Showing error 1883

User: Jiri Slaby
Error type: Invalid Pointer Dereference
Error type description: A pointer which is invalid is being dereferenced
File location: net/dccp/ccids/lib/loss_interval.c
Line in file: 162
Project: Linux Kernel
Project version: 2.6.28
Tools: Smatch (1.59)
Entered: 2013-09-11 08:47:26 UTC


Source:

  1/*
  2 *  net/dccp/ccids/lib/loss_interval.c
  3 *
  4 *  Copyright (c) 2007   The University of Aberdeen, Scotland, UK
  5 *  Copyright (c) 2005-7 The University of Waikato, Hamilton, New Zealand.
  6 *  Copyright (c) 2005-7 Ian McDonald <ian.mcdonald@jandi.co.nz>
  7 *  Copyright (c) 2005 Arnaldo Carvalho de Melo <acme@conectiva.com.br>
  8 *
  9 *  This program is free software; you can redistribute it and/or modify
 10 *  it under the terms of the GNU General Public License as published by
 11 *  the Free Software Foundation; either version 2 of the License, or
 12 *  (at your option) any later version.
 13 */
 14#include <net/sock.h>
 15#include "tfrc.h"
 16
/* Slab cache that backs every loss interval entry; created in tfrc_li_init() */
static struct kmem_cache *tfrc_lh_slab __read_mostly;

/*
 * Loss Interval weights from [RFC 3448, 5.4], scaled by 10.
 * Indexed by interval number in tfrc_lh_calc_i_mean(); the array has exactly
 * NINTERVAL slots, so any index used there must stay below NINTERVAL.
 */
static const int tfrc_lh_weights[NINTERVAL] = {
        10, 10, 10, 10,
         8,  6,  4,  2,
};
 20
/*
 * Map a running counter onto a ring slot.  The counter is reduced modulo
 * LIH_SIZE and mirrored, so increasing counters walk the array from its last
 * slot towards its first (LIFO semantics on the array).  The result is always
 * within 0 .. LIH_SIZE - 1.
 */
static inline u8 LIH_INDEX(const u8 ctr)
{
        const u8 offset = ctr % LIH_SIZE;

        return LIH_SIZE - 1 - offset;
}
 26
/*
 * Return the most recently added entry, or NULL while lh->counter is 0.
 * The `counter' index always points at the next entry to be populated, so the
 * newest entry lives in the slot for counter - 1.  The slot content is
 * returned as-is: a non-zero counter with an empty slot also yields NULL.
 */
static inline struct tfrc_loss_interval *tfrc_lh_peek(struct tfrc_loss_hist *lh)
{
        if (lh->counter == 0)
                return NULL;

        return lh->ring[LIH_INDEX(lh->counter - 1)];
}
 32
/*
 * Given i with 0 <= i <= k, return I_i as per the rfc3448bis notation.
 * I_0 is the newest interval.  An index at or beyond lh->counter trips the
 * BUG_ON(); the ring slot itself is dereferenced without a NULL test.
 */
static inline u32 tfrc_lh_get_interval(struct tfrc_loss_hist *lh, const u8 i)
{
        struct tfrc_loss_interval *entry;

        BUG_ON(i >= lh->counter);

        entry = lh->ring[LIH_INDEX(lh->counter - i - 1)];
        return entry->li_length;
}
 39
 40/*
 41 *        On-demand allocation and de-allocation of entries
 42 */
/*
 * Return the entry in the slot that lh->counter currently maps to, allocating
 * it from tfrc_lh_slab (GFP_ATOMIC) if the slot is still empty.
 *
 * Returns NULL when the allocation fails, so callers must check the result.
 * The allocation is not zeroed here (no __GFP_ZERO, and the cache is created
 * with a NULL constructor), so the caller has to set every field it later
 * reads.
 */
static struct tfrc_loss_interval *tfrc_lh_demand_next(struct tfrc_loss_hist *lh)
{
        struct tfrc_loss_interval **slot = &lh->ring[LIH_INDEX(lh->counter)];

        if (*slot == NULL)
                *slot = kmem_cache_alloc(tfrc_lh_slab, GFP_ATOMIC);

        return *slot;
}
 50
/*
 * Release every allocated entry of @lh back to tfrc_lh_slab and clear the
 * corresponding ring slots.  Does nothing if tfrc_lh_is_initialised() reports
 * that @lh was never set up.
 *
 * lh->counter is reused as the loop variable, so it is left at LIH_SIZE on
 * return while every slot is NULL.
 * NOTE(review): in that state tfrc_lh_peek() returns NULL although the counter
 * is non-zero, and tfrc_lh_interval_add() would then dereference a NULL `cur'
 * in its non-first-interval branch - confirm that no caller uses @lh again
 * after cleanup.
 */
void tfrc_lh_cleanup(struct tfrc_loss_hist *lh)
{
        if (!tfrc_lh_is_initialised(lh))
                return;

