli <antonio@meshcoding.com>

Applied in revision 4729a33.

 
> However, as discussed offline after Sven's suggestion in ticket #217,
> the entire if-loop still needs to be protected with the vlan_list_lock
> and not just its body.

I'll take care of that in a separate patch.

Regards,
Marek
  

Patch

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index ca0bcac..e29c9e1 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -315,7 +315,7 @@  static void batadv_tt_global_size_mod(struct batadv_orig_node *orig_node,
 
 	if (atomic_add_return(v, &vlan->tt.num_entries) == 0) {
 		spin_lock_bh(&orig_node->vlan_list_lock);
-		hlist_del_rcu(&vlan->list);
+		hlist_del_init_rcu(&vlan->list);
 		spin_unlock_bh(&orig_node->vlan_list_lock);
 		batadv_orig_node_vlan_free_ref(vlan);
 	}
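
Review bot: batadv_orig_node_vlan_free_ref(vlan) after the unlock still runs on every pass through this branch, so if the branch is entered twice for the same vlan, hlist_del_init_rcu() skips the second unlink but the reference is dropped a second time anyway. Consider dropping the reference only when the node was actually unlinked, for example by testing hlist_unhashed(&vlan->list) under the lock before deleting, and state in the commit message which path can reach this branch more than once.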