2017-11-19 15:05:11 +01:00
// SPDX-License-Identifier: GPL-2.0
2021-01-01 00:00:01 +01:00
/* Copyright (C) B.A.T.M.A.N. contributors:
2010-12-13 11:19:28 +00:00
*
* Marek Lindner , Simon Wunderlich
*/
2015-04-17 19:40:28 +02:00
# include "send.h"
2010-12-13 11:19:28 +00:00
# include "main.h"
2015-04-17 19:40:28 +02:00
# include <linux/atomic.h>
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
# include <linux/bug.h>
2015-04-17 19:40:28 +02:00
# include <linux/byteorder/generic.h>
2016-05-18 11:38:48 +02:00
# include <linux/errno.h>
2015-04-17 19:40:28 +02:00
# include <linux/etherdevice.h>
2017-11-19 17:12:02 +01:00
# include <linux/gfp.h>
2015-04-17 19:40:28 +02:00
# include <linux/if.h>
2016-05-15 11:07:42 +02:00
# include <linux/if_ether.h>
2015-04-17 19:40:28 +02:00
# include <linux/jiffies.h>
# include <linux/kernel.h>
2016-03-05 16:09:16 +01:00
# include <linux/kref.h>
2015-04-17 19:40:28 +02:00
# include <linux/list.h>
# include <linux/netdevice.h>
# include <linux/printk.h>
# include <linux/rculist.h>
# include <linux/rcupdate.h>
# include <linux/skbuff.h>
# include <linux/slab.h>
# include <linux/spinlock.h>
# include <linux/stddef.h>
# include <linux/workqueue.h>
2011-06-26 03:37:18 +02:00
# include "distributed-arp-table.h"
2015-04-17 19:40:28 +02:00
# include "fragmentation.h"
2013-05-23 16:53:01 +02:00
# include "gateway_client.h"
2015-04-17 19:40:28 +02:00
# include "hard-interface.h"
2016-05-15 23:48:31 +02:00
# include "log.h"
2013-01-25 11:12:42 +01:00
# include "network-coding.h"
2015-04-17 19:40:28 +02:00
# include "originator.h"
# include "routing.h"
# include "soft-interface.h"
# include "translation-table.h"
2012-11-26 00:38:50 +01:00
2012-05-16 20:23:14 +02:00
static void batadv_send_outstanding_bcast_packet ( struct work_struct * work ) ;
2010-12-13 11:19:28 +00:00
2016-01-16 16:40:15 +08:00
/**
2017-12-02 19:51:47 +01:00
* batadv_send_skb_packet ( ) - send an already prepared packet
2016-01-16 16:40:15 +08:00
* @ skb : the packet to send
* @ hard_iface : the interface to use to send the broadcast packet
* @ dst_addr : the payload destination
*
* Send out an already prepared packet to the given neighbor or broadcast it
* using the specified interface . Either hard_iface or neigh_node must be not
* NULL .
* If neigh_node is NULL , then the packet is broadcasted using hard_iface ,
* otherwise it is sent as unicast to the given neighbor .
*
2016-07-17 21:04:05 +02:00
* Regardless of the return value , the skb is consumed .
*
* Return : A negative errno code is returned on a failure . A success does not
* guarantee the frame will be transmitted as it may be dropped due
* to congestion or traffic shaping .
2012-05-12 02:09:43 +02:00
*/
2012-06-05 22:31:31 +02:00
int batadv_send_skb_packet ( struct sk_buff * skb ,
struct batadv_hard_iface * hard_iface ,
2015-05-26 18:34:26 +02:00
const u8 * dst_addr )
2010-12-13 11:19:28 +00:00
{
2016-01-16 16:40:15 +08:00
struct batadv_priv * bat_priv ;
2010-12-13 11:19:28 +00:00
struct ethhdr * ethhdr ;
2017-01-28 10:12:39 +01:00
int ret ;
2010-12-13 11:19:28 +00:00
2016-01-16 16:40:15 +08:00
bat_priv = netdev_priv ( hard_iface - > soft_iface ) ;
2012-06-03 22:19:19 +02:00
if ( hard_iface - > if_status ! = BATADV_IF_ACTIVE )
2010-12-13 11:19:28 +00:00
goto send_skb_err ;
2011-02-18 12:33:20 +00:00
if ( unlikely ( ! hard_iface - > net_dev ) )
2010-12-13 11:19:28 +00:00
goto send_skb_err ;
2011-02-18 12:33:20 +00:00
if ( ! ( hard_iface - > net_dev - > flags & IFF_UP ) ) {
2012-03-26 16:22:45 +02:00
pr_warn ( " Interface %s is not up - can't send packet via that interface! \n " ,
hard_iface - > net_dev - > name ) ;
2010-12-13 11:19:28 +00:00
goto send_skb_err ;
}
/* push to the ethernet header. */
2012-05-12 02:09:38 +02:00
if ( batadv_skb_head_push ( skb , ETH_HLEN ) < 0 )
2010-12-13 11:19:28 +00:00
goto send_skb_err ;
skb_reset_mac_header ( skb ) ;
2013-04-08 15:08:18 +02:00
ethhdr = eth_hdr ( skb ) ;
2014-01-22 00:42:11 +01:00
ether_addr_copy ( ethhdr - > h_source , hard_iface - > net_dev - > dev_addr ) ;
ether_addr_copy ( ethhdr - > h_dest , dst_addr ) ;
2013-05-19 12:55:16 +02:00
ethhdr - > h_proto = htons ( ETH_P_BATMAN ) ;
2010-12-13 11:19:28 +00:00
skb_set_network_header ( skb , ETH_HLEN ) ;
2013-05-19 12:55:16 +02:00
skb - > protocol = htons ( ETH_P_BATMAN ) ;
2010-12-13 11:19:28 +00:00
2011-02-18 12:33:20 +00:00
skb - > dev = hard_iface - > net_dev ;
2010-12-13 11:19:28 +00:00
2013-01-25 11:12:42 +01:00
/* Save a clone of the skb to use when decoding coded packets */
batadv_nc_skb_store_for_decoding ( bat_priv , skb ) ;
2010-12-13 11:19:28 +00:00
/* dev_queue_xmit() returns a negative result on error. However on
* congestion and traffic shaping , it drops and returns NET_XMIT_DROP
2012-05-12 02:09:43 +02:00
* ( which is > 0 ) . This will not be treated as an error .
*/
2017-01-28 10:12:39 +01:00
ret = dev_queue_xmit ( skb ) ;
return net_xmit_eval ( ret ) ;
2010-12-13 11:19:28 +00:00
send_skb_err :
kfree_skb ( skb ) ;
return NET_XMIT_DROP ;
}
2017-12-02 19:51:53 +01:00
/**
* batadv_send_broadcast_skb ( ) - Send broadcast packet via hard interface
* @ skb : packet to be transmitted ( with batadv header and no outer eth header )
* @ hard_iface : outgoing interface
*
* Return : A negative errno code is returned on a failure . A success does not
* guarantee the frame will be transmitted as it may be dropped due
* to congestion or traffic shaping .
*/
2016-01-16 16:40:15 +08:00
int batadv_send_broadcast_skb ( struct sk_buff * skb ,
struct batadv_hard_iface * hard_iface )
{
return batadv_send_skb_packet ( skb , hard_iface , batadv_broadcast_addr ) ;
}
2017-12-02 19:51:53 +01:00
/**
* batadv_send_unicast_skb ( ) - Send unicast packet to neighbor
* @ skb : packet to be transmitted ( with batadv header and no outer eth header )
* @ neigh : neighbor which is used as next hop to destination
*
* Return : A negative errno code is returned on a failure . A success does not
* guarantee the frame will be transmitted as it may be dropped due
* to congestion or traffic shaping .
