Hi,
i tried to prevent the race condition [1] that I mentioned yesterday. The patchset was also slightly extended to use a refcnt a little bit more.
Best regards, Sven
[1] 201009170317.28338.sven.eckelmann@gmx.de
Sven Eckelmann (9): batman-adv: Introduce if_list_lock to protect if_list batman-adv: Protect update side of gw_list batman-adv: Always protect list_for_each_entry_rcu with RCU batman-adv: Remove unneeded rcu_read_lock batman-adv: Use synchronize_rcu instead of call_rcu batman-adv: Use refcnt to track usage count of gw_node batman-adv: Use refcnt to track usage count of batman_if batman-adv: count election of gateway as reference batman-adv: count batman_if list queries as reference
batman-adv/bat_sysfs.c | 37 ++++++++++++++++++------- batman-adv/gateway_client.c | 64 ++++++++++++++++++++++++++++++------------- batman-adv/hard-interface.c | 59 +++++++++++++++++++++++++++++----------- batman-adv/hard-interface.h | 13 +++++++++ batman-adv/originator.c | 2 - batman-adv/routing.c | 2 + batman-adv/types.h | 4 +- 7 files changed, 132 insertions(+), 49 deletions(-)
The update critical sections of if_list must be protected by a locking primitive other than RCU. The iterator must also be protected by the chosen locking mechanism.
The rtnl_lock in hardif_remove_interfaces must also be moved outside the iterator primitive to ensure that we don't deadlock the kernel due to differently nested locks in hardif_remove_interfaces and hard_if_event.
Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- batman-adv/hard-interface.c | 17 +++++++++++++++-- 1 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/batman-adv/hard-interface.c b/batman-adv/hard-interface.c index edbfddf..3cd7cb1 100644 --- a/batman-adv/hard-interface.c +++ b/batman-adv/hard-interface.c @@ -35,6 +35,9 @@
#define MIN(x, y) ((x) < (y) ? (x) : (y))
+/* protect update critical side of if_list - but not the content */ +static DEFINE_SPINLOCK(if_list_lock); + struct batman_if *get_batman_if_by_netdev(struct net_device *net_dev) { struct batman_if *batman_if; @@ -402,7 +405,11 @@ static struct batman_if *hardif_add_interface(struct net_device *net_dev) INIT_LIST_HEAD(&batman_if->list);
check_known_mac_addr(batman_if->net_dev->dev_addr); + + spin_lock(&if_list_lock); list_add_tail_rcu(&batman_if->list, &if_list); + spin_unlock(&if_list_lock); + return batman_if;
free_if: @@ -430,6 +437,8 @@ static void hardif_remove_interface(struct batman_if *batman_if) return;
batman_if->if_status = IF_TO_BE_REMOVED; + + /* caller must take if_list_lock */ list_del_rcu(&batman_if->list); sysfs_del_hardif(&batman_if->hardif_obj); dev_put(batman_if->net_dev); @@ -440,11 +449,13 @@ void hardif_remove_interfaces(void) { struct batman_if *batman_if, *batman_if_tmp;
+ rtnl_lock(); + spin_lock(&if_list_lock); list_for_each_entry_safe(batman_if, batman_if_tmp, &if_list, list) { - rtnl_lock(); hardif_remove_interface(batman_if); - rtnl_unlock(); } + spin_unlock(&if_list_lock); + rtnl_unlock(); }
static int hard_if_event(struct notifier_block *this, @@ -469,7 +480,9 @@ static int hard_if_event(struct notifier_block *this, hardif_deactivate_interface(batman_if); break; case NETDEV_UNREGISTER: + spin_lock(&if_list_lock); hardif_remove_interface(batman_if); + spin_unlock(&if_list_lock); break; case NETDEV_CHANGEMTU: if (batman_if->soft_iface)
hlist_add_head_rcu must be protected using gw_list_lock of the current bat_priv like already done with hlist_del_rcu.
It is important that this lock is now always done using spin_lock_irqsave because gw_node_add can also be called indirectly from parts of the kernel with interrupts disabled.
Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- batman-adv/gateway_client.c | 13 +++++++++---- 1 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/batman-adv/gateway_client.c b/batman-adv/gateway_client.c index 6721398..dd96d99 100644 --- a/batman-adv/gateway_client.c +++ b/batman-adv/gateway_client.c @@ -196,6 +196,7 @@ static void gw_node_add(struct bat_priv *bat_priv, { struct gw_node *gw_node; int down, up; + unsigned long flags;
gw_node = kmalloc(sizeof(struct gw_node), GFP_ATOMIC); if (!gw_node) @@ -205,7 +206,9 @@ static void gw_node_add(struct bat_priv *bat_priv, INIT_HLIST_NODE(&gw_node->list); gw_node->orig_node = orig_node;
+ spin_lock_irqsave(&bat_priv->gw_list_lock, flags); hlist_add_head_rcu(&gw_node->list, &bat_priv->gw_list); + spin_unlock_irqrestore(&bat_priv->gw_list_lock, flags);
gw_srv_class_to_kbit(new_gwflags, &down, &up); bat_dbg(DBG_BATMAN, bat_priv, @@ -273,8 +276,9 @@ void gw_node_purge_deleted(struct bat_priv *bat_priv) struct gw_node *gw_node; struct hlist_node *node, *node_tmp; unsigned long timeout = 2 * PURGE_TIMEOUT * HZ; + unsigned long flags;
- spin_lock(&bat_priv->gw_list_lock); + spin_lock_irqsave(&bat_priv->gw_list_lock, flags);
hlist_for_each_entry_safe(gw_node, node, node_tmp, &bat_priv->gw_list, list) { @@ -286,15 +290,16 @@ void gw_node_purge_deleted(struct bat_priv *bat_priv) } }
- spin_unlock(&bat_priv->gw_list_lock); + spin_unlock_irqrestore(&bat_priv->gw_list_lock, flags); }
void gw_node_list_free(struct bat_priv *bat_priv) { struct gw_node *gw_node; struct hlist_node *node, *node_tmp; + unsigned long flags;
- spin_lock(&bat_priv->gw_list_lock); + spin_lock_irqsave(&bat_priv->gw_list_lock, flags);
hlist_for_each_entry_safe(gw_node, node, node_tmp, &bat_priv->gw_list, list) { @@ -303,7 +308,7 @@ void gw_node_list_free(struct bat_priv *bat_priv) }
gw_deselect(bat_priv); - spin_unlock(&bat_priv->gw_list_lock); + spin_unlock_irqrestore(&bat_priv->gw_list_lock, flags); }
static int _write_buffer_text(struct bat_priv *bat_priv,
receive_bat_packet is not called with rcu_read_lock so we must ensure by ourself that we protect list_for_each_entry_rcu using the correct RCU locks.
Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- batman-adv/routing.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/batman-adv/routing.c b/batman-adv/routing.c index 603a932..1781b7e 100644 --- a/batman-adv/routing.c +++ b/batman-adv/routing.c @@ -575,6 +575,7 @@ void receive_bat_packet(struct ethhdr *ethhdr, batman_packet->tq, batman_packet->ttl, batman_packet->version, has_directlink_flag);
+ rcu_read_lock(); list_for_each_entry_rcu(batman_if, &if_list, list) { if (batman_if->if_status != IF_ACTIVE) continue; @@ -597,6 +598,7 @@ void receive_bat_packet(struct ethhdr *ethhdr, if (compare_orig(ethhdr->h_source, broadcast_addr)) is_broadcast = 1; } + rcu_read_unlock();
if (batman_packet->version != COMPAT_VERSION) { bat_dbg(DBG_BATMAN, bat_priv,
Regions which do not use rcu functions don't need to protected by rcu_read_lock. If we want to protect data from being freed than it must be covered by the same read-side critical section or otherwise the grace period may already ended and freed the memory before we called rcu_read_lock again.
Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- batman-adv/gateway_client.c | 4 ---- batman-adv/originator.c | 2 -- 2 files changed, 0 insertions(+), 6 deletions(-)
diff --git a/batman-adv/gateway_client.c b/batman-adv/gateway_client.c index dd96d99..bfac0ff 100644 --- a/batman-adv/gateway_client.c +++ b/batman-adv/gateway_client.c @@ -342,9 +342,7 @@ int gw_client_seq_print_text(struct seq_file *seq, void *offset) struct hlist_node *node; int gw_count = 0;
- rcu_read_lock(); if (!bat_priv->primary_if) { - rcu_read_unlock();
return seq_printf(seq, "BATMAN mesh %s disabled - please " "specify interfaces to enable it\n", @@ -352,7 +350,6 @@ int gw_client_seq_print_text(struct seq_file *seq, void *offset) }
if (bat_priv->primary_if->if_status != IF_ACTIVE) { - rcu_read_unlock();
return seq_printf(seq, "BATMAN mesh %s disabled - " "primary interface not active\n", @@ -365,7 +362,6 @@ int gw_client_seq_print_text(struct seq_file *seq, void *offset) "outgoingIF", SOURCE_VERSION, REVISION_VERSION_STR, bat_priv->primary_if->net_dev->name, bat_priv->primary_if->addr_str, net_dev->name); - rcu_read_unlock();
rcu_read_lock(); hlist_for_each_entry_rcu(gw_node, node, &bat_priv->gw_list, list) { diff --git a/batman-adv/originator.c b/batman-adv/originator.c index 2250266..3424ac2 100644 --- a/batman-adv/originator.c +++ b/batman-adv/originator.c @@ -335,7 +335,6 @@ int orig_seq_print_text(struct seq_file *seq, void *offset) net_dev->name); }
- rcu_read_lock(); seq_printf(seq, "[B.A.T.M.A.N. adv %s%s, MainIF/MAC: %s/%s (%s)]\n", SOURCE_VERSION, REVISION_VERSION_STR, bat_priv->primary_if->net_dev->name, @@ -343,7 +342,6 @@ int orig_seq_print_text(struct seq_file *seq, void *offset) seq_printf(seq, " %-15s %s (%s/%i) %17s [%10s]: %20s ...\n", "Originator", "last-seen", "#", TQ_MAX_VALUE, "Nexthop", "outgoingIF", "Potential nexthops"); - rcu_read_unlock();
spin_lock_irqsave(&bat_priv->orig_hash_lock, flags);
It is recommended [1] to use synchronize_rcu to simplify the code - especially when otherwise extra locking is needed to protect other code from picking stale elements. It also protects us for emitting to many callbacks which may results in OOM conditions.
The only reason not to use it, would be in performance critical sections or when we are not allowed to block.
[1] Documentation/RCU/checklist.txt
Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- batman-adv/gateway_client.c | 12 ++++-------- batman-adv/hard-interface.c | 10 ++-------- batman-adv/types.h | 2 -- 3 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/batman-adv/gateway_client.c b/batman-adv/gateway_client.c index bfac0ff..8bc1cb0 100644 --- a/batman-adv/gateway_client.c +++ b/batman-adv/gateway_client.c @@ -265,12 +265,6 @@ void gw_node_delete(struct bat_priv *bat_priv, struct orig_node *orig_node) return gw_node_update(bat_priv, orig_node, 0); }
-static void gw_node_free(struct rcu_head *rcu) -{ - struct gw_node *gw_node = container_of(rcu, struct gw_node, rcu); - kfree(gw_node); -} - void gw_node_purge_deleted(struct bat_priv *bat_priv) { struct gw_node *gw_node; @@ -286,7 +280,8 @@ void gw_node_purge_deleted(struct bat_priv *bat_priv) (time_after(jiffies, gw_node->deleted + timeout))) {
hlist_del_rcu(&gw_node->list); - call_rcu(&gw_node->rcu, gw_node_free); + synchronize_rcu(); + kfree(gw_node); } }
@@ -304,7 +299,8 @@ void gw_node_list_free(struct bat_priv *bat_priv) hlist_for_each_entry_safe(gw_node, node, node_tmp, &bat_priv->gw_list, list) { hlist_del_rcu(&gw_node->list); - call_rcu(&gw_node->rcu, gw_node_free); + synchronize_rcu(); + kfree(gw_node); }
gw_deselect(bat_priv); diff --git a/batman-adv/hard-interface.c b/batman-adv/hard-interface.c index 3cd7cb1..0b3ee6b 100644 --- a/batman-adv/hard-interface.c +++ b/batman-adv/hard-interface.c @@ -420,13 +420,6 @@ out: return NULL; }
-static void hardif_free_interface(struct rcu_head *rcu) -{ - struct batman_if *batman_if = container_of(rcu, struct batman_if, rcu); - - kfree(batman_if); -} - static void hardif_remove_interface(struct batman_if *batman_if) { /* first deactivate interface */ @@ -440,9 +433,10 @@ static void hardif_remove_interface(struct batman_if *batman_if)
/* caller must take if_list_lock */ list_del_rcu(&batman_if->list); + synchronize_rcu(); sysfs_del_hardif(&batman_if->hardif_obj); dev_put(batman_if->net_dev); - call_rcu(&batman_if->rcu, hardif_free_interface); + kfree(batman_if); }
void hardif_remove_interfaces(void) diff --git a/batman-adv/types.h b/batman-adv/types.h index e7b53a4..1940404 100644 --- a/batman-adv/types.h +++ b/batman-adv/types.h @@ -44,7 +44,6 @@ struct batman_if { unsigned char *packet_buff; int packet_len; struct kobject *hardif_obj; - struct rcu_head rcu; struct packet_type batman_adv_ptype; struct net_device *soft_iface; }; @@ -96,7 +95,6 @@ struct gw_node { struct hlist_node list; struct orig_node *orig_node; unsigned long deleted; - struct rcu_head rcu; };
/**
gw_election may leak data from the rcu protected list of all gateway nodes outside the read-side critical area. This is not valid as we may free the data using a call_rcu created callback after we unlock using rcu_read_unlock. A workaround is to provide a reference count to be sure that the memory isn't freed to early.