        for (lh->counter = 0; lh->counter < LIH_SIZE; lh->counter++) {
                struct tfrc_loss_interval **slot = &lh->ring[LIH_INDEX(lh->counter)];

                if (*slot == NULL)
                        continue;

                kmem_cache_free(tfrc_lh_slab, *slot);
                /* clear the slot so a stale pointer cannot be freed or used again */
                *slot = NULL;
        }
}
EXPORT_SYMBOL_GPL(tfrc_lh_cleanup);
 64
/*
 * Recompute lh->i_mean from the stored loss intervals (k is as in
 * rfc3448bis, 5.4).  Two weighted sums are built: one over I_0 .. I_(k-1) and
 * one over I_1 .. I_k, the latter using the weight of index i - 1.  The larger
 * sum is divided by the weight total of the first.
 *
 * Returns without touching lh->i_mean when k <= 0.  Because k >= 1 past that
 * test, the i == 0 iteration always adds tfrc_lh_weights[0] to the weight
 * total, so the final division cannot be by zero.
 *
 * NOTE(review): both sums are accumulated in u32; a very large interval
 * length multiplied by a weight would wrap silently - confirm lengths are
 * bounded by the callers.
 */
static void tfrc_lh_calc_i_mean(struct tfrc_loss_hist *lh)
{
        const int k = tfrc_lh_length(lh) - 1;
        u32 sum_from_open = 0, sum_from_closed = 0, weight_total = 0;
        int idx;

        if (k <= 0)
                return;

        for (idx = 0; idx <= k; idx++) {
                const u32 interval = tfrc_lh_get_interval(lh, idx);

                /* sum including the open interval I_0, excluding I_k */
                if (idx != k) {
                        sum_from_open += interval * tfrc_lh_weights[idx];
                        weight_total  += tfrc_lh_weights[idx];
                }
                /* sum excluding I_0, weights shifted down by one */
                if (idx != 0)
                        sum_from_closed += interval * tfrc_lh_weights[idx - 1];
        }

        lh->i_mean = max(sum_from_open, sum_from_closed) / weight_total;
}
 86
/**
 * tfrc_lh_update_i_mean  -  Update the `open' loss interval I_0
 * @lh:  Loss Interval database
 * @skb: Received packet; its sequence number and CCVal are read here
 *
 * For recomputing p: returns `true' if p > p_prev  <=>  1/p < 1/p_prev,
 * i.e. non-zero only when the recomputed I_mean is smaller than the old one.
 * Returns 0 when no interval exists yet, when @skb is a duplicate or was
 * reordered, or when only a single interval is recorded.
 */
u8 tfrc_lh_update_i_mean(struct tfrc_loss_hist *lh, struct sk_buff *skb)
{
        struct tfrc_loss_interval *open_li = tfrc_lh_peek(lh);
        const u32 prev_i_mean = lh->i_mean;
        s64 len;

        /* not initialised */
        if (open_li == NULL)
                return 0;

        /* both operands below originate from the wire, via @skb */
        len = dccp_delta_seqno(open_li->li_seqno, DCCP_SKB_CB(skb)->dccpd_seq) + 1;

        /* duplicate or reordered */
        if (len - (s64)open_li->li_length <= 0)
                return 0;

        /*
         * Implements RFC 4342, 10.2:
         * If a packet S (skb) exists whose seqno comes `after' the one
         * starting the current loss interval (cur) and if the modulo-16
         * distance from C(cur) to C(S) is greater than 4, consider all
         * subsequent packets as belonging to a new loss interval. This
         * test is necessary since CCVal may wrap between intervals.
         */
        if (SUB16(dccp_hdr(skb)->dccph_ccval, open_li->li_ccval) > 4) {
                open_li->li_is_closed = 1;
        }

        /* due to RFC 3448, 6.3.1 */
        if (tfrc_lh_length(lh) == 1)
                return 0;