*/
2016-01-16 16:40:15 +08:00
int batadv_send_unicast_skb ( struct sk_buff * skb ,
struct batadv_neigh_node * neigh )
{
# ifdef CONFIG_BATMAN_ADV_BATMAN_V
struct batadv_hardif_neigh_node * hardif_neigh ;
# endif
int ret ;
ret = batadv_send_skb_packet ( skb , neigh - > if_incoming , neigh - > addr ) ;
# ifdef CONFIG_BATMAN_ADV_BATMAN_V
hardif_neigh = batadv_hardif_neigh_get ( neigh - > if_incoming , neigh - > addr ) ;
2017-08-23 21:52:13 +02:00
if ( hardif_neigh & & ret ! = NET_XMIT_DROP )
2016-01-16 16:40:15 +08:00
hardif_neigh - > bat_v . last_unicast_tx = jiffies ;
2021-08-08 19:11:08 +02:00
batadv_hardif_neigh_put ( hardif_neigh ) ;
2016-01-16 16:40:15 +08:00
# endif
return ret ;
}
2012-10-16 16:13:48 +02:00
/**
2017-12-02 19:51:47 +01:00
* batadv_send_skb_to_orig ( ) - Lookup next - hop and transmit skb .
2012-10-16 16:13:48 +02:00
* @ skb : Packet to be transmitted .
* @ orig_node : Final destination of the packet .
* @ recv_if : Interface used when receiving the packet ( can be NULL ) .
*
* Looks up the best next - hop towards the passed originator and passes the
* skb on for preparation of MAC header . If the packet originated from this
* host , NULL can be passed as recv_if and no interface alternating is
* attempted .
*
2016-07-17 21:04:03 +02:00
* Return : negative errno code on a failure , - EINPROGRESS if the skb is
* buffered for later transmit or the NET_XMIT status returned by the
2016-05-18 11:38:48 +02:00
* lower routine if the packet has been passed down .
2012-10-16 16:13:48 +02:00
*/
2013-04-20 13:54:39 +02:00
int batadv_send_skb_to_orig ( struct sk_buff * skb ,
struct batadv_orig_node * orig_node ,
struct batadv_hard_iface * recv_if )
2012-10-16 16:13:48 +02:00
{
struct batadv_priv * bat_priv = orig_node - > bat_priv ;
struct batadv_neigh_node * neigh_node ;
2016-07-17 21:04:03 +02:00
int ret ;
2012-10-16 16:13:48 +02:00
/* batadv_find_router() increases neigh_nodes refcount if found. */
neigh_node = batadv_find_router ( bat_priv , orig_node , recv_if ) ;
2016-07-17 21:04:03 +02:00
if ( ! neigh_node ) {
ret = - EINVAL ;
goto free_skb ;
}
2013-05-23 16:53:03 +02:00
/* Check if the skb is too large to send in one piece and fragment
* it if needed .
*/
if ( atomic_read ( & bat_priv - > fragmentation ) & &
skb - > len > neigh_node - > if_incoming - > net_dev - > mtu ) {
/* Fragment and send packet. */
2016-05-18 11:38:48 +02:00
ret = batadv_frag_send_packet ( skb , orig_node , neigh_node ) ;
2016-07-17 21:04:03 +02:00
/* skb was consumed */
skb = NULL ;
2013-05-23 16:53:03 +02:00
2016-07-17 21:04:03 +02:00
goto put_neigh_node ;
2013-05-23 16:53:03 +02:00
}
2012-10-16 16:13:48 +02:00
2013-04-20 13:54:39 +02:00
/* try to network code the packet, if it is received on an interface
* ( i . e . being forwarded ) . If the packet originates from this node or if
* network coding fails , then send the packet as usual .
*/
2016-05-18 11:38:48 +02:00
if ( recv_if & & batadv_nc_skb_forward ( skb , neigh_node ) )
2016-06-11 12:46:04 +02:00
ret = - EINPROGRESS ;
2016-05-18 11:38:48 +02:00
else
ret = batadv_send_unicast_skb ( skb , neigh_node ) ;
2012-10-16 16:13:48 +02:00
2016-07-17 21:04:03 +02:00
/* skb was consumed */
skb = NULL ;
put_neigh_node :
batadv_neigh_node_put ( neigh_node ) ;
free_skb :
kfree_skb ( skb ) ;
2012-10-16 16:13:48 +02:00
2013-04-20 13:54:39 +02:00
return ret ;
2012-10-16 16:13:48 +02:00
}
2013-05-23 16:53:01 +02:00
/**
2017-12-02 19:51:47 +01:00
* batadv_send_skb_push_fill_unicast ( ) - extend the buffer and initialize the
2013-05-23 16:53:01 +02:00
* common fields for unicast packets
* @ skb : the skb carrying the unicast header to initialize
* @ hdr_size : amount of bytes to push at the beginning of the skb
* @ orig_node : the destination node
*
2015-09-15 19:00:48 +02:00
* Return : false if the buffer extension was not possible or true otherwise .
2013-05-23 16:53:01 +02:00
*/
static bool
batadv_send_skb_push_fill_unicast ( struct sk_buff * skb , int hdr_size ,
struct batadv_orig_node * orig_node )
{
struct batadv_unicast_packet * unicast_packet ;
2015-05-26 18:34:26 +02:00
u8 ttvn = ( u8 ) atomic_read ( & orig_node - > last_ttvn ) ;
2013-05-23 16:53:01 +02:00
if ( batadv_skb_head_push ( skb , hdr_size ) < 0 )
return false ;
unicast_packet = ( struct batadv_unicast_packet * ) skb - > data ;
2013-12-02 20:38:31 +01:00
unicast_packet - > version = BATADV_COMPAT_VERSION ;
2013-05-23 16:53:01 +02:00
/* batman packet type: unicast */
2013-12-02 20:38:31 +01:00
unicast_packet - > packet_type = BATADV_UNICAST ;
2013-05-23 16:53:01 +02:00
/* set unicast ttl */
2013-12-02 20:38:31 +01:00
unicast_packet - > ttl = BATADV_TTL ;
2013-05-23 16:53:01 +02:00
/* copy the destination for faster routing */
2014-01-22 00:42:11 +01:00
ether_addr_copy ( unicast_packet - > dest , orig_node - > orig ) ;
2013-05-23 16:53:01 +02:00
/* set the destination tt version number */
unicast_packet - > ttvn = ttvn ;
return true ;
}
/**
2017-12-02 19:51:47 +01:00
* batadv_send_skb_prepare_unicast ( ) - encapsulate an skb with a unicast header
2013-05-23 16:53:01 +02:00
* @ skb : the skb containing the payload to encapsulate
* @ orig_node : the destination node
*
2015-09-15 19:00:48 +02:00
* Return : false if the payload could not be encapsulated or true otherwise .