It is currently only to implement the already existing functionality and doesn't provide the full tracking of all usage cases.
Additionally, we must gw_node_hold inside the rcu_read_lock()..rcu_read_unlock() before we attach to the structure which "leaks" it. When another function now removed it from its usage context (curr_gw, usage on stack, ...) then we must gw_node_put it. If it is decremented to zero then we can issue the call_rcu to the freeing function. So "put" is not allowed inside an rcu_read_lock.
Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- batman-adv/gateway_client.c | 17 +++++++++++++++-- batman-adv/types.h | 1 + 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/batman-adv/gateway_client.c b/batman-adv/gateway_client.c index 8bc1cb0..16f0757 100644 --- a/batman-adv/gateway_client.c +++ b/batman-adv/gateway_client.c @@ -28,6 +28,17 @@ #include <linux/udp.h> #include <linux/if_vlan.h>
+static void gw_node_hold(struct gw_node *gw_node) +{ + atomic_inc(&gw_node->refcnt); +} + +static void gw_node_put(struct gw_node *gw_node) +{ + if (atomic_dec_and_test(&gw_node->refcnt)) + kfree(gw_node); +} + void *gw_get_selected(struct bat_priv *bat_priv) { struct gw_node *curr_gateway_tmp = bat_priv->curr_gw; @@ -205,6 +216,8 @@ static void gw_node_add(struct bat_priv *bat_priv, memset(gw_node, 0, sizeof(struct gw_node)); INIT_HLIST_NODE(&gw_node->list); gw_node->orig_node = orig_node; + atomic_set(&gw_node->refcnt, 0); + gw_node_hold(gw_node);
spin_lock_irqsave(&bat_priv->gw_list_lock, flags); hlist_add_head_rcu(&gw_node->list, &bat_priv->gw_list); @@ -281,7 +294,7 @@ void gw_node_purge_deleted(struct bat_priv *bat_priv)
hlist_del_rcu(&gw_node->list); synchronize_rcu(); - kfree(gw_node); + gw_node_put(gw_node); } }
@@ -300,7 +313,7 @@ void gw_node_list_free(struct bat_priv *bat_priv) &bat_priv->gw_list, list) { hlist_del_rcu(&gw_node->list); synchronize_rcu(); - kfree(gw_node); + gw_node_put(gw_node); }
gw_deselect(bat_priv); diff --git a/batman-adv/types.h b/batman-adv/types.h index 1940404..ecc4365 100644 --- a/batman-adv/types.h +++ b/batman-adv/types.h @@ -95,6 +95,7 @@ struct gw_node { struct hlist_node list; struct orig_node *orig_node; unsigned long deleted; + atomic_t refcnt; };
/**
get_batman_if_by_netdev and get_active_batman_if may leak data from the rcu protected list of interfaces. The rcu protected list of all gateway nodes leaks the actual data outside the read-side critical area. This is not valid as we may free the data using a call_rcu created callback after we unlock using rcu_read_unlock. A workaround is to provide a reference count to be sure that the memory isn't freed to early.
It is currently only to implement the already existing functionality and doesn't provide the full tracking of all usage cases.
Additionally, we must hardif_hold inside the rcu_read_lock()..rcu_read_unlock() before we attach to the structure which "leaks" it. When another function now removed it from its usage context (primary_if, usage on stack, ...) then we must hardif_put it. If it is decremented to zero then we can issue the call_rcu to the freeing function. So "put" is not allowed inside an rcu_read_lock.
Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- batman-adv/hard-interface.c | 5 +++-- batman-adv/hard-interface.h | 13 +++++++++++++ batman-adv/types.h | 1 + 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/batman-adv/hard-interface.c b/batman-adv/hard-interface.c index 0b3ee6b..445498c 100644 --- a/batman-adv/hard-interface.c +++ b/batman-adv/hard-interface.c @@ -403,6 +403,8 @@ static struct batman_if *hardif_add_interface(struct net_device *net_dev) batman_if->soft_iface = NULL; batman_if->if_status = IF_NOT_IN_USE; INIT_LIST_HEAD(&batman_if->list); + atomic_set(&batman_if->refcnt, 0); + hardif_hold(batman_if);
check_known_mac_addr(batman_if->net_dev->dev_addr);
@@ -435,8 +437,7 @@ static void hardif_remove_interface(struct batman_if *batman_if) list_del_rcu(&batman_if->list); synchronize_rcu(); sysfs_del_hardif(&batman_if->hardif_obj); - dev_put(batman_if->net_dev); - kfree(batman_if); + hardif_put(batman_if); }
void hardif_remove_interfaces(void) diff --git a/batman-adv/hard-interface.h b/batman-adv/hard-interface.h index 4b49527..d550889 100644 --- a/batman-adv/hard-interface.h +++ b/batman-adv/hard-interface.h @@ -42,4 +42,17 @@ int batman_skb_recv(struct sk_buff *skb, int hardif_min_mtu(struct net_device *soft_iface); void update_min_mtu(struct net_device *soft_iface);
+static inline void hardif_hold(struct batman_if *batman_if) +{ + atomic_inc(&batman_if->refcnt); +} + +static inline void hardif_put(struct batman_if *batman_if) +{ + if (atomic_dec_and_test(&batman_if->refcnt)) { + dev_put(batman_if->net_dev); + kfree(batman_if); + } +} + #endif /* _NET_BATMAN_ADV_HARD_INTERFACE_H_ */ diff --git a/batman-adv/types.h b/batman-adv/types.h index ecc4365..a609100 100644 --- a/batman-adv/types.h +++ b/batman-adv/types.h @@ -44,6 +44,7 @@ struct batman_if { unsigned char *packet_buff; int packet_len; struct kobject *hardif_obj; + atomic_t refcnt; struct packet_type batman_adv_ptype; struct net_device *soft_iface; };
We reference the gw_nodes as curr_gw for each bat_priv. They are tracked inside a rcu protected list gw_list which may free the memory after it gets removed from the list. Nevertheless it could still be referenced by curr_gw and access to it would result in a kernel oops.
Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- batman-adv/gateway_client.c | 22 +++++++++++++++++++--- 1 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/batman-adv/gateway_client.c b/batman-adv/gateway_client.c index 16f0757..1cad4f8 100644 --- a/batman-adv/gateway_client.c +++ b/batman-adv/gateway_client.c @@ -51,13 +51,18 @@ void *gw_get_selected(struct bat_priv *bat_priv)
void gw_deselect(struct bat_priv *bat_priv) { + struct gw_node *gw_node = bat_priv->curr_gw; + bat_priv->curr_gw = NULL; + + if (gw_node) + gw_node_put(gw_node); }
void gw_election(struct bat_priv *bat_priv) { struct hlist_node *node; - struct gw_node *gw_node, *curr_gw_tmp = NULL; + struct gw_node *gw_node, *curr_gw_tmp = NULL, *old_gw_node = NULL; uint8_t max_tq = 0; uint32_t max_gw_factor = 0, tmp_gw_factor = 0; int down, up; @@ -131,7 +136,6 @@ void gw_election(struct bat_priv *bat_priv) if (tmp_gw_factor > max_gw_factor) max_gw_factor = tmp_gw_factor; } - rcu_read_unlock();
if (bat_priv->curr_gw != curr_gw_tmp) { if ((bat_priv->curr_gw) && (!curr_gw_tmp)) @@ -153,8 +157,17 @@ void gw_election(struct bat_priv *bat_priv) curr_gw_tmp->orig_node->gw_flags, curr_gw_tmp->orig_node->router->tq_avg);
+ old_gw_node = bat_priv->curr_gw; + if (curr_gw_tmp) + gw_node_hold(curr_gw_tmp); + bat_priv->curr_gw = curr_gw_tmp; } + + rcu_read_unlock(); + + if (old_gw_node) + gw_node_put(old_gw_node); }
void gw_check_election(struct bat_priv *bat_priv, struct orig_node *orig_node) @@ -258,8 +271,11 @@ void gw_node_update(struct bat_priv *bat_priv, "Gateway %pM removed from gateway list\n", orig_node->orig);
- if (gw_node == bat_priv->curr_gw) + if (gw_node == bat_priv->curr_gw) { + rcu_read_unlock(); gw_deselect(bat_priv); + return; + } }
rcu_read_unlock();
The return of get_batman_if_by_netdev and get_active_batman_if leaks a pointer from the rcu protected list of interfaces. We must protect it to prevent a too early release of the memory. Those functions must increase the reference counter before rcu_read_unlock or it may be to late to prevent a free.
hardif_add_interface must also increase the reference count for the returned batman_if to make the behaviour consistent.
Reported-by: Paul E. McKenney paulmck@linux.vnet.ibm.com Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- batman-adv/bat_sysfs.c | 37 +++++++++++++++++++++++++++---------- batman-adv/hard-interface.c | 29 ++++++++++++++++++++++++----- 2 files changed, 51 insertions(+), 15 deletions(-)
diff --git a/batman-adv/bat_sysfs.c b/batman-adv/bat_sysfs.c index 8e180ba..79090c9 100644 --- a/batman-adv/bat_sysfs.c +++ b/batman-adv/bat_sysfs.c @@ -453,13 +453,17 @@ static ssize_t show_mesh_iface(struct kobject *kobj, struct attribute *attr, struct device *dev = to_dev(kobj->parent); struct net_device *net_dev = to_net_dev(dev); struct batman_if *batman_if = get_batman_if_by_netdev(net_dev); + ssize_t length;
if (!batman_if) return 0;
- return sprintf(buff, "%s\n", - batman_if->if_status == IF_NOT_IN_USE ? - "none" : batman_if->soft_iface->name); + length = sprintf(buff, "%s\n", batman_if->if_status == IF_NOT_IN_USE ? + "none" : batman_if->soft_iface->name); + + hardif_put(batman_if); + + return length; }
static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, @@ -469,6 +473,7 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, struct net_device *net_dev = to_net_dev(dev); struct batman_if *batman_if = get_batman_if_by_netdev(net_dev); int status_tmp = -1; + int ret;
if (!batman_if) return count; @@ -479,6 +484,7 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, if (strlen(buff) >= IFNAMSIZ) { pr_err("Invalid parameter for 'mesh_iface' setting received: " "interface name too long '%s'\n", buff); + hardif_put(batman_if); return -EINVAL; }
@@ -488,13 +494,16 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, status_tmp = IF_I_WANT_YOU;
if ((batman_if->if_status == status_tmp) || ((batman_if->soft_iface) && - (strncmp(batman_if->soft_iface->name, buff, IFNAMSIZ) == 0))) + (strncmp(batman_if->soft_iface->name, buff, IFNAMSIZ) == 0))) { + hardif_put(batman_if); return count; + }
if (status_tmp == IF_NOT_IN_USE) { rtnl_lock(); hardif_disable_interface(batman_if); rtnl_unlock(); + hardif_put(batman_if); return count; }
@@ -505,7 +514,10 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, rtnl_unlock(); }
