batman-adv: 2014.0.0 updated stability fixes

Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
2014-02-15 09:41:19 +08:00 · 2014-02-15 09:41:19 +08:00 · 2185559079
parent a9f43d29e9
commit 2185559079
14 changed files with 330 additions and 28 deletions
--- a/batman-adv/Makefile
+++ b/batman-adv/Makefile
@ -12,7 +12,7 @@ PKG_NAME:=batman-adv

 PKG_VERSION:=2014.0.0
 BATCTL_VERSION:=2014.0.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_MD5SUM:=8d58ecaede17dc05aab1b549dc09fa7d
 BATCTL_MD5SUM:=b0bcf29fef80ddcc33769e13f5937d0a

--- a/batman-adv/patches/0001-batman-adv-fix-batman-adv-header-overhead-calculatio.patch
+++ b/batman-adv/patches/0001-batman-adv-fix-batman-adv-header-overhead-calculatio.patch
@ -1,7 +1,7 @@
 From 746d6436f88899a79c1cb3b27af0614510368bb7 Mon Sep 17 00:00:00 2001
 From: Marek Lindner <mareklindner@neomailbox.ch>
 Date: Wed, 15 Jan 2014 20:31:18 +0800
-Subject: [PATCH 1/5] batman-adv: fix batman-adv header overhead calculation
+Subject: [PATCH 01/13] batman-adv: fix batman-adv header overhead calculation
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -34,5 +34,5 @@ index 4547bf0..fd85205 100644
 
 /**
 -- 
-1.8.5.3
+1.9.0.rc3

--- a/batman-adv/patches/0002-batman-adv-fix-potential-kernel-paging-error-for-uni.patch
+++ b/batman-adv/patches/0002-batman-adv-fix-potential-kernel-paging-error-for-uni.patch
@ -1,8 +1,8 @@
 From 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@web.de>
 Date: Mon, 20 Jan 2014 11:06:44 +0100
-Subject: [PATCH 2/5] batman-adv: fix potential kernel paging error for unicast
- transmissions
+Subject: [PATCH 02/13] batman-adv: fix potential kernel paging error for
+ unicast transmissions
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -40,5 +40,5 @@ index b0a3d76..2035bd9 100644
 
 	/* inform the destination node that we are still missing a correct route
 -- 
-1.8.5.3
+1.9.0.rc3

--- a/batman-adv/patches/0003-batman-adv-fix-soft-interface-MTU-computation.patch
+++ b/batman-adv/patches/0003-batman-adv-fix-soft-interface-MTU-computation.patch
@ -1,7 +1,7 @@
 From 2b108ccd0533e1375e44c73ec58c69dde9a71687 Mon Sep 17 00:00:00 2001
 From: Antonio Quartulli <antonio@meshcoding.com>
 Date: Tue, 21 Jan 2014 11:22:05 +0100
-Subject: [PATCH 3/5] batman-adv: fix soft-interface MTU computation
+Subject: [PATCH 03/13] batman-adv: fix soft-interface MTU computation

 The current MTU computation always returns a value
 smaller than 1500bytes even if the real interfaces
@ -71,5 +71,5 @@ index 6792e03..0eb0b3b 100644
 
 /* adjusts the MTU if a new interface with a smaller MTU appeared. */
 -- 
-1.8.5.3
+1.9.0.rc3

--- a/batman-adv/patches/0004-batman-adv-fix-TT-TVLV-parsing-on-OGM-reception.patch
+++ b/batman-adv/patches/0004-batman-adv-fix-TT-TVLV-parsing-on-OGM-reception.patch
@ -1,7 +1,7 @@
 From db13d361ff6abf57090acfdeb0f5cedd8dd7f02e Mon Sep 17 00:00:00 2001
 From: Antonio Quartulli <antonio@meshcoding.com>
 Date: Mon, 27 Jan 2014 12:23:28 +0100
-Subject: [PATCH 4/5] batman-adv: fix TT-TVLV parsing on OGM reception
+Subject: [PATCH 04/13] batman-adv: fix TT-TVLV parsing on OGM reception

 When accessing a TT-TVLV container in the OGM RX path
 the variable pointing to the list of changes to apply is
@ -31,5 +31,5 @@ index 3fca99d..45b6155 100644
 					 ttvn, tt_change);
 
