1 From: Sven Eckelmann <sven@narfation.org>
2 Date: Fri, 1 Jul 2016 15:49:43 +0200
3 Subject: [PATCH] batman-adv: Fix non-atomic bla_claim::backbone_gw access
5 The pointer batadv_bla_claim::backbone_gw can be changed at any time.
6 Therefore, access to it must be protected to ensure that two function
7 accessing the same backbone_gw are actually accessing the same. This is
8 especially important when the crc_lock is used or when the backbone_gw of a
11 Not doing so leads to invalid memory access and/or reference leaks.
13 Fixes: a9ce0dc43e2c ("batman-adv: add basic bridge loop avoidance code")
14 Fixes: b307e72d119f ("batman-adv: lock crc access in bridge loop avoidance")
15 Signed-off-by: Sven Eckelmann <sven@narfation.org>
16 Acked-by: Simon Wunderlich <sw@simonwunderlich.de>
17 Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
19 Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/e401297e3a393896e9b07bef8d6e2df203b60d43
21 net/batman-adv/bridge_loop_avoidance.c | 111 ++++++++++++++++++++++++++-------
22 net/batman-adv/types.h | 2 +
23 2 files changed, 90 insertions(+), 23 deletions(-)
25 diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
26 index 7129780..825a5cd 100644
27 --- a/net/batman-adv/bridge_loop_avoidance.c
28 +++ b/net/batman-adv/bridge_loop_avoidance.c
29 @@ -177,10 +177,21 @@ static void batadv_backbone_gw_put(struct batadv_bla_backbone_gw *backbone_gw)
30 static void batadv_claim_release(struct kref *ref)
32 struct batadv_bla_claim *claim;
33 + struct batadv_bla_backbone_gw *old_backbone_gw;
35 claim = container_of(ref, struct batadv_bla_claim, refcount);
37 - batadv_backbone_gw_put(claim->backbone_gw);
38 + spin_lock_bh(&claim->backbone_lock);
39 + old_backbone_gw = claim->backbone_gw;
40 + claim->backbone_gw = NULL;
41 + spin_unlock_bh(&claim->backbone_lock);
43 + spin_lock_bh(&old_backbone_gw->crc_lock);
44 + old_backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
45 + spin_unlock_bh(&old_backbone_gw->crc_lock);
47 + batadv_backbone_gw_put(old_backbone_gw);
49 kfree_rcu(claim, rcu);
52 @@ -677,8 +688,10 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv,
53 const u8 *mac, const unsigned short vid,
54 struct batadv_bla_backbone_gw *backbone_gw)
56 + struct batadv_bla_backbone_gw *old_backbone_gw;
57 struct batadv_bla_claim *claim;
58 struct batadv_bla_claim search_claim;
59 + bool remove_crc = false;
62 ether_addr_copy(search_claim.addr, mac);
63 @@ -692,8 +705,10 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv,
66 ether_addr_copy(claim->addr, mac);
67 + spin_lock_init(&claim->backbone_lock);
69 claim->lasttime = jiffies;
70 + kref_get(&backbone_gw->refcount);
71 claim->backbone_gw = backbone_gw;
73 kref_init(&claim->refcount);
74 @@ -721,15 +736,26 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv,
75 "bla_add_claim(): changing ownership for %pM, vid %d\n",
76 mac, BATADV_PRINT_VID(vid));
78 - spin_lock_bh(&claim->backbone_gw->crc_lock);
79 - claim->backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
80 - spin_unlock_bh(&claim->backbone_gw->crc_lock);
81 - batadv_backbone_gw_put(claim->backbone_gw);
84 - /* set (new) backbone gw */
86 + /* replace backbone_gw atomically and adjust reference counters */
87 + spin_lock_bh(&claim->backbone_lock);
88 + old_backbone_gw = claim->backbone_gw;
89 kref_get(&backbone_gw->refcount);
90 claim->backbone_gw = backbone_gw;
91 + spin_unlock_bh(&claim->backbone_lock);
94 + /* remove claim address from old backbone_gw */
95 + spin_lock_bh(&old_backbone_gw->crc_lock);
96 + old_backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
97 + spin_unlock_bh(&old_backbone_gw->crc_lock);
100 + batadv_backbone_gw_put(old_backbone_gw);
102 + /* add claim address to new backbone_gw */
103 spin_lock_bh(&backbone_gw->crc_lock);
104 backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
105 spin_unlock_bh(&backbone_gw->crc_lock);
106 @@ -740,6 +766,26 @@ claim_free_ref:
110 + * batadv_bla_claim_get_backbone_gw - Get valid reference for backbone_gw of
112 + * @claim: claim whose backbone_gw should be returned
114 + * Return: valid reference to claim::backbone_gw
116 +static struct batadv_bla_backbone_gw *
117 +batadv_bla_claim_get_backbone_gw(struct batadv_bla_claim *claim)
119 + struct batadv_bla_backbone_gw *backbone_gw;
121 + spin_lock_bh(&claim->backbone_lock);
122 + backbone_gw = claim->backbone_gw;
123 + kref_get(&backbone_gw->refcount);
124 + spin_unlock_bh(&claim->backbone_lock);
126 + return backbone_gw;
130 * batadv_bla_del_claim - delete a claim from the claim hash
131 * @bat_priv: the bat priv with all the soft interface information
132 * @mac: mac address of the claim to be removed
133 @@ -763,10 +809,6 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
134 batadv_choose_claim, claim);
135 batadv_claim_put(claim); /* reference from the hash is gone */
137 - spin_lock_bh(&claim->backbone_gw->crc_lock);
138 - claim->backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
139 - spin_unlock_bh(&claim->backbone_gw->crc_lock);