- return hardif_enable_interface(batman_if, buff); + ret = hardif_enable_interface(batman_if, buff); + hardif_put(batman_if); + + return ret; }
static ssize_t show_iface_status(struct kobject *kobj, struct attribute *attr, @@ -514,23 +526,28 @@ static ssize_t show_iface_status(struct kobject *kobj, struct attribute *attr, struct device *dev = to_dev(kobj->parent); struct net_device *net_dev = to_net_dev(dev); struct batman_if *batman_if = get_batman_if_by_netdev(net_dev); + ssize_t length;
if (!batman_if) return 0;
switch (batman_if->if_status) { case IF_TO_BE_REMOVED: - return sprintf(buff, "disabling\n"); + length = sprintf(buff, "disabling\n"); case IF_INACTIVE: - return sprintf(buff, "inactive\n"); + length = sprintf(buff, "inactive\n"); case IF_ACTIVE: - return sprintf(buff, "active\n"); + length = sprintf(buff, "active\n"); case IF_TO_BE_ACTIVATED: - return sprintf(buff, "enabling\n"); + length = sprintf(buff, "enabling\n"); case IF_NOT_IN_USE: default: - return sprintf(buff, "not in use\n"); + length = sprintf(buff, "not in use\n"); } + + hardif_put(batman_if); + + return length; }
static BAT_ATTR(mesh_iface, S_IRUGO | S_IWUSR, diff --git a/batman-adv/hard-interface.c b/batman-adv/hard-interface.c index 445498c..f519b4b 100644 --- a/batman-adv/hard-interface.c +++ b/batman-adv/hard-interface.c @@ -51,6 +51,9 @@ struct batman_if *get_batman_if_by_netdev(struct net_device *net_dev) batman_if = NULL;
out: + if (batman_if) + hardif_hold(batman_if); + rcu_read_unlock(); return batman_if; } @@ -98,6 +101,9 @@ static struct batman_if *get_active_batman_if(struct net_device *soft_iface) batman_if = NULL;
out: + if (batman_if) + hardif_hold(batman_if); + rcu_read_unlock(); return batman_if; } @@ -294,6 +300,7 @@ int hardif_enable_interface(struct batman_if *batman_if, char *iface_name) batman_if->batman_adv_ptype.type = __constant_htons(ETH_P_BATMAN); batman_if->batman_adv_ptype.func = batman_skb_recv; batman_if->batman_adv_ptype.dev = batman_if->net_dev; + hardif_hold(batman_if); dev_add_pack(&batman_if->batman_adv_ptype);
atomic_set(&batman_if->seqno, 1); @@ -352,13 +359,20 @@ void hardif_disable_interface(struct batman_if *batman_if) bat_info(batman_if->soft_iface, "Removing interface: %s\n", batman_if->net_dev->name); dev_remove_pack(&batman_if->batman_adv_ptype); + hardif_put(batman_if);
bat_priv->num_ifaces--; orig_hash_del_if(batman_if, bat_priv->num_ifaces);
- if (batman_if == bat_priv->primary_if) - set_primary_if(bat_priv, - get_active_batman_if(batman_if->soft_iface)); + if (batman_if == bat_priv->primary_if) { + struct batman_if *new_if; + + new_if = get_active_batman_if(batman_if->soft_iface); + set_primary_if(bat_priv, new_if); + + if (new_if) + hardif_put(new_if); + }
kfree(batman_if->packet_buff); batman_if->packet_buff = NULL; @@ -412,6 +426,8 @@ static struct batman_if *hardif_add_interface(struct net_device *net_dev) list_add_tail_rcu(&batman_if->list, &if_list); spin_unlock(&if_list_lock);
+ /* extra reference for return */ + hardif_hold(batman_if); return batman_if;
free_if: @@ -461,7 +477,7 @@ static int hard_if_event(struct notifier_block *this, struct bat_priv *bat_priv;
if (!batman_if && event == NETDEV_REGISTER) - batman_if = hardif_add_interface(net_dev); + batman_if = hardif_add_interface(net_dev);
if (!batman_if) goto out; @@ -484,8 +500,10 @@ static int hard_if_event(struct notifier_block *this, update_min_mtu(batman_if->soft_iface); break; case NETDEV_CHANGEADDR: - if (batman_if->if_status == IF_NOT_IN_USE) + if (batman_if->if_status == IF_NOT_IN_USE) { + hardif_put(batman_if); goto out; + }
check_known_mac_addr(batman_if->net_dev->dev_addr); update_mac_addresses(batman_if); @@ -497,6 +515,7 @@ static int hard_if_event(struct notifier_block *this, default: break; }; + hardif_put(batman_if);
out: return NOTIFY_DONE;
The return of get_batman_if_by_netdev and get_active_batman_if leaks a pointer from the rcu protected list of interfaces. We must protect it to prevent a too early release of the memory. Those functions must increase the reference counter before rcu_read_unlock or it may be to late to prevent a free.
hardif_add_interface must also increase the reference count for the returned batman_if to make the behaviour consistent.
Reported-by: Paul E. McKenney paulmck@linux.vnet.ibm.com Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- Forgot some breaks in a switch statements.