 -- 
-1.8.5.3
+1.9.0.rc3

--- a/batman-adv/patches/0005-batman-adv-release-vlan-object-after-checking-the-CR.patch
+++ b/batman-adv/patches/0005-batman-adv-release-vlan-object-after-checking-the-CR.patch
@ -1,7 +1,7 @@
 From dc08c045b46bdd9a5c81068a89f9f2a78d3d4bbd Mon Sep 17 00:00:00 2001
 From: Antonio Quartulli <antonio@meshcoding.com>
 Date: Tue, 28 Jan 2014 02:06:47 +0100
-Subject: [PATCH 5/5] batman-adv: release vlan object after checking the CRC
+Subject: [PATCH 05/13] batman-adv: release vlan object after checking the CRC

 There is a refcounter unbalance in the CRC checking routine
 invoked on OGM reception. A vlan object is retrieved (thus
@ -46,5 +46,5 @@ index 45b6155..05c2a9b 100644
 	}
 
 -- 
-1.8.5.3
+1.9.0.rc3

--- a/batman-adv/patches/0006-batman-adv-properly-check-pskb_may_pull-return-value.patch
+++ b/batman-adv/patches/0006-batman-adv-properly-check-pskb_may_pull-return-value.patch
@ -0,0 +1,34 @@
+From eabdc3175b1d119cd673f36d06264cddb4803ace Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@meshcoding.com>
+Date: Thu, 30 Jan 2014 00:12:24 +0100
+Subject: [PATCH 06/13] batman-adv: properly check pskb_may_pull return value
+
+pskb_may_pull() returns 1 on success and 0 in case of failure,
+therefore checking for the return value being negative does
+not make sense at all.
+
+This way if the function fails we will probably read beyond the current
+skb data buffer. Fix this by doing the proper check.
+
+Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ routing.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/routing.c b/routing.c
+index f28920f..f7579d0 100644
+--- a/routing.c
+++ b/routing.c
+@@ -833,7 +833,7 @@ static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
+ 	int is_old_ttvn;
+ 
+ 	/* check if there is enough data before accessing it */
+-	if (pskb_may_pull(skb, hdr_len + ETH_HLEN) < 0)
+	if (!pskb_may_pull(skb, hdr_len + ETH_HLEN))
+ 		return 0;
+ 
+ 	/* create a copy of the skb (in case of for re-routing) to modify it. */
+-- 
+1.9.0.rc3
+
--- a/batman-adv/patches/0007-batman-adv-remove-useless-assignment.patch
+++ b/batman-adv/patches/0007-batman-adv-remove-useless-assignment.patch
@ -0,0 +1,30 @@
+From 9a91d33c0ea234faf59ee7543d5253e6809a6b6f Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@meshcoding.com>
+Date: Thu, 30 Jan 2014 13:57:27 +0100
+Subject: [PATCH 07/13] batman-adv: remove useless assignment
+
+Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb
+   ("batman-adv: fix potential kernel paging error for unicast transmissions")
+
+Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ send.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/send.c b/send.c
+index 2035bd9..75be770 100644
+--- a/send.c
+++ b/send.c
+@@ -256,7 +256,7 @@ static int batadv_send_skb_unicast(struct batadv_priv *bat_priv,
+ 				   struct batadv_orig_node *orig_node,
+ 				   unsigned short vid)
+ {
+-	struct ethhdr *ethhdr = (struct ethhdr *)skb->data;
+	struct ethhdr *ethhdr;
+ 	struct batadv_unicast_packet *unicast_packet;
+ 	int ret = NET_XMIT_DROP;
+ 
+-- 
+1.9.0.rc3
+
--- a/batman-adv/patches/0008-batman-adv-backport-eth_hdr-compat-fix-to-avoid-kern.patch
+++ b/batman-adv/patches/0008-batman-adv-backport-eth_hdr-compat-fix-to-avoid-kern.patch
@ -1,32 +1,26 @@
-From f9170f22998a276e04b4c7d91da4c373609d28b3 Mon Sep 17 00:00:00 2001
+From b921e8f70aa929766856decfe79ee8e78ba21e23 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@web.de>
-Date: Sun, 19 Jan 2014 22:22:45 +0100
-Subject: [PATCH] batman-adv: use vlan_/eth_hdr() instead of skb->data in
- interface_tx path
+Date: Sun, 2 Feb 2014 22:53:11 +0800
+Subject: [PATCH 08/13] batman-adv: backport eth_hdr() compat fix to avoid
+ kernel oops
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