        /*
         * NOTE(review): len is an s64 while li_length is read back as u32
         * elsewhere in this file; presumably the store narrows - confirm the
         * sequence delta cannot exceed 32 bits here.
         */
        open_li->li_length = len;
        tfrc_lh_calc_i_mean(lh);

        return lh->i_mean < prev_i_mean;
}
EXPORT_SYMBOL_GPL(tfrc_lh_update_i_mean);
125
/*
 * Determine if `new_loss' does begin a new loss interval [RFC 4342, 10.2].
 * That is the case when its sequence number lies after the start of @cur and
 * either @cur has already been closed or the modulo-16 CCVal distance from
 * @cur to `new_loss' exceeds 4.  Neither pointer is checked for NULL.
 */
static inline u8 tfrc_lh_is_new_loss(struct tfrc_loss_interval *cur,
                                     struct tfrc_rx_hist_entry *new_loss)
{
        /* not after the start of the current interval: same interval */
        if (dccp_delta_seqno(cur->li_seqno, new_loss->tfrchrx_seqno) <= 0)
                return 0;

        if (cur->li_is_closed)
                return 1;

        return SUB16(new_loss->tfrchrx_ccval, cur->li_ccval) > 4;
}
133
/**
 * tfrc_lh_interval_add  -  Insert new record into the Loss Interval database
 * @lh:            Loss Interval database
 * @rh:            Receive history containing a fresh loss event
 * @calc_first_li: Caller-dependent routine to compute length of first interval
 * @sk:            Used by @calc_first_li in caller-specific way (subtyping)
 *
 * Updates I_mean and returns 1 if a new interval has in fact been added to
 * @lh.  Returns 0 when the loss still belongs to the current interval or when
 * no entry could be allocated (the counter is left untouched in that case).
 */
int tfrc_lh_interval_add(struct tfrc_loss_hist *lh, struct tfrc_rx_hist *rh,
                         u32 (*calc_first_li)(struct sock *), struct sock *sk)
{
        struct tfrc_loss_interval *prev = tfrc_lh_peek(lh);
        struct tfrc_loss_interval *entry;

        if (prev != NULL && !tfrc_lh_is_new_loss(prev, tfrc_rx_hist_loss_prev(rh)))
                return 0;

        entry = tfrc_lh_demand_next(lh);
        if (unlikely(entry == NULL)) {
                DCCP_CRIT("Cannot allocate/add loss record.");
                return 0;
        }

        /* the entry may be freshly allocated and unzeroed: set every field */
        entry->li_seqno     = tfrc_rx_hist_loss_prev(rh)->tfrchrx_seqno;
        entry->li_ccval     = tfrc_rx_hist_loss_prev(rh)->tfrchrx_ccval;
        entry->li_is_closed = 0;

        lh->counter++;
        if (lh->counter == 1) {
                /* very first interval: its length comes from the caller's routine */
                entry->li_length = (*calc_first_li)(sk);
                lh->i_mean = entry->li_length;
                return 1;
        }

        /*
         * prev is dereferenced below without a NULL test, although it was
         * compared against NULL above; this is the dereference a static
         * checker reports.  tfrc_lh_peek() returns NULL when lh->counter is 0,
         * and in that case the increment above yields 1 and the function has
         * already returned.
         * NOTE(review): the remaining way to get here with prev == NULL is a
         * non-zero counter whose newest slot is empty (for instance a history
         * reused after tfrc_lh_cleanup()) - confirm no caller does that.
         */
        prev->li_length = dccp_delta_seqno(prev->li_seqno, entry->li_seqno);
        entry->li_length = dccp_delta_seqno(entry->li_seqno,
                                  tfrc_rx_hist_last_rcv(rh)->tfrchrx_seqno) + 1;

        /* keep the counter small: fold it back once it exceeds 2 * LIH_SIZE */
        if (lh->counter > (2*LIH_SIZE))
                lh->counter -= LIH_SIZE;

        tfrc_lh_calc_i_mean(lh);
        return 1;
}
EXPORT_SYMBOL_GPL(tfrc_lh_interval_add);
173
/*
 * Create the slab cache used for struct tfrc_loss_interval entries.
 * Returns 0 on success and -ENOBUFS if the cache could not be created.
 */
int __init tfrc_li_init(void)
{
        tfrc_lh_slab = kmem_cache_create("tfrc_li_hist",
                                         sizeof(struct tfrc_loss_interval), 0,
                                         SLAB_HWCACHE_ALIGN, NULL);
        if (tfrc_lh_slab == NULL)
                return -ENOBUFS;

        return 0;
}
181
/*
 * Destroy the loss interval slab cache, if it exists, and reset the pointer
 * so that a repeated call is a no-op.
 */
void tfrc_li_exit(void)
{
        if (tfrc_lh_slab == NULL)
                return;

        kmem_cache_destroy(tfrc_lh_slab);
        tfrc_lh_slab = NULL;
}