Message ID | 1462566429-26709-1-git-send-email-sven@narfation.org (mailing list archive) |
---|---|
State | Accepted, archived |
Commit | fc3e79d9ef2a1006f94e441d9613749cbbe7176a |
Delegated to: | Marek Lindner |
Subject | [PATCH maint] batman-adv: Fix double neigh_node_put in batadv_v_ogm_route_update |
Commit Message
Sven Eckelmann
May 6, 2016, 8:27 p.m. UTC
The router is put down twice when it was non-NULL and either orig_ifinfo is
NULL afterwards or batman-adv receives a packet with the same sequence
number. This will end up in a use-after-free when the batadv_neigh_node is
removed because the reference counter ended up too early at 0.
Fixes: 667996ebeab4 ("batman-adv: OGMv2 - implement originators logic")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
It looks like this bug was solved in next/master by refactoring in
30c96bc7870f ("batman-adv: move and restructure batadv_v_ogm_forward")
only compile tested. Please add as many reported by as you want -
just don't know if it is *the* bug and who actually reported it.
---
net/batman-adv/bat_v_ogm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
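The double put described in the commit message, as a small user-space model added here (not code from the patch or from batman-adv). `struct node`, `node_get`, `node_put` and `simulate` are hypothetical names, and the cleanup put at the `out` label is an assumption about the function's exit path.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a refcounted object such as batadv_neigh_node. */
struct node {
    int refcount;
    bool freed;   /* set once the count reaches 0 */
    int bad_puts; /* puts issued on an already freed object */
};

static struct node *node_get(struct node *n) { n->refcount++; return n; }

static void node_put(struct node *n)
{
    if (n->freed)               /* in the kernel: access to freed memory */
        n->bad_puts++;
    else if (--n->refcount == 0)
        n->freed = true;
}

/* early_exit: the "orig_ifinfo is NULL" / "same sequence number" paths.
 * clear_ptr: patched behaviour (router = NULL after the put).
 * Returns how many puts hit the object after it was freed. */
static int simulate(bool early_exit, bool clear_ptr)
{
    struct node n = { .refcount = 1 };  /* reference held by the owner */
    struct node *router = node_get(&n); /* lookup reference, count 2 */

    if (router) {
        node_put(router);               /* lookup reference dropped, count 1 */
        if (clear_ptr)
            router = NULL;
    }
    if (early_exit)
        goto out;
    router = node_get(&n);              /* normal path: fresh reference */
out:
    if (router)
        node_put(router);               /* assumed shared cleanup at the exit */
    node_put(&n);                       /* owner removes the node later */
    return n.bad_puts;
}

int main(void)
{
    printf("unpatched, early exit: %d\n", simulate(true, false));
    printf("patched, early exit:   %d\n", simulate(true, true));
    return 0;
}
```

Only the unpatched early-exit path drives the count to 0 while the owner still holds a pointer, so the owner's later put lands on a freed object.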
Comments
On Fri, May 06, 2016 at 10:27:09PM +0200, Sven Eckelmann wrote:
> The router is put down twice when it was non-NULL and either orig_ifinfo is
> NULL afterwards or batman-adv receives a packet with the same sequence
> number. This will end up in a use-after-free when the batadv_neigh_node is
> removed because the reference counter ended up too early at 0.
>
> Fixes: 667996ebeab4 ("batman-adv: OGMv2 - implement originators logic")
> Signed-off-by: Sven Eckelmann <sven@narfation.org>

Tested-by: Antonio Quartulli <a@unstable.cc>

it fixes the crash reported in "Kernel panic by BATMAN_V @WBMv9" for me.

@Marek: can you also test this patch in your environment to see if you still see the crash?

Cheers,
On Friday, May 06, 2016 22:27:09 Sven Eckelmann wrote:
> The router is put down twice when it was non-NULL and either orig_ifinfo is
> NULL afterwards or batman-adv receives a packet with the same sequence
> number. This will end up in a use-after-free when the batadv_neigh_node is
> removed because the reference counter ended up too early at 0.
>
> Fixes: 667996ebeab4 ("batman-adv: OGMv2 - implement originators logic")
> Signed-off-by: Sven Eckelmann <sven@narfation.org>
> ---
> It looks like this bug was solved in next/master by refactoring in
> 30c96bc7870f ("batman-adv: move and restructure batadv_v_ogm_forward")
>
> only compile tested. Please add as many reported by as you want -
> just don't know if it is *the* bug and who actually reported it.
> ---
> net/batman-adv/bat_v_ogm.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)

Applied in revision fc3e79d.

Thanks,
Marek
Hello,

I just got openwrt 15.05.1 with batman-adv 2016.1 on 3 picostation HP,
this time I selected before the build of openwrt batman V option, I can
see it when it asks for available routing algo,

root@OpenWrt:/etc/init.d# cat /sys/kernel/debug/batman_adv/routing_algos
Available routing algorithms:
* BATMAN_IV
* BATMAN_V

but when I do:

echo BATMAN_V > /sys/module/batman_adv/parameters/routing_algo

It does nothing, still on BATMAN_IV during session and on reboot?

Best Regards,
Laurent
On Saturday 07 May 2016 14:29:17 contact wrote:
> I just got openwrt 15.05.1 with batman-adv 2016.1 on 3 picostation HP,
> this time I selected before the build of openwrt batman V option, I can
> see it when it asks for available routing algo,
>
> root@OpenWrt:/etc/init.d# cat /sys/kernel/debug/batman_adv/routing_algos
> Available routing algorithms:
> * BATMAN_IV
> * BATMAN_V
>
> but when I do:
>
> echo BATMAN_V > /sys/module/batman_adv/parameters/routing_algo
>
> It does nothing, still on BATMAN_IV during session and on reboot?

Please don't hijack other (unrelated) threads,

Kind regards,
Sven
diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c index d9bcbe6..91df28a 100644 --- a/net/batman-adv/bat_v_ogm.c +++ b/net/batman-adv/bat_v_ogm.c @@ -529,8 +529,10 @@ static void batadv_v_ogm_route_update(struct batadv_priv *bat_priv, goto out; } - if (router) + if (router) { batadv_neigh_node_put(router); + router = NULL; + } /* Update routes, and check if the OGM is from the best next hop */ batadv_v_ogm_orig_update(bat_priv, orig_node, neigh_node, ogm2,
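Review bot: The added `router = NULL;` after `batadv_neigh_node_put(router);` has no comment saying why the pointer is cleared, and the reason cannot be read from this hunk: the assignment only matters if a later path puts `router` again, which the `goto out` just above suggests happens at a shared exit label. A one-line comment stating that the reference has been dropped and the pointer must not be put again would keep a later cleanup from removing the assignment as dead code. Since the commit message says the change was only compile tested, it is also worth confirming that every later use of `router` in batadv_v_ogm_route_update either reassigns it or tolerates NULL.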