batman-adv/bat_sysfs.c | 42 ++++++++++++++++++++++++++++++++---------- batman-adv/hard-interface.c | 29 ++++++++++++++++++++++++----- 2 files changed, 56 insertions(+), 15 deletions(-)
diff --git a/batman-adv/bat_sysfs.c b/batman-adv/bat_sysfs.c index 8e180ba..9ab2bfe 100644 --- a/batman-adv/bat_sysfs.c +++ b/batman-adv/bat_sysfs.c @@ -453,13 +453,17 @@ static ssize_t show_mesh_iface(struct kobject *kobj, struct attribute *attr, struct device *dev = to_dev(kobj->parent); struct net_device *net_dev = to_net_dev(dev); struct batman_if *batman_if = get_batman_if_by_netdev(net_dev); + ssize_t length;
if (!batman_if) return 0;
- return sprintf(buff, "%s\n", - batman_if->if_status == IF_NOT_IN_USE ? - "none" : batman_if->soft_iface->name); + length = sprintf(buff, "%s\n", batman_if->if_status == IF_NOT_IN_USE ? + "none" : batman_if->soft_iface->name); + + hardif_put(batman_if); + + return length; }
static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, @@ -469,6 +473,7 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, struct net_device *net_dev = to_net_dev(dev); struct batman_if *batman_if = get_batman_if_by_netdev(net_dev); int status_tmp = -1; + int ret;
if (!batman_if) return count; @@ -479,6 +484,7 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, if (strlen(buff) >= IFNAMSIZ) { pr_err("Invalid parameter for 'mesh_iface' setting received: " "interface name too long '%s'\n", buff); + hardif_put(batman_if); return -EINVAL; }
@@ -488,13 +494,16 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, status_tmp = IF_I_WANT_YOU;
if ((batman_if->if_status == status_tmp) || ((batman_if->soft_iface) && - (strncmp(batman_if->soft_iface->name, buff, IFNAMSIZ) == 0))) + (strncmp(batman_if->soft_iface->name, buff, IFNAMSIZ) == 0))) { + hardif_put(batman_if); return count; + }
if (status_tmp == IF_NOT_IN_USE) { rtnl_lock(); hardif_disable_interface(batman_if); rtnl_unlock(); + hardif_put(batman_if); return count; }
@@ -505,7 +514,10 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, rtnl_unlock(); }
- return hardif_enable_interface(batman_if, buff); + ret = hardif_enable_interface(batman_if, buff); + hardif_put(batman_if); + + return ret; }
static ssize_t show_iface_status(struct kobject *kobj, struct attribute *attr, @@ -514,23 +526,33 @@ static ssize_t show_iface_status(struct kobject *kobj, struct attribute *attr, struct device *dev = to_dev(kobj->parent); struct net_device *net_dev = to_net_dev(dev); struct batman_if *batman_if = get_batman_if_by_netdev(net_dev); + ssize_t length;
if (!batman_if) return 0;
switch (batman_if->if_status) { case IF_TO_BE_REMOVED: - return sprintf(buff, "disabling\n"); + length = sprintf(buff, "disabling\n"); + break; case IF_INACTIVE: - return sprintf(buff, "inactive\n"); + length = sprintf(buff, "inactive\n"); + break; case IF_ACTIVE: - return sprintf(buff, "active\n"); + length = sprintf(buff, "active\n"); + break; case IF_TO_BE_ACTIVATED: - return sprintf(buff, "enabling\n"); + length = sprintf(buff, "enabling\n"); + break; case IF_NOT_IN_USE: default: - return sprintf(buff, "not in use\n"); + length = sprintf(buff, "not in use\n"); + break; } + + hardif_put(batman_if); + + return length; }
static BAT_ATTR(mesh_iface, S_IRUGO | S_IWUSR, diff --git a/batman-adv/hard-interface.c b/batman-adv/hard-interface.c index 445498c..f519b4b 100644 --- a/batman-adv/hard-interface.c +++ b/batman-adv/hard-interface.c @@ -51,6 +51,9 @@ struct batman_if *get_batman_if_by_netdev(struct net_device *net_dev) batman_if = NULL;
out: + if (batman_if) + hardif_hold(batman_if); + rcu_read_unlock(); return batman_if; } @@ -98,6 +101,9 @@ static struct batman_if *get_active_batman_if(struct net_device *soft_iface) batman_if = NULL;
out: + if (batman_if) + hardif_hold(batman_if); + rcu_read_unlock(); return batman_if; } @@ -294,6 +300,7 @@ int hardif_enable_interface(struct batman_if *batman_if, char *iface_name) batman_if->batman_adv_ptype.type = __constant_htons(ETH_P_BATMAN); batman_if->batman_adv_ptype.func = batman_skb_recv; batman_if->batman_adv_ptype.dev = batman_if->net_dev; + hardif_hold(batman_if); dev_add_pack(&batman_if->batman_adv_ptype);
atomic_set(&batman_if->seqno, 1); @@ -352,13 +359,20 @@ void hardif_disable_interface(struct batman_if *batman_if) bat_info(batman_if->soft_iface, "Removing interface: %s\n", batman_if->net_dev->name); dev_remove_pack(&batman_if->batman_adv_ptype); + hardif_put(batman_if);
bat_priv->num_ifaces--; orig_hash_del_if(batman_if, bat_priv->num_ifaces);
- if (batman_if == bat_priv->primary_if) - set_primary_if(bat_priv, - get_active_batman_if(batman_if->soft_iface)); + if (batman_if == bat_priv->primary_if) { + struct batman_if *new_if; + + new_if = get_active_batman_if(batman_if->soft_iface); + set_primary_if(bat_priv, new_if); + + if (new_if) + hardif_put(new_if); + }
kfree(batman_if->packet_buff); batman_if->packet_buff = NULL; @@ -412,6 +426,8 @@ static struct batman_if *hardif_add_interface(struct net_device *net_dev) list_add_tail_rcu(&batman_if->list, &if_list); spin_unlock(&if_list_lock);
+ /* extra reference for return */ + hardif_hold(batman_if); return batman_if;
free_if: @@ -461,7 +477,7 @@ static int hard_if_event(struct notifier_block *this, struct bat_priv *bat_priv;
if (!batman_if && event == NETDEV_REGISTER) - batman_if = hardif_add_interface(net_dev); + batman_if = hardif_add_interface(net_dev);
if (!batman_if) goto out; @@ -484,8 +500,10 @@ static int hard_if_event(struct notifier_block *this, update_min_mtu(batman_if->soft_iface); break; case NETDEV_CHANGEADDR: - if (batman_if->if_status == IF_NOT_IN_USE) + if (batman_if->if_status == IF_NOT_IN_USE) { + hardif_put(batman_if); goto out; + }
check_known_mac_addr(batman_if->net_dev->dev_addr); update_mac_addresses(batman_if); @@ -497,6 +515,7 @@ static int hard_if_event(struct notifier_block *this, default: break; }; + hardif_put(batman_if);
out: return NOTIFY_DONE;
On Friday 17 September 2010 19:27:06 Sven Eckelmann wrote:
The return of get_batman_if_by_netdev and get_active_batman_if leaks a pointer from the rcu protected list of interfaces. We must protect it to prevent a too early release of the memory. Those functions must increase the reference counter before rcu_read_unlock or it may be to late to prevent a free.
It seems this patch does not properly deal with bat_priv->primary_if. Please review my revised patch and let me know if you think it is ok.