-Our .ndo_start_xmit handler (batadv_interface_tx()) can rely on having
-the skb mac header pointer set correctly since the following commit
-present in kernels >= 3.9:
+Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb
+   ("batman-adv: fix potential kernel paging error for unicast transmissions")

-"net: reset mac header in dev_start_xmit()" (6d1ccff627)
-
-Therefore we can safely use eth_hdr() and vlan_eth_hdr() instead of
-skb->data now, which spares us some ugly type casts.
-
-Signed-off-by: Linus Lüssing <linus.luessing@web.de>
 Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+CC: Linus Lüssing <linus.luessing@web.de>
 ---
 compat.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

 diff --git a/compat.h b/compat.h
-index 57c9d96..9692ed2 100644
+index a4ab202..deea92b 100644
 --- a/compat.h
 +++ b/compat.h
-@@ -302,6 +302,17 @@ static int batadv_interface_set_mac_addr(struct net_device *dev, void *p) \
+@@ -289,6 +289,17 @@ static int batadv_interface_set_mac_addr(struct net_device *dev, void *p) \
 }\
 static int __batadv_interface_set_mac_addr(x, y)
 
@ -45,5 +39,5 @@ index 57c9d96..9692ed2 100644
 #define netdev_upper_dev_unlink(slave, master) netdev_set_master(slave, NULL)
 #define netdev_master_upper_dev_get(dev) \
 -- 
-1.8.5.3
+1.9.0.rc3

