Thread (4 messages), 3 authors, 2013-02-26

Re: batman-adv: gpf in batadv_slide_own_bcast_window

From: Marek Lindner <hidden>
Date: 2013-02-26 05:59:15
Also in: batman, lkml

On Saturday, February 23, 2013 02:37:06 Sasha Levin wrote:
> I'm confused about how batadv_orig_hash_del_if removes an interface from
> the hashtable. I see the hashtable is using rcu to protect it, but when we
> delete an entry we free it straight away by calling
> batadv_orig_node_del_if() and not going through kfree_rcu().
>
> Is there a reason behind doing that, or might it be the cause of the
> problem we're seeing here?

Maybe I am overlooking something but it seems to me access to this memory is
protected by the same lock: orig_node->ogm_cnt_lock

Before batadv_orig_node_del_if() is called this lock is acquired and
batadv_slide_own_bcast_window() also attempts to acquire the
orig_node->ogm_cnt_lock spinlock before writing to this chunk of memory.

Do we know for certain that batadv_orig_hash_del_if() is involved or is that a
guess at this point? If you ask me the next for-loop in
batadv_orig_hash_del_if() looks more suspicious than the first one. The
interfaces get renumbered without any protection. Could be a regression from
the orig_hash_lock removal (the comments refer to a now nonexistent lock).

Cheers,
Marek