2013-05-23 16:53:01 +02:00
*/
static bool batadv_send_skb_prepare_unicast ( struct sk_buff * skb ,
struct batadv_orig_node * orig_node )
{
size_t uni_size = sizeof ( struct batadv_unicast_packet ) ;
return batadv_send_skb_push_fill_unicast ( skb , uni_size , orig_node ) ;
}
/**
2017-12-02 19:51:47 +01:00
* batadv_send_skb_prepare_unicast_4addr ( ) - encapsulate an skb with a
2013-05-23 16:53:01 +02:00
* unicast 4 addr header
* @ bat_priv : the bat priv with all the soft interface information
* @ skb : the skb containing the payload to encapsulate
2015-09-06 21:38:51 +02:00
* @ orig : the destination node
2013-05-23 16:53:01 +02:00
* @ packet_subtype : the unicast 4 addr packet subtype to use
*
2015-09-15 19:00:48 +02:00
* Return : false if the payload could not be encapsulated or true otherwise .
2013-05-23 16:53:01 +02:00
*/
bool batadv_send_skb_prepare_unicast_4addr ( struct batadv_priv * bat_priv ,
struct sk_buff * skb ,
struct batadv_orig_node * orig ,
int packet_subtype )
{
struct batadv_hard_iface * primary_if ;
struct batadv_unicast_4addr_packet * uc_4addr_packet ;
bool ret = false ;
primary_if = batadv_primary_if_get_selected ( bat_priv ) ;
if ( ! primary_if )
goto out ;
/* Pull the header space and fill the unicast_packet substructure.
* We can do that because the first member of the uc_4addr_packet
* is of type struct unicast_packet
*/
if ( ! batadv_send_skb_push_fill_unicast ( skb , sizeof ( * uc_4addr_packet ) ,
orig ) )
goto out ;
uc_4addr_packet = ( struct batadv_unicast_4addr_packet * ) skb - > data ;
2013-12-02 20:38:31 +01:00
uc_4addr_packet - > u . packet_type = BATADV_UNICAST_4ADDR ;
2014-01-22 00:42:11 +01:00
ether_addr_copy ( uc_4addr_packet - > src , primary_if - > net_dev - > dev_addr ) ;
2013-05-23 16:53:01 +02:00
uc_4addr_packet - > subtype = packet_subtype ;
uc_4addr_packet - > reserved = 0 ;
ret = true ;
out :
2021-08-08 19:11:08 +02:00
batadv_hardif_put ( primary_if ) ;
2013-05-23 16:53:01 +02:00
return ret ;
}
/**
2017-12-02 19:51:47 +01:00
* batadv_send_skb_unicast ( ) - encapsulate and send an skb via unicast
2013-05-23 16:53:01 +02:00
* @ bat_priv : the bat priv with all the soft interface information
* @ skb : payload to send
* @ packet_type : the batman unicast packet type to use
* @ packet_subtype : the unicast 4 addr packet subtype ( only relevant for unicast
* 4 addr packets )
2013-07-03 10:40:00 +02:00
* @ orig_node : the originator to send the packet to
2013-06-04 12:11:39 +02:00
* @ vid : the vid to be used to search the translation table
2013-05-23 16:53:01 +02:00
*
2013-07-03 10:40:00 +02:00
* Wrap the given skb into a batman - adv unicast or unicast - 4 addr header
* depending on whether BATADV_UNICAST or BATADV_UNICAST_4ADDR was supplied
2016-06-27 08:15:42 +02:00
* as packet_type . Then send this frame to the given orig_node .
2013-07-03 10:40:00 +02:00
*
2015-09-15 19:00:48 +02:00
* Return : NET_XMIT_DROP in case of error or NET_XMIT_SUCCESS otherwise .
2013-05-23 16:53:01 +02:00
*/
2014-02-15 17:47:52 +01:00
int batadv_send_skb_unicast ( struct batadv_priv * bat_priv ,
struct sk_buff * skb , int packet_type ,
int packet_subtype ,
struct batadv_orig_node * orig_node ,
unsigned short vid )
2013-05-23 16:53:01 +02:00
{
struct batadv_unicast_packet * unicast_packet ;
2015-05-11 20:34:52 +02:00
struct ethhdr * ethhdr ;
2016-07-17 21:04:03 +02:00
int ret = NET_XMIT_DROP ;
2013-05-23 16:53:01 +02:00
2013-05-28 11:49:47 +02:00
if ( ! orig_node )
2013-05-23 16:53:01 +02:00
goto out ;
switch ( packet_type ) {
case BATADV_UNICAST :
2013-10-19 14:06:05 +02:00
if ( ! batadv_send_skb_prepare_unicast ( skb , orig_node ) )
goto out ;
2013-05-23 16:53:01 +02:00
break ;
case BATADV_UNICAST_4ADDR :
2013-10-19 14:06:05 +02:00
if ( ! batadv_send_skb_prepare_unicast_4addr ( bat_priv , skb ,
orig_node ,
packet_subtype ) )
goto out ;
2013-05-23 16:53:01 +02:00
break ;
default :
/* this function supports UNICAST and UNICAST_4ADDR only. It
* should never be invoked with any other packet type
*/
goto out ;
}
2014-01-19 22:22:45 +01:00
/* skb->data might have been reallocated by
* batadv_send_skb_prepare_unicast { , _4addr } ( )
*/
ethhdr = eth_hdr ( skb ) ;
2013-05-23 16:53:01 +02:00
unicast_packet = ( struct batadv_unicast_packet * ) skb - > data ;
/* inform the destination node that we are still missing a correct route
* for this client . The destination will receive this packet and will
* try to reroute it because the ttvn contained in the header is less
* than the current one
*/
2013-06-04 12:11:39 +02:00
if ( batadv_tt_global_client_is_roaming ( bat_priv , ethhdr - > h_dest , vid ) )
2013-05-23 16:53:01 +02:00
unicast_packet - > ttvn = unicast_packet - > ttvn - 1 ;
2016-07-17 21:04:03 +02:00
ret = batadv_send_skb_to_orig ( skb , orig_node , NULL ) ;
/* skb was consumed */
skb = NULL ;
2013-05-23 16:53:01 +02:00
out :
2016-07-17 21:04:03 +02:00
kfree_skb ( skb ) ;
2013-05-23 16:53:01 +02:00
return ret ;
}
2013-07-03 10:40:00 +02:00
/**
2017-12-02 19:51:47 +01:00
* batadv_send_skb_via_tt_generic ( ) - send an skb via TT lookup
2013-07-03 10:40:00 +02:00
* @ bat_priv : the bat priv with all the soft interface information
* @ skb : payload to send
* @ packet_type : the batman unicast packet type to use
* @ packet_subtype : the unicast 4 addr packet subtype ( only relevant for unicast
* 4 addr packets )
2014-02-15 11:58:01 +01:00
* @ dst_hint : can be used to override the destination contained in the skb
2013-07-03 10:40:00 +02:00
* @ vid : the vid to be used to search the translation table
*
* Look up the recipient node for the destination address in the ethernet
* header via the translation table . Wrap the given skb into a batman - adv
* unicast or unicast - 4 addr header depending on whether BATADV_UNICAST or
* BATADV_UNICAST_4ADDR was supplied as packet_type . Then send this frame
* to the according destination node .
*
2015-09-15 19:00:48 +02:00
* Return : NET_XMIT_DROP in case of error or NET_XMIT_SUCCESS otherwise .