--- a/batman-adv/patches/0009-batman-adv-fix-potential-orig_node-reference-leak.patch
+++ b/batman-adv/patches/0009-batman-adv-fix-potential-orig_node-reference-leak.patch
@ -0,0 +1,34 @@
+From cb4d66e6803b854663ee758e3eecbda183b0b007 Mon Sep 17 00:00:00 2001
+From: Simon Wunderlich <sw@simonwunderlich.de>
+Date: Sat, 8 Feb 2014 16:45:06 +0100
+Subject: [PATCH 09/13] batman-adv: fix potential orig_node reference leak
+
+Since batadv_orig_node_new() sets the refcount to two, assuming that
+the calling function will use a reference for putting the orig_node into
+a hash or similar, both references must be freed if initialization of
+the orig_node fails. Otherwise that object may be leaked in that error
+case.
+
+Reported-by: Antonio Quartulli <antonio@meshcoding.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ bat_iv_ogm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/bat_iv_ogm.c b/bat_iv_ogm.c
+index 6f4fcdc..c07e59f 100644
+--- a/bat_iv_ogm.c
+++ b/bat_iv_ogm.c
+@@ -256,6 +256,8 @@ batadv_iv_ogm_orig_get(struct batadv_priv *bat_priv, const uint8_t *addr)
+ free_bcast_own:
+ 	kfree(orig_node->bat_iv.bcast_own);
+ free_orig_node:
+	/* free twice, as batadv_orig_node_new sets refcount to 2 */
+	batadv_orig_node_free_ref(orig_node);
+ 	batadv_orig_node_free_ref(orig_node);
+ 
+ 	return NULL;
+-- 
+1.9.0.rc3
+
--- a/batman-adv/patches/0010-batman-adv-fix-memory-access-by-setting-mac_header-i.patch
+++ b/batman-adv/patches/0010-batman-adv-fix-memory-access-by-setting-mac_header-i.patch
@ -0,0 +1,44 @@
+From df99b07081eeda5cca292afe2dcc5cb3bf5be154 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@meshcoding.com>
+Date: Tue, 11 Feb 2014 11:26:43 +0100
+Subject: [PATCH 10/13] batman-adv: fix memory access by setting mac_header in
+ DAT
+
+In the TX path we now have functions that rely on the
+skb->mac_header field. DAT does not set such field when
+creating its own ARP packets thus leading to wrong memory
+access.
+
+Fix it by always setting the mac_header after having forged
+the ARP packet.
+
+Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb
+("batman-adv: fix potential kernel paging error for unicast transmissions")
+
+Reported-by: Russel Senior <russell@personaltelco.net>
+Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
+Tested-by: Russel Senior <russell@personaltelco.net>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ distributed-arp-table.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/distributed-arp-table.c b/distributed-arp-table.c
+index 6da587a..0b69b61 100644
+--- a/distributed-arp-table.c
+++ b/distributed-arp-table.c
+@@ -1028,6 +1028,11 @@ bool batadv_dat_snoop_incoming_arp_request(struct batadv_priv *bat_priv,
+ 	if (!skb_new)
+ 		goto out;
+ 
+	/* the rest of the TX path assumes that the mac_header offset pointing
+	 * to the inner Ethernet header has been set, therefore reset it now.
+	 */
+	skb_reset_mac_header(skb_new);
+
+ 	if (vid & BATADV_VLAN_HAS_TAG)
+ 		skb_new = vlan_insert_tag(skb_new, htons(ETH_P_8021Q),
+ 					  vid & VLAN_VID_MASK);
+-- 
+1.9.0.rc3
+
--- a/batman-adv/patches/0011-batman-adv-fix-TT-CRC-computation-by-ensuring-byte-o.patch
+++ b/batman-adv/patches/0011-batman-adv-fix-TT-CRC-computation-by-ensuring-byte-o.patch
@ -0,0 +1,82 @@
+From be4385eacf30ad55a5cf4574768624ce8141a0c7 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@open-mesh.com>
+Date: Tue, 11 Feb 2014 17:05:06 +0100
+Subject: [PATCH 11/13] batman-adv: fix TT CRC computation by ensuring byte
+ order
+
+When computing the CRC on a 2byte variable the order of
+the bytes obviously alters the final result. This means
+that computing the CRC over the same value on two archs
+having different endianess leads to different numbers.
+
+The global and local translation table CRC computation
+routine makes this mistake while processing the clients
+VIDs. The result is a continuous CRC mismatching between
+nodes having different endianess.
+
+Fix this by converting the VID to Network Order before
+processing it. This guarantees that every node uses the same
+byte order.
+
+Introduced by 21a57f6e7a3b4455dfe68ee07a7b901d9e7f200b
+("batman-adv: make the TT CRC logic VLAN specific")
+
+Reported-by: Russel Senior <russell@personaltelco.net>
+Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
+Tested-by: Russell Senior <russell@personaltelco.net>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ translation-table.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/translation-table.c b/translation-table.c
+index 05c2a9b..24e3267 100644
