From bde860c48a217a9b71fda841090afab693ccb2b6 Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Sun, 16 Oct 2011 18:53:37 +0200 Subject: batman-adv: fix tt_local_reset_flags() function commit 31901264511cf20c5ed33b8649a3ca9ce28df60b upstream. Currently the counter of tt_local_entry structures (tt_local_num) is incremented each time the tt_local_reset_flags() is invoked causing the node to send wrong TT_REPONSE packets containing a copy of non-initialised memory thus corrupting other nodes global translation table and making higher level communication impossible. Reported-by: Junkeun Song Signed-off-by: Antonio Quartulli Acked-by: Junkeun Song Signed-off-by: Marek Lindner Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/translation-table.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'net/batman-adv/translation-table.c') diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index fb6931d00cd..f599db9dbec 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -1668,6 +1668,8 @@ static void tt_local_reset_flags(struct bat_priv *bat_priv, uint16_t flags) rcu_read_lock(); hlist_for_each_entry_rcu(tt_local_entry, node, head, hash_entry) { + if (!(tt_local_entry->flags & flags)) + continue; tt_local_entry->flags &= ~flags; atomic_inc(&bat_priv->num_local_tt); } -- cgit v1.2.3 From 02460fcf18a10059eb52a223cc62d7d9b43ac3c0 Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Mon, 17 Oct 2011 14:25:13 +0200 Subject: batman-adv: correctly set the data field in the TT_REPONSE packet commit 9d8523931f7f5eb8900077f0da0fbe6b8ad0010b upstream. In the TT_RESPONSE packet, the number of carried entries is not correctly set. This leads to a wrong interpretation of the packet payload on the receiver side causing random entries to be added to the global translation table. Therefore the latter gets always corrupted, triggering a table recovery all the time. Signed-off-by: Antonio Quartulli 
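Review bot: The added test `if (!(tt_local_entry->flags & flags))` and the clear on the next line are a plain read-modify-write of `flags`, performed with only `rcu_read_lock()` held in the visible lines. That protects the list walk but not against another writer touching the same entry, so if any other path updates `tt_local_entry->flags` concurrently an update can be lost and `num_local_tt` can drift again. The commit message ties that counter to the response packets that leaked uninitialised memory, so please confirm which lock the callers hold. A comment on the check would also help, e.g. `/* count an entry only when it still carries the flag being cleared */`. The function starts and ends outside the hunk.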
Signed-off-by: Marek Lindner Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/translation-table.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'net/batman-adv/translation-table.c') diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index f599db9dbec..ef1acfd7653 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -999,7 +999,6 @@ static struct sk_buff *tt_response_fill_table(uint16_t tt_len, uint8_t ttvn, tt_response = (struct tt_query_packet *)skb_put(skb, tt_query_size + tt_len); tt_response->ttvn = ttvn; - tt_response->tt_data = htons(tt_tot); tt_change = (struct tt_change *)(skb->data + tt_query_size); tt_count = 0; @@ -1025,6 +1024,10 @@ static struct sk_buff *tt_response_fill_table(uint16_t tt_len, uint8_t ttvn, } rcu_read_unlock(); + /* store in the message the number of entries we have successfully + * copied */ + tt_response->tt_data = htons(tt_count); + out: return skb; } -- cgit v1.2.3 From 7766f4ed0b29204dc9248dea3bc547a8c93d18cb Mon Sep 17 00:00:00 2001 From: Simon Wunderlich Date: Wed, 19 Oct 2011 11:02:25 +0200 Subject: batman-adv: remove references for global tt entries commit 531027fcddbcf81c9937dd04f08a7e8f11fd47d2 upstream. struct tt_global_entry holds a reference to an orig_node which must be decremented before deallocating the structure. Signed-off-by: Simon Wunderlich Tested-by: Alexey Fisher Signed-off-by: Marek Lindner Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/translation-table.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'net/batman-adv/translation-table.c') diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index ef1acfd7653..ca537ed2dd0 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c 
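Review bot: Setting `tt_data` to `tt_count` fixes the entry count, but the skb keeps the full `tt_query_size + tt_len` bytes reserved by `skb_put()` in the first hunk, so when fewer entries are copied than were requested the tail of the payload is transmitted without having been written. Unless the buffer is zeroed at allocation (not visible here), that tail can still carry stale kernel memory onto the mesh even though the receiver no longer parses it. Consider trimming to what was filled, just before the `out:` label, e.g. `skb_trim(skb, tt_query_size + tt_count * sizeof(struct tt_change));`, or zeroing the payload right after `skb_put()`. The function starts and ends outside both hunks.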
@@ -137,10 +137,22 @@ static void tt_local_entry_free_ref(struct tt_local_entry *tt_local_entry) kfree_rcu(tt_local_entry, rcu); } +static void tt_global_entry_free_rcu(struct rcu_head *rcu) +{ + struct tt_global_entry *tt_global_entry; + + tt_global_entry = container_of(rcu, struct tt_global_entry, rcu); + + if (tt_global_entry->orig_node) + orig_node_free_ref(tt_global_entry->orig_node); + + kfree(tt_global_entry); +} + static void tt_global_entry_free_ref(struct tt_global_entry *tt_global_entry) { if (atomic_dec_and_test(&tt_global_entry->refcount)) - kfree_rcu(tt_global_entry, rcu); + call_rcu(&tt_global_entry->rcu, tt_global_entry_free_rcu); } static void tt_local_event(struct bat_priv *bat_priv, const uint8_t *addr, -- cgit v1.2.3 From 9bab392e4a2120bba4f6fbe8676a5baf16756926 Mon Sep 17 00:00:00 2001 From: Simon Wunderlich Date: Wed, 19 Oct 2011 10:28:26 +0200 Subject: batman-adv: add sanity check when removing global tts commit 6e8014947d6469df1566e9e253805557c5c0e4e0 upstream. After removing the batman-adv module, the hash may be already gone when tt_global_del_orig() tries to clean the hash. This patch adds a sanity check to avoid this. Signed-off-by: Simon Wunderlich Tested-by: Alexey Fisher Signed-off-by: Marek Lindner Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/translation-table.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'net/batman-adv/translation-table.c') diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index ca537ed2dd0..d58fd8b9c81 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -698,6 +698,9 @@ void tt_global_del_orig(struct bat_priv *bat_priv, struct hlist_head *head; spinlock_t *list_lock; /* protects write access to the hash lists */ + if (!hash) + return; + for (i = 0; i < hash->size; i++) { head = &hash->table[i]; list_lock = &hash->list_locks[i]; -- cgit v1.2.3
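Review bot: Replacing `kfree_rcu()` with `call_rcu()` and the module-local callback `tt_global_entry_free_rcu()` means callback code can still be queued when the module is unloaded. The exit path therefore needs an `rcu_barrier()` after the last entry is released; that is not visible in this hunk, so please confirm it is there. The callback also invokes `orig_node_free_ref()` from RCU callback context, so that helper has to be safe to run there. A short comment above the new function would record the intent, e.g. `/* RCU callback: drop the orig_node reference held by the entry, then free it */`.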
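Review bot: The added `if (!hash) return;` tests a pointer that is read before the hunk, with no lock visible here, so it only covers the case where teardown has already finished and cleared the pointer. If the table can be freed while this loop is running, or is freed without the pointer being reset to NULL, the loop still dereferences freed memory through `hash->size` and `hash->table[i]`. The teardown code is outside this hunk, so please confirm that it clears the pointer and cannot run concurrently with `tt_global_del_orig()`. A comment on the check would record why it is needed, e.g. `/* hash is NULL once the global table has been freed during shutdown */`. The function starts and ends outside the hunk.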