2013-07-03 10:40:00 +02:00
*/
int batadv_send_skb_via_tt_generic ( struct batadv_priv * bat_priv ,
struct sk_buff * skb , int packet_type ,
2015-05-26 18:34:26 +02:00
int packet_subtype , u8 * dst_hint ,
2013-11-05 19:31:08 +01:00
unsigned short vid )
2013-07-03 10:40:00 +02:00
{
struct ethhdr * ethhdr = ( struct ethhdr * ) skb - > data ;
struct batadv_orig_node * orig_node ;
2015-05-26 18:34:26 +02:00
u8 * src , * dst ;
2016-06-27 08:15:42 +02:00
int ret ;
2013-11-05 19:31:08 +01:00
src = ethhdr - > h_source ;
dst = ethhdr - > h_dest ;
/* if we got an hint! let's send the packet to this client (if any) */
if ( dst_hint ) {
src = NULL ;
dst = dst_hint ;
}
orig_node = batadv_transtable_search ( bat_priv , src , dst , vid ) ;
2013-07-03 10:40:00 +02:00
2016-06-27 08:15:42 +02:00
ret = batadv_send_skb_unicast ( bat_priv , skb , packet_type ,
packet_subtype , orig_node , vid ) ;
2021-08-08 19:11:08 +02:00
batadv_orig_node_put ( orig_node ) ;
2016-06-27 08:15:42 +02:00
return ret ;
2013-07-03 10:40:00 +02:00
}
/**
2017-12-02 19:51:47 +01:00
* batadv_send_skb_via_gw ( ) - send an skb via gateway lookup
2013-07-03 10:40:00 +02:00
* @ bat_priv : the bat priv with all the soft interface information
* @ skb : payload to send
* @ vid : the vid to be used to search the translation table
*
* Look up the currently selected gateway . Wrap the given skb into a batman - adv
* unicast header and send this frame to this gateway node .
*
2015-09-15 19:00:48 +02:00
* Return : NET_XMIT_DROP in case of error or NET_XMIT_SUCCESS otherwise .
2013-07-03 10:40:00 +02:00
*/
int batadv_send_skb_via_gw ( struct batadv_priv * bat_priv , struct sk_buff * skb ,
unsigned short vid )
{
struct batadv_orig_node * orig_node ;
2016-06-27 08:15:42 +02:00
int ret ;
2013-07-03 10:40:00 +02:00
orig_node = batadv_gw_get_selected_orig ( bat_priv ) ;
2016-06-27 08:15:42 +02:00
ret = batadv_send_skb_unicast ( bat_priv , skb , BATADV_UNICAST_4ADDR ,
BATADV_P_DATA , orig_node , vid ) ;
2021-08-08 19:11:08 +02:00
batadv_orig_node_put ( orig_node ) ;
2016-06-27 08:15:42 +02:00
return ret ;
2013-07-03 10:40:00 +02:00
}
2016-06-20 21:39:54 +02:00
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_free ( ) - free a forwarding packet
2016-06-20 21:39:54 +02:00
* @ forw_packet : The packet to free
2020-07-31 20:33:00 +02:00
* @ dropped : whether the packet is freed because is dropped
2016-06-20 21:39:54 +02:00
*
* This frees a forwarding packet and releases any resources it might
* have claimed .
*/
2016-07-17 21:04:00 +02:00
void batadv_forw_packet_free ( struct batadv_forw_packet * forw_packet ,
bool dropped )
2010-12-13 11:19:28 +00:00
{
2016-07-17 21:04:00 +02:00
if ( dropped )
kfree_skb ( forw_packet - > skb ) ;
else
consume_skb ( forw_packet - > skb ) ;
2021-08-08 19:11:08 +02:00
batadv_hardif_put ( forw_packet - > if_incoming ) ;
batadv_hardif_put ( forw_packet - > if_outgoing ) ;
2016-06-20 21:39:54 +02:00
if ( forw_packet - > queue_left )
atomic_inc ( forw_packet - > queue_left ) ;
2010-12-13 11:19:28 +00:00
kfree ( forw_packet ) ;
}
2016-06-20 21:39:54 +02:00
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_alloc ( ) - allocate a forwarding packet
2016-06-20 21:39:54 +02:00
* @ if_incoming : The ( optional ) if_incoming to be grabbed
* @ if_outgoing : The ( optional ) if_outgoing to be grabbed
* @ queue_left : The ( optional ) queue counter to decrease
* @ bat_priv : The bat_priv for the mesh of this forw_packet
2017-02-17 11:17:06 +01:00
* @ skb : The raw packet this forwarding packet shall contain
2016-06-20 21:39:54 +02:00
*
* Allocates a forwarding packet and tries to get a reference to the
* ( optional ) if_incoming , if_outgoing and queue_left . If queue_left
* is NULL then bat_priv is optional , too .
*
* Return : An allocated forwarding packet on success , NULL otherwise .
*/
struct batadv_forw_packet *
batadv_forw_packet_alloc ( struct batadv_hard_iface * if_incoming ,
struct batadv_hard_iface * if_outgoing ,
atomic_t * queue_left ,
2017-02-17 11:17:06 +01:00
struct batadv_priv * bat_priv ,
struct sk_buff * skb )
2016-06-20 21:39:54 +02:00
{
struct batadv_forw_packet * forw_packet ;
const char * qname ;
if ( queue_left & & ! batadv_atomic_dec_not_zero ( queue_left ) ) {
qname = " unknown " ;
if ( queue_left = = & bat_priv - > bcast_queue_left )
qname = " bcast " ;
if ( queue_left = = & bat_priv - > batman_queue_left )
qname = " batman " ;
batadv_dbg ( BATADV_DBG_BATMAN , bat_priv ,
" %s queue is full \n " , qname ) ;
return NULL ;
}
forw_packet = kmalloc ( sizeof ( * forw_packet ) , GFP_ATOMIC ) ;
if ( ! forw_packet )
goto err ;
if ( if_incoming )
kref_get ( & if_incoming - > refcount ) ;
if ( if_outgoing )
kref_get ( & if_outgoing - > refcount ) ;
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
INIT_HLIST_NODE ( & forw_packet - > list ) ;
INIT_HLIST_NODE ( & forw_packet - > cleanup_list ) ;
2017-02-17 11:17:06 +01:00
forw_packet - > skb = skb ;
2016-06-20 21:39:54 +02:00
forw_packet - > queue_left = queue_left ;
forw_packet - > if_incoming = if_incoming ;
forw_packet - > if_outgoing = if_outgoing ;
forw_packet - > num_packets = 0 ;
return forw_packet ;
err :
if ( queue_left )
atomic_inc ( queue_left ) ;
return NULL ;
}
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_was_stolen ( ) - check whether someone stole this packet
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
* @ forw_packet : the forwarding packet to check
*
* This function checks whether the given forwarding packet was claimed by
* someone else for free ( ) .
*
* Return : True if someone stole it , false otherwise .
*/
static bool
batadv_forw_packet_was_stolen ( struct batadv_forw_packet * forw_packet )
{
return ! hlist_unhashed ( & forw_packet - > cleanup_list ) ;
}
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_steal ( ) - claim a forw_packet for free ( )
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
* @ forw_packet : the forwarding packet to steal
* @ lock : a key to the store to steal from ( e . g . forw_ { bat , bcast } _list_lock )
*
* This function tries to steal a specific forw_packet from global
* visibility for the purpose of getting it for free ( ) . That means
* the caller is * not * allowed to requeue it afterwards .
*
* Return : True if stealing was successful . False if someone else stole it
* before us .
