batman-adv: add patches from 2016.5-maint 2017-02-21

* batman-adv: Fix double free during fragment merge error * batman-adv: Fix transmission of final, 16th fragment Signed-off-by: Sven Eckelmann <sven@narfation.org>
2017-02-26 15:11:20 +01:00 · 2017-02-26 15:11:20 +01:00 · 0a4df2c301
parent 2a5a5e1837
commit 0a4df2c301
3 changed files with 116 additions and 1 deletions
--- a/batman-adv/Makefile
+++ b/batman-adv/Makefile
@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=batman-adv

 PKG_VERSION:=2016.5
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_MD5SUM:=6717a933a08dd2a01b00df30cb9f16a8
 PKG_HASH:=d0a0fc90c4f410b57d043215e253bb0b855efa5edbe165d87c17bfdcfafd0db7

--- a/batman-adv/patches/0003-batman-adv-Fix-double-free-during-fragment-merge-err.patch
+++ b/batman-adv/patches/0003-batman-adv-Fix-double-free-during-fragment-merge-err.patch
@ -0,0 +1,61 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Feb 2017 11:26:33 +0100
+Subject: [PATCH] batman-adv: Fix double free during fragment merge error
+
+The function batadv_frag_skb_buffer was supposed not to consume the skbuff
+on errors. This was followed in the helper function
+batadv_frag_insert_packet when the skb would potentially be inserted in the
+fragment queue. But it could happen that the next helper function
+batadv_frag_merge_packets would try to merge the fragments and fail. This
+results in a kfree_skb of all the enqueued fragments (including the just
+inserted one). batadv_recv_frag_packet would detect the error in
+batadv_frag_skb_buffer and try to free the skb again.
+
+The behavior of batadv_frag_skb_buffer (and its helper
+batadv_frag_insert_packet) must therefore be changed to always consume the
+skbuff to have a common behavior and avoid the double kfree_skb.
+
+Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/e3bab02816097f860545d9ce9ae0808c69d7c92f
+---
+ net/batman-adv/fragmentation.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 0854ebd8..31e97e9a 100644
+--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
+@@ -239,8 +239,10 @@ err_unlock:
+ 	spin_unlock_bh(&chain->lock);
+ 
+ err:
+-	if (!ret)
+	if (!ret) {
+ 		kfree(frag_entry_new);
+		kfree_skb(skb);
+	}
+ 
+ 	return ret;
+ }
+@@ -313,7 +315,7 @@ free:
+  *
+  * There are three possible outcomes: 1) Packet is merged: Return true and
+  * set *skb to merged packet; 2) Packet is buffered: Return true and set *skb
+- * to NULL; 3) Error: Return false and leave skb as is.
+ * to NULL; 3) Error: Return false and free skb.
+  *
+  * Return: true when packet is merged or buffered, false when skb is not not
+  * used.
+@@ -338,9 +340,9 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
+ 		goto out_err;
+ 
+ out:
+-	*skb = skb_out;
+ 	ret = true;
+ out_err:
+	*skb = skb_out;
+ 	return ret;
+ }
+ 
--- a/batman-adv/patches/0004-batman-adv-Fix-transmission-of-final-16th-fragment.patch
+++ b/batman-adv/patches/0004-batman-adv-Fix-transmission-of-final-16th-fragment.patch
@ -0,0 +1,54 @@
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Mon, 13 Feb 2017 20:44:31 +0100
+Subject: [PATCH] batman-adv: Fix transmission of final, 16th fragment
+
+Trying to split and transmit a unicast packet in 16 parts will fail for
+the final fragment: After having sent the 15th one with a frag_packet.no
+index of 14, we will increase the the index to 15 - and return with an
+error code immediately, even though one more fragment is due for
+transmission and allowed.
+
+Fixing this issue by moving the check before incrementing the index.
+
+While at it, adding an unlikely(), because the check is actually more of
+an assertion.
+
+Fixes: db56e4ecf5c2 ("batman-adv: Fragment and send skbs larger than mtu")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/464eff3b1768ff190466a453a57ac140ea5cb756
+---
+ net/batman-adv/fragmentation.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 31e97e9a..11149e5b 100644
+--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
+@@ -501,6 +501,12 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 
+ 	/* Eat and send fragments from the tail of skb */
+ 	while (skb->len > max_fragment_size) {
+		/* The initial check in this function should cover this case */
+		if (unlikely(frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1)) {
+			ret = -EINVAL;
+			goto put_primary_if;
+		}
+
+ 		skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
+ 		if (!skb_fragment) {
+ 			ret = -ENOMEM;
+@@ -517,12 +523,6 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 		}
+ 
+ 		frag_header.no++;
+-
+-		/* The initial check in this function should cover this case */
+-		if (frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1) {
+-			ret = -EINVAL;
+-			goto put_primary_if;
+-		}
+ 	}
+ 
+ 	/* Make room for the fragment header. */