10 Jun
2015
10 Jun
'15
8:52 a.m.
On Saturday 15 February 2014 17:47:53 Linus Lüssing wrote:
+static void batadv_mcast_want_unsnoop_update(struct
batadv_priv *bat_priv,
+ struct batadv_orig_node *orig,
+ uint8_t mcast_flags)
+{
+ /* switched from flag unset to set */
+ if (mcast_flags & BATADV_MCAST_WANT_ALL_UNSNOOPABLES &&
+ !(orig->mcast_flags & BATADV_MCAST_WANT_ALL_UNSNOOPABLES)) {
+ atomic_inc(&bat_priv->mcast.num_want_all_unsnoopables);
+
+ spin_lock_bh(&bat_priv->mcast.want_lists_lock);
+ hlist_add_head_rcu(&orig->mcast_want_all_unsnoopables_node,
+ &bat_priv->mcast.want_all_unsnoopables_list);
+ spin_unlock_bh(&bat_priv->mcast.want_lists_lock);
+ /* switched from flag set to unset */
+ } else if (!(mcast_flags & BATADV_MCAST_WANT_ALL_UNSNOOPABLES) &&
+ orig->mcast_flags & BATADV_MCAST_WANT_ALL_UNSNOOPABLES) {
+ atomic_dec(&bat_priv->mcast.num_want_all_unsnoopables);
+
+ spin_lock_bh(&bat_priv->mcast.want_lists_lock);
+ hlist_del_rcu(&orig->mcast_want_all_unsnoopables_node);
+ spin_unlock_bh(&bat_priv->mcast.want_lists_lock);
+ }
Looks unsafe. How do you make sure that it is still in the list and not
already already removed in the meantime? hlist_del_rcu does not re-initialize
the pointers (only POISON them when CONFIG_DEBUG_LIST is activated). Thus
calling hlist_del_rcu again on an object not in the list either kills other
data structures or causes an Oops.
There are more *list_del* related problems of that type in your code. This is
just one example I've picked.
See http://www.open-mesh.org/issues/217#note-5
Kind regards,
Sven