*/
bool batadv_forw_packet_steal ( struct batadv_forw_packet * forw_packet ,
spinlock_t * lock )
{
/* did purging routine steal it earlier? */
spin_lock_bh ( lock ) ;
if ( batadv_forw_packet_was_stolen ( forw_packet ) ) {
spin_unlock_bh ( lock ) ;
return false ;
}
hlist_del_init ( & forw_packet - > list ) ;
/* Just to spot misuse of this function */
hlist_add_fake ( & forw_packet - > cleanup_list ) ;
spin_unlock_bh ( lock ) ;
return true ;
}
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_list_steal ( ) - claim a list of forward packets for free ( )
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
* @ forw_list : the to be stolen forward packets
* @ cleanup_list : a backup pointer , to be able to dispose the packet later
* @ hard_iface : the interface to steal forward packets from
*
* This function claims responsibility to free any forw_packet queued on the
* given hard_iface . If hard_iface is NULL forwarding packets on all hard
* interfaces will be claimed .
*
2020-06-01 20:13:21 +02:00
* The packets are being moved from the forw_list to the cleanup_list . This
* makes it possible for already running threads to notice the claim .
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
*/
2012-06-05 22:31:31 +02:00
static void
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
batadv_forw_packet_list_steal ( struct hlist_head * forw_list ,
struct hlist_head * cleanup_list ,
const struct batadv_hard_iface * hard_iface )
2010-12-13 11:19:28 +00:00
{
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
struct batadv_forw_packet * forw_packet ;
struct hlist_node * safe_tmp_node ;
hlist_for_each_entry_safe ( forw_packet , safe_tmp_node ,
forw_list , list ) {
/* if purge_outstanding_packets() was called with an argument
* we delete only packets belonging to the given interface
*/
if ( hard_iface & &
2017-08-23 21:52:13 +02:00
forw_packet - > if_incoming ! = hard_iface & &
forw_packet - > if_outgoing ! = hard_iface )
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
continue ;
hlist_del ( & forw_packet - > list ) ;
hlist_add_head ( & forw_packet - > cleanup_list , cleanup_list ) ;
}
}
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_list_free ( ) - free a list of forward packets
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
* @ head : a list of to be freed forw_packets
*
* This function cancels the scheduling of any packet in the provided list ,
* waits for any possibly running packet forwarding thread to finish and
* finally , safely frees this forward packet .
*
* This function might sleep .
*/
static void batadv_forw_packet_list_free ( struct hlist_head * head )
{
struct batadv_forw_packet * forw_packet ;
struct hlist_node * safe_tmp_node ;
hlist_for_each_entry_safe ( forw_packet , safe_tmp_node , head ,
cleanup_list ) {
cancel_delayed_work_sync ( & forw_packet - > delayed_work ) ;
2010-12-13 11:19:28 +00:00
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
hlist_del ( & forw_packet - > cleanup_list ) ;
batadv_forw_packet_free ( forw_packet , true ) ;
}
}
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_queue ( ) - try to queue a forwarding packet
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
* @ forw_packet : the forwarding packet to queue
* @ lock : a key to the store ( e . g . forw_ { bat , bcast } _list_lock )
* @ head : the shelve to queue it on ( e . g . forw_ { bat , bcast } _list )
* @ send_time : timestamp ( jiffies ) when the packet is to be sent
*
* This function tries to ( re ) queue a forwarding packet . Requeuing
* is prevented if the according interface is shutting down
* ( e . g . if batadv_forw_packet_list_steal ( ) was called for this
* packet earlier ) .
*
* Calling batadv_forw_packet_queue ( ) after a call to
* batadv_forw_packet_steal ( ) is forbidden !
*
* Caller needs to ensure that forw_packet - > delayed_work was initialized .
*/
static void batadv_forw_packet_queue ( struct batadv_forw_packet * forw_packet ,
spinlock_t * lock , struct hlist_head * head ,
unsigned long send_time )
{
spin_lock_bh ( lock ) ;
/* did purging routine steal it from us? */
if ( batadv_forw_packet_was_stolen ( forw_packet ) ) {
/* If you got it for free() without trouble, then
* don ' t get back into the queue after stealing . . .
*/
WARN_ONCE ( hlist_fake ( & forw_packet - > cleanup_list ) ,
" Requeuing after batadv_forw_packet_steal() not allowed! \n " ) ;
spin_unlock_bh ( lock ) ;
return ;
}
hlist_del_init ( & forw_packet - > list ) ;
hlist_add_head ( & forw_packet - > list , head ) ;
queue_delayed_work ( batadv_event_workqueue ,
& forw_packet - > delayed_work ,
send_time - jiffies ) ;
spin_unlock_bh ( lock ) ;
}
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_bcast_queue ( ) - try to queue a broadcast packet
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
* @ bat_priv : the bat priv with all the soft interface information
* @ forw_packet : the forwarding packet to queue
* @ send_time : timestamp ( jiffies ) when the packet is to be sent
*
* This function tries to ( re ) queue a broadcast packet .
*
* Caller needs to ensure that forw_packet - > delayed_work was initialized .
*/
static void
batadv_forw_packet_bcast_queue ( struct batadv_priv * bat_priv ,
struct batadv_forw_packet * forw_packet ,
unsigned long send_time )
{
batadv_forw_packet_queue ( forw_packet , & bat_priv - > forw_bcast_list_lock ,
& bat_priv - > forw_bcast_list , send_time ) ;
}
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_ogmv1_queue ( ) - try to queue an OGMv1 packet
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
* @ bat_priv : the bat priv with all the soft interface information
* @ forw_packet : the forwarding packet to queue
* @ send_time : timestamp ( jiffies ) when the packet is to be sent
*
* This function tries to ( re ) queue an OGMv1 packet .
*
* Caller needs to ensure that forw_packet - > delayed_work was initialized .
*/
void batadv_forw_packet_ogmv1_queue ( struct batadv_priv * bat_priv ,
struct batadv_forw_packet * forw_packet ,
unsigned long send_time )
{
batadv_forw_packet_queue ( forw_packet , & bat_priv - > forw_bat_list_lock ,
& bat_priv - > forw_bat_list , send_time ) ;
2010-12-13 11:19:28 +00:00
}
2015-09-15 19:00:48 +02:00
/**
2021-05-17 00:33:07 +02:00
* batadv_forw_bcast_packet_to_list ( ) - queue broadcast packet for transmissions
2015-10-31 12:29:29 +01:00
* @ bat_priv : the bat priv with all the soft interface information
* @ skb : broadcast packet to add
* @ delay : number of jiffies to wait before sending
batman-adv: Simple (re)broadcast avoidance
With this patch, (re)broadcasting on a specific interfaces is avoided:
* No neighbor: There is no need to broadcast on an interface if there
is no node behind it.
* Single neighbor is source: If there is just one neighbor on an
interface and if this neighbor is the one we actually got this
broadcast packet from, then we do not need to echo it back.
* Single neighbor is originator: If there is just one neighbor on
an interface and if this neighbor is the originator of this
broadcast packet, then we do not need to echo it back.
Goodies for BATMAN V:
("Upgrade your BATMAN IV network to V now to get these for free!")
Thanks to the split of OGMv1 into two packet types, OGMv2 and ELP
that is, we can now apply the same optimizations stated above to OGMv2
packets, too.
Furthermore, with BATMAN V, rebroadcasts can be reduced in certain
multi interface cases, too, where BATMAN IV cannot. This is thanks to
the removal of the "secondary interface originator" concept in BATMAN V.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-08-07 12:34:19 +02:00
* @ own_packet : true if it is a self - generated broadcast packet
2021-05-17 00:33:07 +02:00
* @ if_in : the interface where the packet was received on
* @ if_out : the outgoing interface to queue on
2010-12-13 11:19:28 +00:00
*
2021-05-17 00:33:07 +02:00
* Adds a broadcast packet to the queue and sets up timers . Broadcast packets
2015-09-15 19:00:48 +02:00
* are sent multiple times to increase probability for being received .
