3.1 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Tue, 22 Nov 2011 23:44:45 +0000 (15:44 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 22 Nov 2011 23:44:45 +0000 (15:44 -0800)
added patches:
batman-adv-add-sanity-check-when-removing-global-tts.patch
batman-adv-correctly-set-the-data-field-in-the-tt_reponse-packet.patch
batman-adv-fix-tt_local_reset_flags-function.patch
batman-adv-remove-references-for-global-tt-entries.patch
batman-adv-unify-hash_entry-field-position-in-tt_local-global_entry.patch
vmscan-fix-shrinker-callback-bug-in-fs-super.c.patch

queue-3.1/batman-adv-add-sanity-check-when-removing-global-tts.patch [new file with mode: 0644]
queue-3.1/batman-adv-correctly-set-the-data-field-in-the-tt_reponse-packet.patch [new file with mode: 0644]
queue-3.1/batman-adv-fix-tt_local_reset_flags-function.patch [new file with mode: 0644]
queue-3.1/batman-adv-remove-references-for-global-tt-entries.patch [new file with mode: 0644]
queue-3.1/batman-adv-unify-hash_entry-field-position-in-tt_local-global_entry.patch [new file with mode: 0644]
queue-3.1/series
queue-3.1/vmscan-fix-shrinker-callback-bug-in-fs-super.c.patch [new file with mode: 0644]

diff --git a/queue-3.1/batman-adv-add-sanity-check-when-removing-global-tts.patch b/queue-3.1/batman-adv-add-sanity-check-when-removing-global-tts.patch
new file mode 100644 (file)
index 0000000..145cee5
--- /dev/null
@@ -0,0 +1,34 @@
+From 6e8014947d6469df1566e9e253805557c5c0e4e0 Mon Sep 17 00:00:00 2001
+From: Simon Wunderlich <simon.wunderlich@s2003.tu-chemnitz.de>
+Date: Wed, 19 Oct 2011 10:28:26 +0200
+Subject: batman-adv: add sanity check when removing global tts
+
+From: Simon Wunderlich <simon.wunderlich@s2003.tu-chemnitz.de>
+
+commit 6e8014947d6469df1566e9e253805557c5c0e4e0 upstream.
+
+After removing the batman-adv module, the hash may be already gone
+when tt_global_del_orig() tries to clean the hash. This patch adds
+a sanity check to avoid this.
+
+Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
+Tested-by: Alexey Fisher <bug-track@fisher-privat.net>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/batman-adv/translation-table.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -698,6 +698,9 @@ void tt_global_del_orig(struct bat_priv
+       struct hlist_head *head;
+       spinlock_t *list_lock; /* protects write access to the hash lists */
++      if (!hash)
++              return;
++
+       for (i = 0; i < hash->size; i++) {
+               head = &hash->table[i];
+               list_lock = &hash->list_locks[i];
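Review bot: The new `if (!hash) return;` in tt_global_del_orig() has no comment saying when the table can legitimately be NULL, so a later reader cannot tell a teardown guard from a masked bug. Per the commit message the case is module removal after the hash is already gone; a line such as `/* table already freed during teardown: nothing to purge */` above the check would record that. The guard only helps if the pointer is cleared when the table is freed, which happens outside this hunk and is worth confirming. The function body starts and ends outside the hunk.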
diff --git a/queue-3.1/batman-adv-correctly-set-the-data-field-in-the-tt_reponse-packet.patch b/queue-3.1/batman-adv-correctly-set-the-data-field-in-the-tt_reponse-packet.patch
new file mode 100644 (file)
index 0000000..f498348
--- /dev/null
@@ -0,0 +1,43 @@
+From 9d8523931f7f5eb8900077f0da0fbe6b8ad0010b Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <ordex@autistici.org>
+Date: Mon, 17 Oct 2011 14:25:13 +0200
+Subject: batman-adv: correctly set the data field in the TT_REPONSE packet
+
+From: Antonio Quartulli <ordex@autistici.org>
+
+commit 9d8523931f7f5eb8900077f0da0fbe6b8ad0010b upstream.
+
+In the TT_RESPONSE packet, the number of carried entries is not correctly set.
+This leads to a wrong interpretation of the packet payload on the receiver side
+causing random entries to be added to the global translation table. Therefore
+the latter gets always corrupted, triggering a table recovery all the time.
+
+Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/batman-adv/translation-table.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -999,7 +999,6 @@ static struct sk_buff *tt_response_fill_
+       tt_response = (struct tt_query_packet *)skb_put(skb,
+                                                    tt_query_size + tt_len);
+       tt_response->ttvn = ttvn;
+-      tt_response->tt_data = htons(tt_tot);
+       tt_change = (struct tt_change *)(skb->data + tt_query_size);
+       tt_count = 0;
+@@ -1025,6 +1024,10 @@ static struct sk_buff *tt_response_fill_
+       }
+       rcu_read_unlock();
++      /* store in the message the number of entries we have successfully
++       * copied */
++      tt_response->tt_data = htons(tt_count);
++
+ out:
+       return skb;
+ }
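Review bot: The packet length is still fixed by `skb_put(skb, tt_query_size + tt_len)` while `tt_data` now carries `tt_count`, so when fewer entries are copied than the buffer was sized for, the bytes after the last copied entry are transmitted without being written in the visible lines. If the skb data is not zeroed at allocation (outside this hunk), that tail is uninitialised kernel memory on the wire. Trimming after the loop, e.g. `skb_trim(skb, tt_query_size + tt_count * sizeof(struct tt_change));`, or zeroing the unused part would close it. The added comment would also match kernel style with the closing `*/` on its own line. tt_response_fill_table() begins outside the hunk.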
diff --git a/queue-3.1/batman-adv-fix-tt_local_reset_flags-function.patch b/queue-3.1/batman-adv-fix-tt_local_reset_flags-function.patch
new file mode 100644 (file)
index 0000000..ed51a23
--- /dev/null
@@ -0,0 +1,36 @@
+From 31901264511cf20c5ed33b8649a3ca9ce28df60b Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <ordex@autistici.org>
+Date: Sun, 16 Oct 2011 18:53:37 +0200
+Subject: batman-adv: fix tt_local_reset_flags() function
+
+From: Antonio Quartulli <ordex@autistici.org>
+
+commit 31901264511cf20c5ed33b8649a3ca9ce28df60b upstream.
+
+Currently the counter of tt_local_entry structures (tt_local_num) is incremented
+each time the tt_local_reset_flags() is invoked causing the node to send wrong
+TT_REPONSE packets containing a copy of non-initialised memory thus corrupting
+other nodes global translation table and making higher level communication
+impossible.
+
+Reported-by: Junkeun Song <jun361@gmail.com>
+Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+Acked-by: Junkeun Song <jun361@gmail.com>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/batman-adv/translation-table.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1668,6 +1668,8 @@ static void tt_local_reset_flags(struct
+               rcu_read_lock();
+               hlist_for_each_entry_rcu(tt_local_entry, node,
+                                        head, hash_entry) {
++                      if (!(tt_local_entry->flags & flags))
++                              continue;
+                       tt_local_entry->flags &= ~flags;
+                       atomic_inc(&bat_priv->num_local_tt);
+               }
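Review bot: The added `continue` is what keeps `num_local_tt` equal to the number of entries that actually had the flag cleared, but nothing at the site says so. According to the commit message an inflated counter made TT_RESPONSE packets carry non-initialised memory, so the coupling deserves a comment above the check, for example `/* count an entry only when the flag is really cleared */`. The `flags &= ~flags` update runs under `rcu_read_lock()` only, which does not serialise writers. Whether another path can modify the same flags concurrently is not visible here and should be checked. The loop and the function continue outside the hunk.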
diff --git a/queue-3.1/batman-adv-remove-references-for-global-tt-entries.patch b/queue-3.1/batman-adv-remove-references-for-global-tt-entries.patch
new file mode 100644 (file)
index 0000000..604de0b
--- /dev/null
@@ -0,0 +1,47 @@
+From 531027fcddbcf81c9937dd04f08a7e8f11fd47d2 Mon Sep 17 00:00:00 2001
+From: Simon Wunderlich <simon.wunderlich@s2003.tu-chemnitz.de>
+Date: Wed, 19 Oct 2011 11:02:25 +0200
+Subject: batman-adv: remove references for global tt entries
+
+From: Simon Wunderlich <simon.wunderlich@s2003.tu-chemnitz.de>
+
+commit 531027fcddbcf81c9937dd04f08a7e8f11fd47d2 upstream.
+
+struct tt_global_entry holds a reference to an orig_node which must be
+decremented before deallocating the structure.
+
+Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
+Tested-by: Alexey Fisher <bug-track@fisher-privat.net>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/batman-adv/translation-table.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -137,10 +137,22 @@ static void tt_local_entry_free_ref(stru
+               kfree_rcu(tt_local_entry, rcu);
+ }
++static void tt_global_entry_free_rcu(struct rcu_head *rcu)
++{
++      struct tt_global_entry *tt_global_entry;
++
++      tt_global_entry = container_of(rcu, struct tt_global_entry, rcu);
++
++      if (tt_global_entry->orig_node)
++              orig_node_free_ref(tt_global_entry->orig_node);
++
++      kfree(tt_global_entry);
++}
++
+ static void tt_global_entry_free_ref(struct tt_global_entry *tt_global_entry)
+ {
+       if (atomic_dec_and_test(&tt_global_entry->refcount))
+-              kfree_rcu(tt_global_entry, rcu);
++              call_rcu(&tt_global_entry->rcu, tt_global_entry_free_rcu);
+ }
+ static void tt_local_event(struct bat_priv *bat_priv, const uint8_t *addr,
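Review bot: Replacing `kfree_rcu()` with `call_rcu(&tt_global_entry->rcu, tt_global_entry_free_rcu)` means a callback that lives in this file's own code can still be pending when the module is unloaded. If batman-adv is built as a module, its exit path (not in this hunk) has to wait for outstanding callbacks with `rcu_barrier()` before the module text is released, otherwise the deferred free runs after its code is gone. A short comment on tt_global_entry_free_rcu() such as `/* RCU callback: drops the orig_node reference, then frees the entry; module exit must rcu_barrier() */` would record the requirement.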
diff --git a/queue-3.1/batman-adv-unify-hash_entry-field-position-in-tt_local-global_entry.patch b/queue-3.1/batman-adv-unify-hash_entry-field-position-in-tt_local-global_entry.patch
new file mode 100644 (file)
index 0000000..15d0368
--- /dev/null
@@ -0,0 +1,51 @@
+From 93840ac40bb0d0f177ef8af74e64671be67e8c37 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <ordex@autistici.org>
+Date: Sat, 22 Oct 2011 00:55:39 +0200
+Subject: batman-adv: unify hash_entry field position in tt_local/global_entry
+
+From: Antonio Quartulli <ordex@autistici.org>
+
+commit 93840ac40bb0d0f177ef8af74e64671be67e8c37 upstream.
+
+Function tt_response_fill_table() actually uses a tt_local_entry pointer to
+iterate either over the local or the global table entries (it depends on the
+what hash table is passed as argument). To iterate over such entries the
+hlist_for_each_entry_rcu() macro has to access their "hash_entry" field which
+MUST be at the same position in both the tt_global/local_entry structures.
+
+Reported-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
+Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/batman-adv/types.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -223,22 +223,22 @@ struct socket_packet {
+ struct tt_local_entry {
+       uint8_t addr[ETH_ALEN];
++      struct hlist_node hash_entry;
+       unsigned long last_seen;
+       uint16_t flags;
+       atomic_t refcount;
+       struct rcu_head rcu;
+-      struct hlist_node hash_entry;
+ };
+ struct tt_global_entry {
+       uint8_t addr[ETH_ALEN];
++      struct hlist_node hash_entry; /* entry in the global table */
+       struct orig_node *orig_node;
+       uint8_t ttvn;
+       uint16_t flags; /* only TT_GLOBAL_ROAM is used */
+       unsigned long roam_at; /* time at which TT_GLOBAL_ROAM was set */
+       atomic_t refcount;
+       struct rcu_head rcu;
+-      struct hlist_node hash_entry; /* entry in the global table */
+ };
+ struct tt_change_node {
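Review bot: The requirement that `hash_entry` sit at the same offset in `struct tt_local_entry` and `struct tt_global_entry` is now met but is neither stated next to the fields nor enforced, so a field added before it in only one struct silently brings back the mis-typed list walk. A compile-time check in an init function, `BUILD_BUG_ON(offsetof(struct tt_local_entry, hash_entry) != offsetof(struct tt_global_entry, hash_entry));`, plus a comment on both fields such as `/* must stay at the same offset in tt_local_entry and tt_global_entry */`, would pin it. Only `addr` and `hash_entry` line up between the two layouts, so the iterating code (outside this hunk) should be checked for reads of any other field through the shared pointer.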
index 0a72504cb4e3f5b502e33dcd82b7928addc7d7b6..b0ea958998e2d6a9bcbdd23f43585853fc491893 100644 (file)
@@ -45,3 +45,9 @@ usb-add-quirk-for-logitech-c600-web-cam.patch
 usb-quirks-adding-more-quirky-webcams-to-avoid-squeaky-audio.patch
 drm-i915-fix-ivb-cursor-support.patch
 drm-i915-always-set-fdi-composite-sync-bit.patch
+batman-adv-fix-tt_local_reset_flags-function.patch
+batman-adv-correctly-set-the-data-field-in-the-tt_reponse-packet.patch
+batman-adv-remove-references-for-global-tt-entries.patch
+batman-adv-add-sanity-check-when-removing-global-tts.patch
+batman-adv-unify-hash_entry-field-position-in-tt_local-global_entry.patch
+vmscan-fix-shrinker-callback-bug-in-fs-super.c.patch
diff --git a/queue-3.1/vmscan-fix-shrinker-callback-bug-in-fs-super.c.patch b/queue-3.1/vmscan-fix-shrinker-callback-bug-in-fs-super.c.patch
new file mode 100644 (file)
index 0000000..3ce157f
--- /dev/null
@@ -0,0 +1,44 @@
+From 09f363c7363eb10cfb4b82094bd7064e5608258b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 31 Oct 2011 17:08:57 -0700
+Subject: vmscan: fix shrinker callback bug in fs/super.c
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 09f363c7363eb10cfb4b82094bd7064e5608258b upstream.
+
+The callback must not return -1 when nr_to_scan is zero. Fix the bug in
+fs/super.c and add this requirement to the callback specification.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/super.c               |    2 +-
+ include/linux/shrinker.h |    1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -61,7 +61,7 @@ static int prune_super(struct shrinker *
+               return -1;
+       if (!grab_super_passive(sb))
+-              return -1;
++              return !sc->nr_to_scan ? 0 : -1;
+       if (sb->s_op && sb->s_op->nr_cached_objects)
+               fs_objects = sb->s_op->nr_cached_objects(sb);
+--- a/include/linux/shrinker.h
++++ b/include/linux/shrinker.h
+@@ -20,6 +20,7 @@ struct shrink_control {
+  * 'nr_to_scan' entries and attempt to free them up.  It should return
+  * the number of objects which remain in the cache.  If it returns -1, it means
+  * it cannot do any scanning at this time (eg. there is a risk of deadlock).
++ * The callback must not return -1 if nr_to_scan is zero.
+  *
+  * The 'gfpmask' refers to the allocation we are currently trying to
+  * fulfil.
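Review bot: `return !sc->nr_to_scan ? 0 : -1;` in prune_super() reads as a double negative and gives no hint of why zero is returned. `return sc->nr_to_scan ? -1 : 0;` with a comment like `/* count-only call: -1 is not allowed when nr_to_scan is zero */` would state the contract added to shrinker.h at the call site. The unchanged `return -1;` just above sits under a condition that is outside the hunk, so it is worth confirming that branch cannot be taken with nr_to_scan equal to zero either. prune_super() starts and ends outside the hunk.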