Cheers, Marek
From: Sven Eckelmann sven.eckelmann@gmx.de
The return of get_batman_if_by_netdev and get_active_batman_if leaks a pointer from the rcu protected list of interfaces. We must protect it to prevent a too early release of the memory. Those functions must increase the reference counter before rcu_read_unlock or it may be to late to prevent a free.
hardif_add_interface must also increase the reference count for the returned batman_if to make the behaviour consistent.
Reported-by: Paul E. McKenney paulmck@linux.vnet.ibm.com Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de Signed-off-by: Marek Lindner lindner_marek@yahoo.de --- batman-adv/bat_sysfs.c | 42 +++++++++++++++++++++++++++++++--------- batman-adv/hard-interface.c | 44 +++++++++++++++++++++++++++++++++--------- 2 files changed, 66 insertions(+), 20 deletions(-)
diff --git a/batman-adv/bat_sysfs.c b/batman-adv/bat_sysfs.c index 8e180ba..9ab2bfe 100644 --- a/batman-adv/bat_sysfs.c +++ b/batman-adv/bat_sysfs.c @@ -453,13 +453,17 @@ static ssize_t show_mesh_iface(struct kobject *kobj, struct attribute *attr, struct device *dev = to_dev(kobj->parent); struct net_device *net_dev = to_net_dev(dev); struct batman_if *batman_if = get_batman_if_by_netdev(net_dev); + ssize_t length;
if (!batman_if) return 0;
- return sprintf(buff, "%s\n", - batman_if->if_status == IF_NOT_IN_USE ? - "none" : batman_if->soft_iface->name); + length = sprintf(buff, "%s\n", batman_if->if_status == IF_NOT_IN_USE ? + "none" : batman_if->soft_iface->name); + + hardif_put(batman_if); + + return length; }
static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, @@ -469,6 +473,7 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, struct net_device *net_dev = to_net_dev(dev); struct batman_if *batman_if = get_batman_if_by_netdev(net_dev); int status_tmp = -1; + int ret;
if (!batman_if) return count; @@ -479,6 +484,7 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, if (strlen(buff) >= IFNAMSIZ) { pr_err("Invalid parameter for 'mesh_iface' setting received: " "interface name too long '%s'\n", buff); + hardif_put(batman_if); return -EINVAL; }
@@ -488,13 +494,16 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, status_tmp = IF_I_WANT_YOU;
if ((batman_if->if_status == status_tmp) || ((batman_if->soft_iface) && - (strncmp(batman_if->soft_iface->name, buff, IFNAMSIZ) == 0))) + (strncmp(batman_if->soft_iface->name, buff, IFNAMSIZ) == 0))) { + hardif_put(batman_if); return count; + }
if (status_tmp == IF_NOT_IN_USE) { rtnl_lock(); hardif_disable_interface(batman_if); rtnl_unlock(); + hardif_put(batman_if); return count; }
@@ -505,7 +514,10 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr, rtnl_unlock(); }
- return hardif_enable_interface(batman_if, buff); + ret = hardif_enable_interface(batman_if, buff); + hardif_put(batman_if); + + return ret; }
static ssize_t show_iface_status(struct kobject *kobj, struct attribute *attr, @@ -514,23 +526,33 @@ static ssize_t show_iface_status(struct kobject *kobj, struct attribute *attr, struct device *dev = to_dev(kobj->parent); struct net_device *net_dev = to_net_dev(dev); struct batman_if *batman_if = get_batman_if_by_netdev(net_dev); + ssize_t length;
if (!batman_if) return 0;
switch (batman_if->if_status) { case IF_TO_BE_REMOVED: - return sprintf(buff, "disabling\n"); + length = sprintf(buff, "disabling\n"); + break; case IF_INACTIVE: - return sprintf(buff, "inactive\n"); + length = sprintf(buff, "inactive\n"); + break; case IF_ACTIVE: - return sprintf(buff, "active\n"); + length = sprintf(buff, "active\n"); + break; case IF_TO_BE_ACTIVATED: - return sprintf(buff, "enabling\n"); + length = sprintf(buff, "enabling\n"); + break; case IF_NOT_IN_USE: default: - return sprintf(buff, "not in use\n"); + length = sprintf(buff, "not in use\n"); + break; } + + hardif_put(batman_if); + + return length; }
static BAT_ATTR(mesh_iface, S_IRUGO | S_IWUSR, diff --git a/batman-adv/hard-interface.c b/batman-adv/hard-interface.c index 445498c..64ff53d 100644 --- a/batman-adv/hard-interface.c +++ b/batman-adv/hard-interface.c @@ -51,6 +51,9 @@ struct batman_if *get_batman_if_by_netdev(struct net_device *net_dev) batman_if = NULL;
out: + if (batman_if) + hardif_hold(batman_if); + rcu_read_unlock(); return batman_if; } @@ -98,31 +101,45 @@ static struct batman_if *get_active_batman_if(struct net_device *soft_iface) batman_if = NULL;
out: + if (batman_if) + hardif_hold(batman_if); + rcu_read_unlock(); return batman_if; }
+static void update_primary_addr(struct bat_priv *bat_priv) +{ + struct vis_packet *vis_packet; + + vis_packet = (struct vis_packet *) + bat_priv->my_vis_info->skb_packet->data; + memcpy(vis_packet->vis_orig, + bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN); + memcpy(vis_packet->sender_orig, + bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN); +} + static void set_primary_if(struct bat_priv *bat_priv, struct batman_if *batman_if) { struct batman_packet *batman_packet; - struct vis_packet *vis_packet; + + if (bat_priv->primary_if) + hardif_put(bat_priv->primary_if);
bat_priv->primary_if = batman_if;
if (!bat_priv->primary_if) return;
+ hardif_hold(bat_priv->primary_if); + batman_packet = (struct batman_packet *)(batman_if->packet_buff); batman_packet->flags = PRIMARIES_FIRST_HOP; batman_packet->ttl = TTL;
- vis_packet = (struct vis_packet *) - bat_priv->my_vis_info->skb_packet->data; - memcpy(vis_packet->vis_orig, - bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN); - memcpy(vis_packet->sender_orig, - bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN); + update_primary_addr(bat_priv);
/*** * hacky trick to make sure that we send the HNA information via @@ -294,6 +311,7 @@ int hardif_enable_interface(struct batman_if *batman_if, char *iface_name) batman_if->batman_adv_ptype.type = __constant_htons(ETH_P_BATMAN); batman_if->batman_adv_ptype.func = batman_skb_recv; batman_if->batman_adv_ptype.dev = batman_if->net_dev; + hardif_hold(batman_if); dev_add_pack(&batman_if->batman_adv_ptype);