2010-12-13 11:19:28 +00:00
*
2021-05-17 00:33:09 +02:00
* This call clones the given skb , hence the caller needs to take into
* account that the data segment of the original skb might not be
* modifiable anymore .
*
2015-09-15 19:00:48 +02:00
* Return : NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors .
2012-05-12 02:09:43 +02:00
*/
2021-05-17 00:33:07 +02:00
static int batadv_forw_bcast_packet_to_list ( struct batadv_priv * bat_priv ,
struct sk_buff * skb ,
unsigned long delay ,
bool own_packet ,
struct batadv_hard_iface * if_in ,
struct batadv_hard_iface * if_out )
2010-12-13 11:19:28 +00:00
{
2012-06-05 22:31:31 +02:00
struct batadv_forw_packet * forw_packet ;
2021-05-17 00:33:07 +02:00
unsigned long send_time = jiffies ;
2011-05-14 23:14:50 +02:00
struct sk_buff * newskb ;
2010-12-13 11:19:28 +00:00
2021-05-17 00:33:09 +02:00
newskb = skb_clone ( skb , GFP_ATOMIC ) ;
2021-05-17 00:33:07 +02:00
if ( ! newskb )
2017-02-17 11:17:06 +01:00
goto err ;
2021-05-17 00:33:07 +02:00
forw_packet = batadv_forw_packet_alloc ( if_in , if_out ,
2016-06-20 21:39:54 +02:00
& bat_priv - > bcast_queue_left ,
2017-02-17 11:17:06 +01:00
bat_priv , newskb ) ;
2010-12-13 11:19:28 +00:00
if ( ! forw_packet )
2016-06-20 21:39:54 +02:00
goto err_packet_free ;
2010-12-13 11:19:28 +00:00
batman-adv: Simple (re)broadcast avoidance
With this patch, (re)broadcasting on a specific interfaces is avoided:
* No neighbor: There is no need to broadcast on an interface if there
is no node behind it.
* Single neighbor is source: If there is just one neighbor on an
interface and if this neighbor is the one we actually got this
broadcast packet from, then we do not need to echo it back.
* Single neighbor is originator: If there is just one neighbor on
an interface and if this neighbor is the originator of this
broadcast packet, then we do not need to echo it back.
Goodies for BATMAN V:
("Upgrade your BATMAN IV network to V now to get these for free!")
Thanks to the split of OGMv1 into two packet types, OGMv2 and ELP
that is, we can now apply the same optimizations stated above to OGMv2
packets, too.
Furthermore, with BATMAN V, rebroadcasts can be reduced in certain
multi interface cases, too, where BATMAN IV cannot. This is thanks to
the removal of the "secondary interface originator" concept in BATMAN V.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-08-07 12:34:19 +02:00
forw_packet - > own = own_packet ;
2010-12-13 11:19:28 +00:00
2012-12-25 13:14:37 +01:00
INIT_DELAYED_WORK ( & forw_packet - > delayed_work ,
batadv_send_outstanding_bcast_packet ) ;
2021-05-17 00:33:07 +02:00
send_time + = delay ? delay : msecs_to_jiffies ( 5 ) ;
batadv_forw_packet_bcast_queue ( bat_priv , forw_packet , send_time ) ;
2010-12-13 11:19:28 +00:00
return NETDEV_TX_OK ;
2016-06-20 21:39:54 +02:00
err_packet_free :
2017-02-17 11:17:06 +01:00
kfree_skb ( newskb ) ;
2016-06-20 21:39:54 +02:00
err :
2010-12-13 11:19:28 +00:00
return NETDEV_TX_BUSY ;
}
2021-05-17 00:33:07 +02:00
/**
* batadv_forw_bcast_packet_if ( ) - forward and queue a broadcast packet
* @ bat_priv : the bat priv with all the soft interface information
* @ skb : broadcast packet to add
* @ delay : number of jiffies to wait before sending
* @ own_packet : true if it is a self - generated broadcast packet
* @ if_in : the interface where the packet was received on
* @ if_out : the outgoing interface to forward to
*
* Transmits a broadcast packet on the specified interface either immediately
* or if a delay is given after that . Furthermore , queues additional
* retransmissions if this interface is a wireless one .
*
2021-05-17 00:33:09 +02:00
* This call clones the given skb , hence the caller needs to take into
* account that the data segment of the original skb might not be
* modifiable anymore .
*
2021-05-17 00:33:07 +02:00
* Return : NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors .
*/
static int batadv_forw_bcast_packet_if ( struct batadv_priv * bat_priv ,
struct sk_buff * skb ,
unsigned long delay ,
bool own_packet ,
struct batadv_hard_iface * if_in ,
struct batadv_hard_iface * if_out )
{
unsigned int num_bcasts = if_out - > num_bcasts ;
struct sk_buff * newskb ;
int ret = NETDEV_TX_OK ;
if ( ! delay ) {
2021-05-17 00:33:09 +02:00
newskb = skb_clone ( skb , GFP_ATOMIC ) ;
2021-05-17 00:33:07 +02:00
if ( ! newskb )
return NETDEV_TX_BUSY ;
batadv_send_broadcast_skb ( newskb , if_out ) ;
num_bcasts - - ;
}
/* delayed broadcast or rebroadcasts? */
if ( num_bcasts > = 1 ) {
BATADV_SKB_CB ( skb ) - > num_bcasts = num_bcasts ;
ret = batadv_forw_bcast_packet_to_list ( bat_priv , skb , delay ,
own_packet , if_in ,
if_out ) ;
}
return ret ;
}
/**
* batadv_send_no_broadcast ( ) - check whether ( re ) broadcast is necessary
* @ bat_priv : the bat priv with all the soft interface information
* @ skb : broadcast packet to check
* @ own_packet : true if it is a self - generated broadcast packet
* @ if_out : the outgoing interface checked and considered for ( re ) broadcast
*
* Return : False if a packet needs to be ( re ) broadcasted on the given interface ,
* true otherwise .
*/
static bool batadv_send_no_broadcast ( struct batadv_priv * bat_priv ,
struct sk_buff * skb , bool own_packet ,
struct batadv_hard_iface * if_out )
{
struct batadv_hardif_neigh_node * neigh_node = NULL ;
struct batadv_bcast_packet * bcast_packet ;
u8 * orig_neigh ;
u8 * neigh_addr ;
char * type ;
int ret ;
if ( ! own_packet ) {
neigh_addr = eth_hdr ( skb ) - > h_source ;
neigh_node = batadv_hardif_neigh_get ( if_out ,
neigh_addr ) ;
}
bcast_packet = ( struct batadv_bcast_packet * ) skb - > data ;
orig_neigh = neigh_node ? neigh_node - > orig : NULL ;
ret = batadv_hardif_no_broadcast ( if_out , bcast_packet - > orig ,
orig_neigh ) ;
2021-08-08 19:11:08 +02:00
batadv_hardif_neigh_put ( neigh_node ) ;
2021-05-17 00:33:07 +02:00
/* ok, may broadcast */
if ( ! ret )
return false ;
/* no broadcast */
switch ( ret ) {
case BATADV_HARDIF_BCAST_NORECIPIENT :
type = " no neighbor " ;
break ;
case BATADV_HARDIF_BCAST_DUPFWD :
type = " single neighbor is source " ;
break ;
case BATADV_HARDIF_BCAST_DUPORIG :
type = " single neighbor is originator " ;
break ;
default :
type = " unknown " ;
}
batadv_dbg ( BATADV_DBG_BATMAN , bat_priv ,
" BCAST packet from orig %pM on %s suppressed: %s \n " ,
bcast_packet - > orig ,
if_out - > net_dev - > name , type ) ;
return true ;
}
/**
* __batadv_forw_bcast_packet ( ) - forward and queue a broadcast packet
* @ bat_priv : the bat priv with all the soft interface information
* @ skb : broadcast packet to add
* @ delay : number of jiffies to wait before sending
* @ own_packet : true if it is a self - generated broadcast packet
*
* Transmits a broadcast packet either immediately or if a delay is given
* after that . Furthermore , queues additional retransmissions on wireless
* interfaces .