+--- a/translation-table.c
+++ b/translation-table.c
+@@ -1961,6 +1961,7 @@ static uint32_t batadv_tt_global_crc(struct batadv_priv *bat_priv,
+ 	struct hlist_head *head;
+ 	uint32_t i, crc_tmp, crc = 0;
+ 	uint8_t flags;
+	__be16 tmp_vid;
+ 
+ 	for (i = 0; i < hash->size; i++) {
+ 		head = &hash->table[i];
+@@ -1997,8 +1998,11 @@ static uint32_t batadv_tt_global_crc(struct batadv_priv *bat_priv,
+ 							     orig_node))
+ 				continue;
+ 
+-			crc_tmp = crc32c(0, &tt_common->vid,
+-					 sizeof(tt_common->vid));
+			/* use network order to read the VID: this ensures that
+			 * every node reads the bytes in the same order.
+			 */
+			tmp_vid = htons(tt_common->vid);
+			crc_tmp = crc32c(0, &tmp_vid, sizeof(tmp_vid));
+ 
+ 			/* compute the CRC on flags that have to be kept in sync
+ 			 * among nodes
+@@ -2032,6 +2036,7 @@ static uint32_t batadv_tt_local_crc(struct batadv_priv *bat_priv,
+ 	struct hlist_head *head;
+ 	uint32_t i, crc_tmp, crc = 0;
+ 	uint8_t flags;
+	__be16 tmp_vid;
+ 
+ 	for (i = 0; i < hash->size; i++) {
+ 		head = &hash->table[i];
+@@ -2050,8 +2055,11 @@ static uint32_t batadv_tt_local_crc(struct batadv_priv *bat_priv,
+ 			if (tt_common->flags & BATADV_TT_CLIENT_NEW)
+ 				continue;
+ 
+-			crc_tmp = crc32c(0, &tt_common->vid,
+-					 sizeof(tt_common->vid));
+			/* use network order to read the VID: this ensures that
+			 * every node reads the bytes in the same order.
+			 */
+			tmp_vid = htons(tt_common->vid);
+			crc_tmp = crc32c(0, &tmp_vid, sizeof(tmp_vid));
+ 
+ 			/* compute the CRC on flags that have to be kept in sync
+ 			 * among nodes
+-- 
+1.9.0.rc3
+
--- a/batman-adv/patches/0012-batman-adv-free-skb-on-TVLV-parsing-success.patch
+++ b/batman-adv/patches/0012-batman-adv-free-skb-on-TVLV-parsing-success.patch
@ -0,0 +1,37 @@
+From 9289542085d7e298b90c7b6fb6efb509dab69d8b Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@open-mesh.com>
+Date: Tue, 11 Feb 2014 17:05:07 +0100
+Subject: [PATCH 12/13] batman-adv: free skb on TVLV parsing success
+
+When the TVLV parsing routine succeed the skb is left
+untouched thus leading to a memory leak.
+
+Fix this by consuming the skb in case of success.
+
+Introduced by 0b6aa0d43767889eeda43a132cf5e73df4e63bf2
+("batman-adv: tvlv - basic infrastructure")
+
+Reported-by: Russel Senior <russell@personaltelco.net>
+Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
+Tested-by: Russell Senior <russell@personaltelco.net>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ routing.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/routing.c b/routing.c
+index f7579d0..71bf698 100644
+--- a/routing.c
+++ b/routing.c
+@@ -1063,6 +1063,8 @@ int batadv_recv_unicast_tvlv(struct sk_buff *skb,
+ 
+ 	if (ret != NET_RX_SUCCESS)
+ 		ret = batadv_route_unicast_packet(skb, recv_if);
+	else
+		consume_skb(skb);
+ 
+ 	return ret;
+ }
+-- 
+1.9.0.rc3
+
--- a/batman-adv/patches/0013-batman-adv-avoid-double-free-when-orig_node-initiali.patch
+++ b/batman-adv/patches/0013-batman-adv-avoid-double-free-when-orig_node-initiali.patch
@ -0,0 +1,47 @@
+From d4acda1cb9cca135e7b91777bb2680518b3cffa0 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@meshcoding.com>
+Date: Sat, 15 Feb 2014 02:17:20 +0100
+Subject: [PATCH 13/13] batman-adv: avoid double free when orig_node
+ initialization fails
+
+In the failure path of the orig_node initialization routine
+the orig_node->bat_iv.bcast_own field is free'd twice: first
+in batadv_iv_ogm_orig_get() and then later in
+batadv_orig_node_free_rcu().
+
+Fix it by removing the kfree in batadv_iv_ogm_orig_get().
+
+Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ bat_iv_ogm.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/bat_iv_ogm.c b/bat_iv_ogm.c
+index c07e59f..fdf4322 100644
+--- a/bat_iv_ogm.c
+++ b/bat_iv_ogm.c
+@@ -243,18 +243,16 @@ batadv_iv_ogm_orig_get(struct batadv_priv *bat_priv, const uint8_t *addr)
+ 	size = bat_priv->num_ifaces * sizeof(uint8_t);
+ 	orig_node->bat_iv.bcast_own_sum = kzalloc(size, GFP_ATOMIC);
+ 	if (!orig_node->bat_iv.bcast_own_sum)
+-		goto free_bcast_own;
+		goto free_orig_node;
+ 
+ 	hash_added = batadv_hash_add(bat_priv->orig_hash, batadv_compare_orig,
+ 				     batadv_choose_orig, orig_node,
+ 				     &orig_node->hash_entry);
+ 	if (hash_added != 0)
+-		goto free_bcast_own;
+		goto free_orig_node;
+ 
+ 	return orig_node;
+ 
+-free_bcast_own:
+-	kfree(orig_node->bat_iv.bcast_own);
+ free_orig_node:
+ 	/* free twice, as batadv_orig_node_new sets refcount to 2 */
+ 	batadv_orig_node_free_ref(orig_node);
+-- 
+1.9.0.rc3
+