141 /* don't need the reference from hash_find() anymore */
142 batadv_claim_put(claim);
144 @@ -1219,6 +1261,7 @@ static void batadv_bla_purge_claims(struct batadv_priv *bat_priv,
145 struct batadv_hard_iface *primary_if,
148 + struct batadv_bla_backbone_gw *backbone_gw;
149 struct batadv_bla_claim *claim;
150 struct hlist_head *head;
151 struct batadv_hashtable *hash;
152 @@ -1233,14 +1276,17 @@ static void batadv_bla_purge_claims(struct batadv_priv *bat_priv,
155 hlist_for_each_entry_rcu(claim, head, hash_entry) {
156 + backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
159 - if (!batadv_compare_eth(claim->backbone_gw->orig,
161 + if (!batadv_compare_eth(backbone_gw->orig,
162 primary_if->net_dev->dev_addr))
166 if (!batadv_has_timed_out(claim->lasttime,
167 BATADV_BLA_CLAIM_TIMEOUT))
171 batadv_dbg(BATADV_DBG_BLA, bat_priv,
172 "bla_purge_claims(): %pM, vid %d, time out\n",
173 @@ -1248,8 +1294,10 @@ static void batadv_bla_purge_claims(struct batadv_priv *bat_priv,
176 batadv_handle_unclaim(bat_priv, primary_if,
177 - claim->backbone_gw->orig,
179 claim->addr, claim->vid);
181 + batadv_backbone_gw_put(backbone_gw);
185 @@ -1760,9 +1808,11 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
186 bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
187 unsigned short vid, bool is_bcast)
189 + struct batadv_bla_backbone_gw *backbone_gw;
190 struct ethhdr *ethhdr;
191 struct batadv_bla_claim search_claim, *claim = NULL;
192 struct batadv_hard_iface *primary_if;
196 ethhdr = eth_hdr(skb);
197 @@ -1797,8 +1847,12 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
200 /* if it is our own claim ... */
201 - if (batadv_compare_eth(claim->backbone_gw->orig,
202 - primary_if->net_dev->dev_addr)) {
203 + backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
204 + own_claim = batadv_compare_eth(backbone_gw->orig,
205 + primary_if->net_dev->dev_addr);
206 + batadv_backbone_gw_put(backbone_gw);
209 /* ... allow it in any case */
210 claim->lasttime = jiffies;
212 @@ -1862,7 +1916,9 @@ bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
214 struct ethhdr *ethhdr;
215 struct batadv_bla_claim search_claim, *claim = NULL;
216 + struct batadv_bla_backbone_gw *backbone_gw;
217 struct batadv_hard_iface *primary_if;
218 + bool client_roamed;
221 primary_if = batadv_primary_if_get_selected(bat_priv);
222 @@ -1892,8 +1948,12 @@ bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
225 /* check if we are responsible. */
226 - if (batadv_compare_eth(claim->backbone_gw->orig,
227 - primary_if->net_dev->dev_addr)) {
228 + backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
229 + client_roamed = batadv_compare_eth(backbone_gw->orig,
230 + primary_if->net_dev->dev_addr);
231 + batadv_backbone_gw_put(backbone_gw);
233 + if (client_roamed) {
234 /* if yes, the client has roamed and we have
237 @@ -1941,6 +2001,7 @@ int batadv_bla_claim_table_seq_print_text(struct seq_file *seq, void *offset)
238 struct net_device *net_dev = (struct net_device *)seq->private;
239 struct batadv_priv *bat_priv = netdev_priv(net_dev);
240 struct batadv_hashtable *hash = bat_priv->bla.claim_hash;
241 + struct batadv_bla_backbone_gw *backbone_gw;
242 struct batadv_bla_claim *claim;
243 struct batadv_hard_iface *primary_if;
244 struct hlist_head *head;
245 @@ -1965,17 +2026,21 @@ int batadv_bla_claim_table_seq_print_text(struct seq_file *seq, void *offset)
248 hlist_for_each_entry_rcu(claim, head, hash_entry) {
249 - is_own = batadv_compare_eth(claim->backbone_gw->orig,
250 + backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
252 + is_own = batadv_compare_eth(backbone_gw->orig,
255 - spin_lock_bh(&claim->backbone_gw->crc_lock);
256 - backbone_crc = claim->backbone_gw->crc;
257 - spin_unlock_bh(&claim->backbone_gw->crc_lock);
258 + spin_lock_bh(&backbone_gw->crc_lock);
259 + backbone_crc = backbone_gw->crc;
260 + spin_unlock_bh(&backbone_gw->crc_lock);
261 seq_printf(seq, " * %pM on %5d by %pM [%c] (%#.4x)\n",
262 claim->addr, BATADV_PRINT_VID(claim->vid),
263 - claim->backbone_gw->orig,
265 (is_own ? 'x' : ' '),
268 + batadv_backbone_gw_put(backbone_gw);
272 diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
273 index ba846b0..0051222 100644
274 --- a/net/batman-adv/types.h
275 +++ b/net/batman-adv/types.h
276 @@ -1042,6 +1042,7 @@ struct batadv_bla_backbone_gw {
277 * @addr: mac address of claimed non-mesh client
278 * @vid: vlan id this client was detected on
279 * @backbone_gw: pointer to backbone gw claiming this client
280 + * @backbone_lock: lock protecting backbone_gw pointer
281 * @lasttime: last time we heard of claim (locals only)
282 * @hash_entry: hlist node for batadv_priv_bla::claim_hash
283 * @refcount: number of contexts the object is used
284 @@ -1051,6 +1052,7 @@ struct batadv_bla_claim {
287 struct batadv_bla_backbone_gw *backbone_gw;
288 + spinlock_t backbone_lock; /* protects backbone_gw */
289 unsigned long lasttime;
290 struct hlist_node hash_entry;
projects / feed / routing.git / blob