*
* This call clones the given skb , hence the caller needs to take into
* account that the data segment of the given skb might not be
* modifiable anymore .
*
* Return : NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors .
*/
static int __batadv_forw_bcast_packet ( struct batadv_priv * bat_priv ,
struct sk_buff * skb ,
unsigned long delay ,
bool own_packet )
{
struct batadv_hard_iface * hard_iface ;
struct batadv_hard_iface * primary_if ;
int ret = NETDEV_TX_OK ;
primary_if = batadv_primary_if_get_selected ( bat_priv ) ;
if ( ! primary_if )
return NETDEV_TX_BUSY ;
rcu_read_lock ( ) ;
list_for_each_entry_rcu ( hard_iface , & batadv_hardif_list , list ) {
if ( hard_iface - > soft_iface ! = bat_priv - > soft_iface )
continue ;
if ( ! kref_get_unless_zero ( & hard_iface - > refcount ) )
continue ;
if ( batadv_send_no_broadcast ( bat_priv , skb , own_packet ,
hard_iface ) ) {
batadv_hardif_put ( hard_iface ) ;
continue ;
}
ret = batadv_forw_bcast_packet_if ( bat_priv , skb , delay ,
own_packet , primary_if ,
hard_iface ) ;
batadv_hardif_put ( hard_iface ) ;
if ( ret = = NETDEV_TX_BUSY )
break ;
}
rcu_read_unlock ( ) ;
batadv_hardif_put ( primary_if ) ;
return ret ;
}
/**
* batadv_forw_bcast_packet ( ) - forward and queue a broadcast packet
* @ bat_priv : the bat priv with all the soft interface information
* @ skb : broadcast packet to add
* @ delay : number of jiffies to wait before sending
* @ own_packet : true if it is a self - generated broadcast packet
*
* Transmits a broadcast packet either immediately or if a delay is given
* after that . Furthermore , queues additional retransmissions on wireless
* interfaces .
*
* Return : NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors .
*/
int batadv_forw_bcast_packet ( struct batadv_priv * bat_priv ,
struct sk_buff * skb ,
unsigned long delay ,
bool own_packet )
{
return __batadv_forw_bcast_packet ( bat_priv , skb , delay , own_packet ) ;
}
/**
* batadv_send_bcast_packet ( ) - send and queue a broadcast packet
* @ bat_priv : the bat priv with all the soft interface information
* @ skb : broadcast packet to add
* @ delay : number of jiffies to wait before sending
* @ own_packet : true if it is a self - generated broadcast packet
*
* Transmits a broadcast packet either immediately or if a delay is given
* after that . Furthermore , queues additional retransmissions on wireless
* interfaces .
*
* Consumes the provided skb .
*/
void batadv_send_bcast_packet ( struct batadv_priv * bat_priv ,
struct sk_buff * skb ,
unsigned long delay ,
bool own_packet )
{
__batadv_forw_bcast_packet ( bat_priv , skb , delay , own_packet ) ;
consume_skb ( skb ) ;
}
2017-02-17 11:17:07 +01:00
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_bcasts_left ( ) - check if a retransmission is necessary
2017-02-17 11:17:07 +01:00
* @ forw_packet : the forwarding packet to check
*
* Checks whether a given packet has any ( re ) transmissions left on the provided
* interface .
*
* hard_iface may be NULL : In that case the number of transmissions this skb had
* so far is compared with the maximum amount of retransmissions independent of
* any interface instead .
*
* Return : True if ( re ) transmissions are left , false otherwise .
*/
static bool
2021-05-17 00:33:07 +02:00
batadv_forw_packet_bcasts_left ( struct batadv_forw_packet * forw_packet )
2017-02-17 11:17:07 +01:00
{
2021-05-17 00:33:07 +02:00
return BATADV_SKB_CB ( forw_packet - > skb ) - > num_bcasts ;
2017-02-17 11:17:07 +01:00
}
/**
2021-05-17 00:33:07 +02:00
* batadv_forw_packet_bcasts_dec ( ) - decrement retransmission counter of a
2017-12-02 19:51:47 +01:00
* packet
2021-05-17 00:33:07 +02:00
* @ forw_packet : the packet to decrease the counter for
2017-02-17 11:17:07 +01:00
*/
static void
2021-05-17 00:33:07 +02:00
batadv_forw_packet_bcasts_dec ( struct batadv_forw_packet * forw_packet )
2017-02-17 11:17:07 +01:00
{
2021-05-17 00:33:07 +02:00
BATADV_SKB_CB ( forw_packet - > skb ) - > num_bcasts - - ;
2017-02-17 11:17:07 +01:00
}
/**
2017-12-02 19:51:47 +01:00
* batadv_forw_packet_is_rebroadcast ( ) - check packet for previous transmissions
2017-02-17 11:17:07 +01:00
* @ forw_packet : the packet to check
*
* Return : True if this packet was transmitted before , false otherwise .
*/
bool batadv_forw_packet_is_rebroadcast ( struct batadv_forw_packet * forw_packet )
{
2021-05-17 00:33:07 +02:00
unsigned char num_bcasts = BATADV_SKB_CB ( forw_packet - > skb ) - > num_bcasts ;
return num_bcasts ! = forw_packet - > if_outgoing - > num_bcasts ;
2017-02-17 11:17:07 +01:00
}
2021-05-17 00:33:07 +02:00
/**
* batadv_send_outstanding_bcast_packet ( ) - transmit a queued broadcast packet
* @ work : work queue item
*
* Transmits a queued broadcast packet and if necessary reschedules it .
