batman-adv: 2013.2.0 stability fixes

Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>

batman-adv/Makefile

@@ -12,7 +12,7 @@ PKG_NAME:=batman-adv
 
 PKG_VERSION:=2013.2.0
 BATCTL_VERSION:=2013.2.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_MD5SUM:=9ec18300b96df22f0ed21c9f51e4ccef
 BATCTL_MD5SUM:=712f86cdd0f9076503fc48acf37e109e
 

batman-adv/patches/0001-batman-adv-use-the-proper-header-len-when-checking-t.patch

@@ -1,7 +1,7 @@
 From 9b96ecbae7295269aaa0320667f646870de65661 Mon Sep 17 00:00:00 2001
 From: Antonio Quartulli <antonio@open-mesh.com>
 Date: Wed, 3 Apr 2013 10:14:20 +0200
-Subject: [PATCH 1/2] batman-adv: use the proper header len when checking the
+Subject: [PATCH 1/6] batman-adv: use the proper header len when checking the
  TTVN
 
 Unicast packet might be of type either UNICAST or

batman-adv/patches/0002-batman-adv-vlan-add-protocol-argument-to-packet-tagging-fun.patch

@@ -1,7 +1,7 @@
 From 82d1a8ebf19a1b9841ee44ce7b2448114be3e772 Mon Sep 17 00:00:00 2001
 From: Patrick McHardy <kaber@trash.net>
 Date: Wed, 24 Apr 2013 17:42:56 +0200
-Subject: [PATCH 2/2] net: vlan: add protocol argument to packet tagging
+Subject: [PATCH 2/6] net: vlan: add protocol argument to packet tagging
  functions
 
 Add a protocol argument to the VLAN packet tagging functions. In case of HW

batman-adv/patches/0003-batman-adv-check-proto-length-before-accessing-proto.patch

@@ -0,0 +1,33 @@
+From aa7d19a5b97fe48657e075e8e4d130bd6916551e Mon Sep 17 00:00:00 2001
+From: Marek Lindner <lindner_marek@yahoo.de>
+Date: Sat, 27 Apr 2013 16:22:28 +0800
+Subject: [PATCH 3/6] batman-adv: check proto length before accessing proto
+ string buffer
+
+batadv_param_set_ra() strips the trailing '\n' from the supplied
+string buffer without checking the length of the buffer first. This
+patches avoids random memory access and associated potential
+crashes.
+
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+---
+ main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/main.c b/main.c
+index 3e30a0f..9c620cd 100644
+--- a/main.c
++++ b/main.c
+@@ -475,7 +475,7 @@ static int batadv_param_set_ra(const char *val, const struct kernel_param *kp)
+ 	char *algo_name = (char *)val;
+ 	size_t name_len = strlen(algo_name);
+ 
+-	if (algo_name[name_len - 1] == '\n')
++	if (name_len > 0 && algo_name[name_len - 1] == '\n')
+ 		algo_name[name_len - 1] = '\0';
+ 
+ 	bat_algo_ops = batadv_algo_get(algo_name);
+-- 
+1.7.10.4
+

batman-adv/patches/0004-batman-adv-check-return-value-of-pskb_trim_rcsum.patch

@@ -0,0 +1,44 @@
+From d22ebef1431aab13099370b89afa4ba55eb95c35 Mon Sep 17 00:00:00 2001
+From: Marek Lindner <lindner_marek@yahoo.de>
+Date: Tue, 7 May 2013 19:25:02 +0800
+Subject: [PATCH 4/6] batman-adv: check return value of pskb_trim_rcsum()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+Acked-by: Martin Hundebøll <martin@hundeboll.net>
+---
+ network-coding.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/network-coding.c b/network-coding.c
+index f7c5430..e84629e 100644
+--- a/network-coding.c
++++ b/network-coding.c
+@@ -1514,6 +1514,7 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ 	struct ethhdr *ethhdr, ethhdr_tmp;
+ 	uint8_t *orig_dest, ttl, ttvn;
+ 	unsigned int coding_len;
++	int err;
+ 
+ 	/* Save headers temporarily */
+ 	memcpy(&coded_packet_tmp, skb->data, sizeof(coded_packet_tmp));
+@@ -1568,8 +1569,11 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ 			 coding_len);
+ 
+ 	/* Resize decoded skb if decoded with larger packet */
+-	if (nc_packet->skb->len > coding_len + h_size)
+-		pskb_trim_rcsum(skb, coding_len + h_size);
++	if (nc_packet->skb->len > coding_len + h_size) {
++		err = pskb_trim_rcsum(skb, coding_len + h_size);
++		if (err)
++			return NULL;
++	}
+ 
+ 	/* Create decoded unicast packet */
+ 	unicast_packet = (struct batadv_unicast_packet *)skb->data;
+-- 
+1.7.10.4
+

batman-adv/patches/0005-batman-adv-make-DAT-drop-ARP-requests-targeting-loca.patch

