Hi,
I would like tp propose following corrections for net-next-2.6/2.6.40. Both are bug fixes. The first one fixes the regression introduced by "batman-adv: Make bat_priv->primary_if an rcu protected pointer" which prevented that the attached net_devices could be destroyed because the references to them were incorrectly counted.
The second one is a bug which may "filled" the broadcast queue when at the same time primary_if got changed and a broadcast was initiated. The queue counter were never reduced because there were no actual packets attached to the the queue.
thanks, Sven
The following changes since commit 27aea2128ec09924dfe08e97739b2bf8b15c8619:
batman-adv: remove duplicate code from function is_bidirectional_neigh() (2011-05-08 16:10:42 +0200)
are available in the git repository at: git://git.open-mesh.org/ecsv/linux-merge.git batman-adv/next
Marek Lindner (1): batman-adv: reset broadcast flood protection on error
Sven Eckelmann (1): batman-adv: Add missing hardif_free_ref in forw_packet_free
net/batman-adv/aggregation.c | 14 +++++++++++--- net/batman-adv/send.c | 19 ++++++++++++++++--- 2 files changed, 27 insertions(+), 6 deletions(-)
add_bcast_packet_to_list increases the refcount for if_incoming but the reference count is never decreased. The reference count must be increased for all kinds of forwarded packets which have the primary interface stored and forw_packet_free must decrease them. Also purge_outstanding_packets has to invoke forw_packet_free when a work item was really cancelled.
This regression was introduced in 32ae9b221e788413ce68feaae2ca39e406211a0a.
Reported-by: Antonio Quartulli ordex@autistici.org Signed-off-by: Sven Eckelmann sven@narfation.org --- net/batman-adv/aggregation.c | 14 +++++++++++--- net/batman-adv/send.c | 17 +++++++++++++++-- 2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/net/batman-adv/aggregation.c b/net/batman-adv/aggregation.c index 9b94590..a8c3203 100644 --- a/net/batman-adv/aggregation.c +++ b/net/batman-adv/aggregation.c @@ -23,6 +23,7 @@ #include "aggregation.h" #include "send.h" #include "routing.h" +#include "hard-interface.h"
/* calculate the size of the tt information for a given packet */ static int tt_len(struct batman_packet *batman_packet) @@ -105,12 +106,15 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len, struct forw_packet *forw_packet_aggr; unsigned char *skb_buff;
+ if (!atomic_inc_not_zero(&if_incoming->refcount)) + return; + /* own packet should always be scheduled */ if (!own_packet) { if (!atomic_dec_not_zero(&bat_priv->batman_queue_left)) { bat_dbg(DBG_BATMAN, bat_priv, "batman packet queue full\n"); - return; + goto out; } }
@@ -118,7 +122,7 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len, if (!forw_packet_aggr) { if (!own_packet) atomic_inc(&bat_priv->batman_queue_left); - return; + goto out; }
if ((atomic_read(&bat_priv->aggregated_ogms)) && @@ -133,7 +137,7 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len, if (!own_packet) atomic_inc(&bat_priv->batman_queue_left); kfree(forw_packet_aggr); - return; + goto out; } skb_reserve(forw_packet_aggr->skb, sizeof(struct ethhdr));
@@ -164,6 +168,10 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len, queue_delayed_work(bat_event_workqueue, &forw_packet_aggr->delayed_work, send_time - jiffies); + + return; +out: + hardif_free_ref(if_incoming); }
/* aggregate a new packet into the existing aggregation */ diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c index f30d0c6..76daa46 100644 --- a/net/batman-adv/send.c +++ b/net/batman-adv/send.c @@ -377,6 +377,8 @@ static void forw_packet_free(struct forw_packet *forw_packet) { if (forw_packet->skb) kfree_skb(forw_packet->skb); + if (forw_packet->if_incoming) + hardif_free_ref(forw_packet->if_incoming); kfree(forw_packet); }
@@ -539,6 +541,7 @@ void purge_outstanding_packets(struct bat_priv *bat_priv, { struct forw_packet *forw_packet; struct hlist_node *tmp_node, *safe_tmp_node; + bool pending;
if (hard_iface) bat_dbg(DBG_BATMAN, bat_priv, @@ -567,8 +570,13 @@ void purge_outstanding_packets(struct bat_priv *bat_priv, * send_outstanding_bcast_packet() will lock the list to * delete the item from the list */ - cancel_delayed_work_sync(&forw_packet->delayed_work); + pending = cancel_delayed_work_sync(&forw_packet->delayed_work); spin_lock_bh(&bat_priv->forw_bcast_list_lock); + + if (pending) { + hlist_del(&forw_packet->list); + forw_packet_free(forw_packet); + } } spin_unlock_bh(&bat_priv->forw_bcast_list_lock);
@@ -591,8 +599,13 @@ void purge_outstanding_packets(struct bat_priv *bat_priv, * send_outstanding_bat_packet() will lock the list to * delete the item from the list */ - cancel_delayed_work_sync(&forw_packet->delayed_work); + pending = cancel_delayed_work_sync(&forw_packet->delayed_work); spin_lock_bh(&bat_priv->forw_bat_list_lock); + + if (pending) { + hlist_del(&forw_packet->list); + forw_packet_free(forw_packet); + } } spin_unlock_bh(&bat_priv->forw_bat_list_lock); }
From: Marek Lindner lindner_marek@yahoo.de
The broadcast flood protection should be reset to its original value if the primary interface could not be retrieved.
Signed-off-by: Marek Lindner lindner_marek@yahoo.de Signed-off-by: Sven Eckelmann sven@narfation.org --- net/batman-adv/send.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c index 76daa46..3377927 100644 --- a/net/batman-adv/send.c +++ b/net/batman-adv/send.c @@ -421,7 +421,7 @@ int add_bcast_packet_to_list(struct bat_priv *bat_priv, struct sk_buff *skb)
primary_if = primary_if_get_selected(bat_priv); if (!primary_if) - goto out; + goto out_and_inc;
forw_packet = kmalloc(sizeof(struct forw_packet), GFP_ATOMIC);
From: Sven Eckelmann sven@narfation.org Date: Sun, 15 May 2011 00:16:32 +0200
git://git.open-mesh.org/ecsv/linux-merge.git batman-adv/next
Pulled, thanks Sven.
b.a.t.m.a.n@lists.open-mesh.org