*/
2012-05-16 20:23:14 +02:00
static void batadv_send_outstanding_bcast_packet ( struct work_struct * work )
2010-12-13 11:19:28 +00:00
{
2021-05-17 00:33:07 +02:00
unsigned long send_time = jiffies + msecs_to_jiffies ( 5 ) ;
2012-06-05 22:31:31 +02:00
struct batadv_forw_packet * forw_packet ;
2021-05-17 00:33:07 +02:00
struct delayed_work * delayed_work ;
2012-06-05 22:31:31 +02:00
struct batadv_priv * bat_priv ;
2021-05-17 00:33:07 +02:00
struct sk_buff * skb1 ;
2016-07-17 21:04:00 +02:00
bool dropped = false ;
2012-06-05 22:31:31 +02:00
2015-12-28 23:43:37 +08:00
delayed_work = to_delayed_work ( work ) ;
2012-06-05 22:31:31 +02:00
forw_packet = container_of ( delayed_work , struct batadv_forw_packet ,
delayed_work ) ;
2021-05-17 00:33:07 +02:00
bat_priv = netdev_priv ( forw_packet - > if_incoming - > soft_iface ) ;
2010-12-13 11:19:28 +00:00
2016-07-17 21:04:00 +02:00
if ( atomic_read ( & bat_priv - > mesh_state ) = = BATADV_MESH_DEACTIVATING ) {
dropped = true ;
2010-12-13 11:19:28 +00:00
goto out ;
2016-07-17 21:04:00 +02:00
}
2010-12-13 11:19:28 +00:00
2016-07-17 21:04:00 +02:00
if ( batadv_dat_drop_broadcast_packet ( bat_priv , forw_packet ) ) {
dropped = true ;
2011-06-26 03:37:18 +02:00
goto out ;
2016-07-17 21:04:00 +02:00
}
2011-06-26 03:37:18 +02:00
2021-05-17 00:33:07 +02:00
/* send a copy of the saved skb */
2021-05-17 00:33:08 +02:00
skb1 = skb_clone ( forw_packet - > skb , GFP_ATOMIC ) ;
2021-05-17 00:33:07 +02:00
if ( ! skb1 )
goto out ;
2010-12-13 11:19:28 +00:00
2021-05-17 00:33:07 +02:00
batadv_send_broadcast_skb ( skb1 , forw_packet - > if_outgoing ) ;
batadv_forw_packet_bcasts_dec ( forw_packet ) ;
2010-12-13 11:19:28 +00:00
2021-05-17 00:33:07 +02:00
if ( batadv_forw_packet_bcasts_left ( forw_packet ) ) {
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
batadv_forw_packet_bcast_queue ( bat_priv , forw_packet ,
send_time ) ;
2010-12-13 11:19:28 +00:00
return ;
}
out :
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
/* do we get something for free()? */
if ( batadv_forw_packet_steal ( forw_packet ,
& bat_priv - > forw_bcast_list_lock ) )
batadv_forw_packet_free ( forw_packet , dropped ) ;
2010-12-13 11:19:28 +00:00
}
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
/**
2017-12-02 19:51:47 +01:00
* batadv_purge_outstanding_packets ( ) - stop / purge scheduled bcast / OGMv1 packets
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
* @ bat_priv : the bat priv with all the soft interface information
* @ hard_iface : the hard interface to cancel and purge bcast / ogm packets on
*
* This method cancels and purges any broadcast and OGMv1 packet on the given
* hard_iface . If hard_iface is NULL , broadcast and OGMv1 packets on all hard
* interfaces will be canceled and purged .
*
* This function might sleep .
*/
2012-06-05 22:31:31 +02:00
void
batadv_purge_outstanding_packets ( struct batadv_priv * bat_priv ,
const struct batadv_hard_iface * hard_iface )
2010-12-13 11:19:28 +00:00
{
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
struct hlist_head head = HLIST_HEAD_INIT ;
2010-12-13 11:19:28 +00:00
2011-02-18 12:33:20 +00:00
if ( hard_iface )
2012-06-03 22:19:22 +02:00
batadv_dbg ( BATADV_DBG_BATMAN , bat_priv ,
2017-05-19 13:02:00 +02:00
" %s(): %s \n " ,
__func__ , hard_iface - > net_dev - > name ) ;
2010-12-13 11:19:28 +00:00
else
2012-06-03 22:19:22 +02:00
batadv_dbg ( BATADV_DBG_BATMAN , bat_priv ,
2017-05-19 13:02:00 +02:00
" %s() \n " , __func__ ) ;
2010-12-13 11:19:28 +00:00
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
/* claim bcast list for free() */
2010-12-13 11:19:28 +00:00
spin_lock_bh ( & bat_priv - > forw_bcast_list_lock ) ;
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
batadv_forw_packet_list_steal ( & bat_priv - > forw_bcast_list , & head ,
hard_iface ) ;
2010-12-13 11:19:28 +00:00
spin_unlock_bh ( & bat_priv - > forw_bcast_list_lock ) ;
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
/* claim batman packet list for free() */
2010-12-13 11:19:28 +00:00
spin_lock_bh ( & bat_priv - > forw_bat_list_lock ) ;
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
batadv_forw_packet_list_steal ( & bat_priv - > forw_bat_list , & head ,
hard_iface ) ;
2010-12-13 11:19:28 +00:00
spin_unlock_bh ( & bat_priv - > forw_bat_list_lock ) ;
batman-adv: fix rare race conditions on interface removal
In rare cases during shutdown the following general protection fault can
happen:
general protection fault: 0000 [#1] SMP
Modules linked in: batman_adv(O-) [...]
CPU: 3 PID: 1714 Comm: rmmod Tainted: G O 4.6.0-rc6+ #1
[...]
Call Trace:
[<ffffffffa0363294>] batadv_hardif_disable_interface+0x29a/0x3a6 [batman_adv]
[<ffffffffa0373db4>] batadv_softif_destroy_netlink+0x4b/0xa4 [batman_adv]
[<ffffffff813b52f3>] __rtnl_link_unregister+0x48/0x92
[<ffffffff813b9240>] rtnl_link_unregister+0xc1/0xdb
[<ffffffff8108547c>] ? bit_waitqueue+0x87/0x87
[<ffffffffa03850d2>] batadv_exit+0x1a/0xf48 [batman_adv]
[<ffffffff810c26f9>] SyS_delete_module+0x136/0x1b0
[<ffffffff8144dc65>] entry_SYSCALL_64_fastpath+0x18/0xa8
[<ffffffff8108aaca>] ? trace_hardirqs_off_caller+0x37/0xa6
Code: 89 f7 e8 21 bd 0d e1 4d 85 e4 75 0e 31 f6 48 c7 c7 50 d7 3b a0 e8 50 16 f2 e0 49 8b 9c 24 28 01 00 00 48 85 db 0f 84 b2 00 00 00 <48> 8b 03 4d 85 ed 48 89 45 c8 74 09 4c 39 ab f8 00 00 00 75 1c
RIP [<ffffffffa0371852>] batadv_purge_outstanding_packets+0x1c8/0x291 [batman_adv]
RSP <ffff88001da5fd78>
---[ end trace 803b9bdc6a4a952b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
It does not happen often, but may potentially happen when frequently
shutting down and reinitializing an interface. With some carefully
placed msleep()s/mdelay()s it can be reproduced easily.
The issue is, that on interface removal, any still running worker thread
of a forwarding packet will race with the interface purging routine to
free a forwarding packet. Temporarily giving up a spin-lock to be able
to sleep in the purging routine is not safe.
Furthermore, there is a potential general protection fault not just for
the purging side shown above, but also on the worker side: Temporarily
removing a forw_packet from the according forw_{bcast,bat}_list will make
it impossible for the purging routine to catch and cancel it.
# How this patch tries to fix it:
With this patch we split the queue purging into three steps: Step 1),
removing forward packets from the queue of an interface and by that
claim it as our responsibility to free.
Step 2), we are either lucky to cancel a pending worker before it starts
to run. Or if it is already running, we wait and let it do its thing,
except two things:
Through the claiming in step 1) we prevent workers from a) re-arming
themselves. And b) prevent workers from freeing packets which we still
hold in the interface purging routine.
Finally, step 3, we are sure that no forwarding packets are pending or
even running anymore on the interface to remove. We can then safely free
the claimed forwarding packets.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2016-11-01 09:44:44 +01:00
/* then cancel or wait for packet workers to finish and free */
batadv_forw_packet_list_free ( & head ) ;
2010-12-13 11:19:28 +00:00
}