@@ -0,0 +1,48 @@
+From d6bd8b36fa1f3d72a6fd5942a6e9bde6ddafcd0d Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <ordex@autistici.org>
+Date: Thu, 9 May 2013 09:35:45 +0200
+Subject: [PATCH 5/6] batman-adv: make DAT drop ARP requests targeting local
+ clients
+
+In the outgoing ARP request snooping routine in DAT, ARP
+Request sent by local clients which are supposed to be
+replied by other local clients can be silently dropped.
+
+The destination host will reply by itself through the LAN
+and therefore there is no need to involve DAT.
+
+Reported-by: Carlos Quijano <carlos@crqgestion.es>
+Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+Tested-by: Carlos Quijano <carlos@crqgestion.es>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+---
+ distributed-arp-table.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/distributed-arp-table.c b/distributed-arp-table.c
+index 8e15d96..2399920 100644
+--- a/distributed-arp-table.c
++++ b/distributed-arp-table.c
+@@ -837,6 +837,19 @@ bool batadv_dat_snoop_outgoing_arp_request(struct batadv_priv *bat_priv,
+ 
+ 	dat_entry = batadv_dat_entry_hash_find(bat_priv, ip_dst);
+ 	if (dat_entry) {
++		/* If the ARP request is destined for a local client the local
++		 * client will answer itself. DAT would only generate a
++		 * duplicate packet.
++		 *
++		 * Moreover, if the soft-interface is enslaved into a bridge, an
++		 * additional DAT answer may trigger kernel warnings about
++		 * a packet coming from the wrong port.
++		 */
++		if (batadv_is_my_client(bat_priv, dat_entry->mac_addr)) {
++			ret = true;
++			goto out;
++		}
++
+ 		skb_new = arp_create(ARPOP_REPLY, ETH_P_ARP, ip_src,
+ 				     bat_priv->soft_iface, ip_dst, hw_src,
+ 				     dat_entry->mac_addr, hw_src);
+-- 
+1.7.10.4
+

batman-adv/patches/0006-batman-adv-reorder-clean-up-routine-in-order-to-avoi.patch

@@ -0,0 +1,57 @@
+From 763f413b9c74ccb25cb066408f49f07e5dd78f9b Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <ordex@autistici.org>
+Date: Tue, 7 May 2013 01:06:18 +0200
+Subject: [PATCH 6/6] batman-adv: reorder clean up routine in order to avoid
+ race conditions
+
+nc_worker accesses the originator table during its periodic
+work, but since the originator table is freed before
+stopping the worker this leads to a global protection fault.
+
+Fix this by killing the worker (in nc_free) before freeing
+the originator table.
+
+Moreover tidy up the entire clean up routine by running all
+the subcomponents freeing procedures first and then killing
+the TT and the originator tables at the end.
+
+Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+---
+ main.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/main.c b/main.c
+index 9c620cd..1240f07 100644
+--- a/main.c
++++ b/main.c
+@@ -163,14 +163,22 @@ void batadv_mesh_free(struct net_device *soft_iface)
+ 	batadv_vis_quit(bat_priv);
+ 
+ 	batadv_gw_node_purge(bat_priv);
+-	batadv_originator_free(bat_priv);
+ 	batadv_nc_free(bat_priv);
++	batadv_dat_free(bat_priv);
++	batadv_bla_free(bat_priv);
+ 
++	/* Free the TT and the originator tables only after having terminated
++	 * all the other depending components which may use these structures for
++	 * their purposes.
++	 */
+ 	batadv_tt_free(bat_priv);
+ 
+-	batadv_bla_free(bat_priv);
+-
+-	batadv_dat_free(bat_priv);
++	/* Since the originator table clean up routine is accessing the TT
++	 * tables as well, it has to be invoked after the TT tables have been
++	 * freed and marked as empty. This ensures that no cleanup RCU callbacks
++	 * accessing the TT data are scheduled for later execution.
++	 */
++	batadv_originator_free(bat_priv);
+ 
+ 	free_percpu(bat_priv->bat_counters);
+ 
+-- 
+1.7.10.4
+