atomic_set(&batman_if->seqno, 1); @@ -352,6 +370,7 @@ void hardif_disable_interface(struct batman_if *batman_if) bat_info(batman_if->soft_iface, "Removing interface: %s\n", batman_if->net_dev->name); dev_remove_pack(&batman_if->batman_adv_ptype); + hardif_put(batman_if);
bat_priv->num_ifaces--; orig_hash_del_if(batman_if, bat_priv->num_ifaces); @@ -412,6 +431,8 @@ static struct batman_if *hardif_add_interface(struct net_device *net_dev) list_add_tail_rcu(&batman_if->list, &if_list); spin_unlock(&if_list_lock);
+ /* extra reference for return */ + hardif_hold(batman_if); return batman_if;
free_if: @@ -461,7 +482,7 @@ static int hard_if_event(struct notifier_block *this, struct bat_priv *bat_priv;
if (!batman_if && event == NETDEV_REGISTER) - batman_if = hardif_add_interface(net_dev); + batman_if = hardif_add_interface(net_dev);
if (!batman_if) goto out; @@ -484,19 +505,22 @@ static int hard_if_event(struct notifier_block *this, update_min_mtu(batman_if->soft_iface); break; case NETDEV_CHANGEADDR: - if (batman_if->if_status == IF_NOT_IN_USE) + if (batman_if->if_status == IF_NOT_IN_USE) { + hardif_put(batman_if); goto out; + }
check_known_mac_addr(batman_if->net_dev->dev_addr); update_mac_addresses(batman_if);
bat_priv = netdev_priv(batman_if->soft_iface); if (batman_if == bat_priv->primary_if) - set_primary_if(bat_priv, batman_if); + update_primary_addr(bat_priv); break; default: break; }; + hardif_put(batman_if);
out: return NOTIFY_DONE;
Marek Lindner wrote:
On Friday 17 September 2010 19:27:06 Sven Eckelmann wrote:
The return of get_batman_if_by_netdev and get_active_batman_if leaks a pointer from the rcu protected list of interfaces. We must protect it to prevent a too early release of the memory. Those functions must increase the reference counter before rcu_read_unlock or it may be to late to prevent a free.
It seems this patch does not properly deal with bat_priv->primary_if. Please review my revised patch and let me know if you think it is ok.
As said before, this patch should not count primary_if by design (see the commit message). I would say that your changes should be an extra patch.
I will split that stuff and send it as extra patches. Your patch itself has the problem that it increases the refcnt through get_active_batman_if, but doesn't reduce it at the end.
Best regards, Sven
set_primary_if exchanges the current primary interfaces with a new one. This is a new reference and thus we have to count it and decrease the count of the old primary interface.
Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- I would like to keep that order of hold -> exchange -> put for later changes (rcu or something like that for primary_if and curr_gw).
batman-adv/hard-interface.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/batman-adv/hard-interface.c b/batman-adv/hard-interface.c index f519b4b..942a44a 100644 --- a/batman-adv/hard-interface.c +++ b/batman-adv/hard-interface.c @@ -113,9 +113,17 @@ static void set_primary_if(struct bat_priv *bat_priv, { struct batman_packet *batman_packet; struct vis_packet *vis_packet; + struct batman_if *old_if;
+ if (batman_if) + hardif_hold(batman_if); + + old_if = bat_priv->primary_if; bat_priv->primary_if = batman_if;
+ if (old_if) + hardif_put(old_if); + if (!bat_priv->primary_if) return;
From: Marek Lindner lindner_marek@yahoo.de
set_primary_if is currently misused to update the mac address in vis packets. This unneeded and introduces overhead due to other operations which must be done when updating the primary interface.
Signed-off-by: Marek Lindner lindner_marek@yahoo.de Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de --- batman-adv/hard-interface.c | 22 ++++++++++++++-------- 1 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/batman-adv/hard-interface.c b/batman-adv/hard-interface.c index 942a44a..def74cf 100644 --- a/batman-adv/hard-interface.c +++ b/batman-adv/hard-interface.c @@ -108,11 +108,22 @@ out: return batman_if; }
+static void update_primary_addr(struct bat_priv *bat_priv) +{ + struct vis_packet *vis_packet; + + vis_packet = (struct vis_packet *) + bat_priv->my_vis_info->skb_packet->data; + memcpy(vis_packet->vis_orig, + bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN); + memcpy(vis_packet->sender_orig, + bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN); +} + static void set_primary_if(struct bat_priv *bat_priv, struct batman_if *batman_if) { struct batman_packet *batman_packet; - struct vis_packet *vis_packet; struct batman_if *old_if;
if (batman_if) @@ -131,12 +142,7 @@ static void set_primary_if(struct bat_priv *bat_priv, batman_packet->flags = PRIMARIES_FIRST_HOP; batman_packet->ttl = TTL;
- vis_packet = (struct vis_packet *) - bat_priv->my_vis_info->skb_packet->data; - memcpy(vis_packet->vis_orig, - bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN); - memcpy(vis_packet->sender_orig, - bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN); + update_primary_addr(bat_priv);
/*** * hacky trick to make sure that we send the HNA information via @@ -518,7 +524,7 @@ static int hard_if_event(struct notifier_block *this,
bat_priv = netdev_priv(batman_if->soft_iface); if (batman_if == bat_priv->primary_if) - set_primary_if(bat_priv, batman_if); + update_primary_addr(bat_priv); break; default: break;
On Saturday 18 September 2010 17:21:43 Sven Eckelmann wrote:
As said before, this patch should not count primary_if by design (see the commit message). I would say that your changes should be an extra patch.
I will split that stuff and send it as extra patches. Your patch itself has the problem that it increases the refcnt through get_active_batman_if, but doesn't reduce it at the end.
Should be ok now - I submitted your patches (revision 1799-1809).
Thanks, Marek
b.a.t.m.a.n@lists.open-mesh.org