diff --git a/batman-adv/patches/0001-batman-adv-make-sure-ELP-OGM-orig-MAC-is-updated-on-.patch b/batman-adv/patches/0001-batman-adv-make-sure-ELP-OGM-orig-MAC-is-updated-on-.patch
new file mode 100644
index 0000000..70adb91
--- /dev/null
+++ b/batman-adv/patches/0001-batman-adv-make-sure-ELP-OGM-orig-MAC-is-updated-on-.patch
@@ -0,0 +1,64 @@
+From a636bf0b69010222ea58337d425ca9ff8ce52639 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli
+Date: Mon, 2 May 2016 18:27:38 +0800
+Subject: [PATCH 1/6] batman-adv: make sure ELP/OGM orig MAC is updated on
+ address change
+
+When the MAC address of the primary interface is changed,
+update the originator address in the ELP and OGM skb buffers as
+well in order to reflect the change.
+
+Fixes: a4b88af77e28 ("batman-adv: ELP - adding basic infrastructure")
+Reported-by: Marek Lindner
+Signed-off-by: Antonio Quartulli
+Signed-off-by: Marek Lindner
+---
+ net/batman-adv/bat_v.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
+index 4026f19..4547fce 100644
+--- a/net/batman-adv/bat_v.c
++++ b/net/batman-adv/bat_v.c
+@@ -72,16 +72,34 @@ static void batadv_v_iface_disable(struct batadv_hard_iface *hard_iface)
+ batadv_v_elp_iface_disable(hard_iface);
+ }
+
+-static void batadv_v_iface_update_mac(struct batadv_hard_iface *hard_iface)
+-{
+-}
+-
+ static void batadv_v_primary_iface_set(struct batadv_hard_iface *hard_iface)
+ {
+ batadv_v_elp_primary_iface_set(hard_iface);
+ batadv_v_ogm_primary_iface_set(hard_iface);
+ }
+
++/**
++ * batadv_v_iface_update_mac - react to hard-interface MAC address change
++ * @hard_iface: the modified interface
++ *
++ * If the modified interface is the primary one, update the originator
++ * address in the ELP and OGM messages to reflect the new MAC address.
++ */
++static void batadv_v_iface_update_mac(struct batadv_hard_iface *hard_iface)
++{
++ struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
++ struct batadv_hard_iface *primary_if;
++
++ primary_if = batadv_primary_if_get_selected(bat_priv);
++ if (primary_if != hard_iface)
++ goto out;
++
++ batadv_v_primary_iface_set(hard_iface);
++out:
++ if (primary_if)
++ batadv_hardif_put(primary_if);
++}
++
+ static void
+ batadv_v_hardif_neigh_init(struct batadv_hardif_neigh_node *hardif_neigh)
+ {
+--
+2.8.0.rc3
+
diff --git a/batman-adv/patches/0002-batman-adv-Avoid-duplicate-neigh_node-additions.patch b/batman-adv/patches/0002-batman-adv-Avoid-duplicate-neigh_node-additions.patch
new file mode 100644
index 0000000..ea191b3
--- /dev/null
+++ b/batman-adv/patches/0002-batman-adv-Avoid-duplicate-neigh_node-additions.patch
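Review bot: In the new `batadv_v_iface_update_mac()`, `netdev_priv(hard_iface->soft_iface)` is evaluated in the declaration, before any check, so the function is only safe while the interface is attached to a soft interface. The caller is outside this patch, so that precondition cannot be confirmed here; the kernel-doc should state it, for example `* Must only be called while @hard_iface->soft_iface is set.` A one-line comment at `out:` noting that `batadv_primary_if_get_selected()` appears to return a counted reference would also explain why `batadv_hardif_put()` runs on both paths.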
@@ -0,0 +1,89 @@
+From 8013ae257447c99d7ba037967458f91ceb4051ae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?=
+Date: Thu, 7 Jan 2016 08:11:12 +0100
+Subject: [PATCH 2/6] batman-adv: Avoid duplicate neigh_node additions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Two parallel calls to batadv_neigh_node_new() might race for creating
+and adding the same neig_node. Fix this by including the check for any
+already existing, identical neigh_node within the spin-lock.
+
+This fixes splats like the following:
+
+[ 739.535069] ------------[ cut here ]------------
+[ 739.535079] WARNING: CPU: 0 PID: 0 at /usr/src/batman-adv/git/batman-adv/net/batman-adv/bat_iv_ogm.c:1004 batadv_iv_ogm_process_per_outif+0xe3f/0xe60 [batman_adv]()
+[ 739.535092] too many matching neigh_nodes
+[ 739.535094] Modules linked in: dm_mod tun ip6table_filter ip6table_mangle ip6table_nat nf_nat_ipv6 ip6_tables xt_nat iptable_nat nf_nat_ipv4 nf_nat xt_TCPMSS xt_mark iptable_mangle xt_tcpudp xt_conntrack iptable_filter ip_tables x_tables ip_gre ip_tunnel gre bridge stp llc thermal_sys kvm_intel kvm crct10dif_pclmul crc32_pclmul sha256_ssse3 sha256_generic hmac drbg ansi_cprng aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd evdev pcspkr ip6_gre ip6_tunnel tunnel6 batman_adv(O) libcrc32c nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack autofs4 ext4 crc16 mbcache jbd2 xen_netfront xen_blkfront crc32c_intel
+[ 739.535177] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W O 4.2.0-0.bpo.1-amd64 #1 Debian 4.2.6-3~bpo8+2
+[ 739.535186] 0000000000000000 ffffffffa013b050 ffffffff81554521 ffff88007d003c18
+[ 739.535201] ffffffff8106fa01 0000000000000000 ffff8800047a087a ffff880079c3a000
+[ 739.735602] ffff88007b82bf40 ffff88007bc2d1c0 ffffffff8106fa7a ffffffffa013aa8e
+[ 739.735624] Call Trace:
+[ 739.735639] [] ? dump_stack+0x40/0x50
+[ 739.735677] [] ? warn_slowpath_common+0x81/0xb0
+[ 739.735692] [] ? warn_slowpath_fmt+0x4a/0x50
+[ 739.735715] [] ? batadv_iv_ogm_process_per_outif+0xe3f/0xe60 [batman_adv]
+[ 739.735740] [] ? batadv_iv_ogm_receive+0x363/0x380 [batman_adv]
+[ 739.735762] [] ? batadv_iv_ogm_receive+0x363/0x380 [batman_adv]
+[ 739.735783] [] ? __raw_callee_save___pv_queued_spin_unlock+0x11/0x20
+[ 739.735804] [] ? batadv_batman_skb_recv+0xc9/0x110 [batman_adv]
+[ 739.735825] [] ? __netif_receive_skb_core+0x841/0x9a0
+[ 739.735838] [] ? __raw_callee_save___pv_queued_spin_unlock+0x11/0x20
+[ 739.735853] [] ? process_backlog+0xa1/0x140
+[ 739.735864] [] ? net_rx_action+0x20a/0x320
+[ 739.735878] [] ? __do_softirq+0x107/0x270
+[ 739.735891] [] ? irq_exit+0x92/0xa0
+[ 739.735905] [] ? xen_evtchn_do_upcall+0x31/0x40
+[ 739.735924] [] ? xen_do_hypervisor_callback+0x1e/0x40
+[ 739.735939] [] ? xen_hypercall_sched_op+0xa/0x20
+[ 739.735965] [] ? xen_hypercall_sched_op+0xa/0x20
+[ 739.735979] [] ? xen_safe_halt+0xc/0x20
+[ 739.735991] [] ? default_idle+0x1c/0xa0
+[ 739.736004] [] ? cpu_startup_entry+0x2eb/0x350
+[ 739.736019] [] ? start_kernel+0x480/0x48b
+[ 739.736032] [] ? xen_start_kernel+0x507/0x511
+[ 739.736048] ---[ end trace c106bb901244bc8c ]---
+
+Reported-by: Martin Weinelt
+Signed-off-by: Linus Lüssing
+Signed-off-by: Marek Lindner
+---
+ net/batman-adv/originator.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
+index c355a82..28241a4 100644
+--- a/net/batman-adv/originator.c
++++ b/net/batman-adv/originator.c
+@@ -630,6 +630,8 @@ batadv_neigh_node_new(struct batadv_orig_node *orig_node,
+ struct batadv_neigh_node *neigh_node;
+ struct batadv_hardif_neigh_node *hardif_neigh = NULL;
+
++ spin_lock_bh(&orig_node->neigh_list_lock);
++
+ neigh_node = batadv_neigh_node_get(orig_node, hard_iface, neigh_addr);
+ if (neigh_node)
+ goto out;
+@@ -666,15 +668,15 @@ batadv_neigh_node_new(struct batadv_orig_node *orig_node,
+ kref_init(&neigh_node->refcount);
+ kref_get(&neigh_node->refcount);
+
+- spin_lock_bh(&orig_node->neigh_list_lock);
+ hlist_add_head_rcu(&neigh_node->list, &orig_node->neigh_list);
+- spin_unlock_bh(&orig_node->neigh_list_lock);
+
+ batadv_dbg(BATADV_DBG_BATMAN, orig_node->bat_priv,
+ "Creating new neighbor %pM for orig_node %pM on interface %s\n",
+ neigh_addr, orig_node->orig, hard_iface->net_dev->name);
+
+ out:
++ spin_unlock_bh(&orig_node->neigh_list_lock);
++
+ if (hardif_neigh)
+ batadv_hardif_neigh_put(hardif_neigh);
+ return neigh_node;
+--
+2.8.0.rc3
+
diff --git a/batman-adv/patches/0003-batman-adv-Avoid-nullptr-derefence-in-batadv_v_neigh.patch b/batman-adv/patches/0003-batman-adv-Avoid-nullptr-derefence-in-batadv_v_neigh.patch
new file mode 100644
index 0000000..aa07ad5
--- /dev/null
+++ b/batman-adv/patches/0003-batman-adv-Avoid-nullptr-derefence-in-batadv_v_neigh.patch
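Review bot: Taking `spin_lock_bh(&orig_node->neigh_list_lock)` at the top of `batadv_neigh_node_new()` puts everything up to `out:` inside a BH-disabled critical section, including the stretch between the two inner hunks (old lines 636-665) that this patch does not show. Whatever runs there, presumably the hardif_neigh lookup and the neigh_node allocation, must not sleep and must allocate atomically, and every early exit in it has to leave through `out:` or the lock is never released; that needs checking against the full function. A comment at the lock, such as `/* lookup and insert must happen under one lock, otherwise two callers can both miss and both add */`, would record why the lookup moved inside.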
@@ -0,0 +1,38 @@
+From 036aa7b7181ee96ae6971eb31dd97b6ace7c0a80 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Fri, 6 May 2016 11:43:38 +0200
+Subject: [PATCH 3/6] batman-adv: Avoid nullptr derefence in
+ batadv_v_neigh_is_sob
+
+batadv_neigh_ifinfo_get can return NULL when it cannot find (even when only
+temporarily) anymore the neigh_ifinfo in the list neigh->ifinfo_list. This
+has to be checked to avoid kernel Oopses when the ifinfo is dereferenced.
+
+This a situation which isn't expected but is already handled by functions
+like batadv_v_neigh_cmp. The same kind of warning is therefore used before
+the function returns without dereferencing the pointers.
+
+Fixes: b05bbab5e1fc ("batman-adv: B.A.T.M.A.N. V - implement neighbor comparison API calls")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Marek Lindner
+---
+ net/batman-adv/bat_v.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
+index 4547fce..7e1467a 100644
+--- a/net/batman-adv/bat_v.c
++++ b/net/batman-adv/bat_v.c
+@@ -295,6 +295,9 @@ static bool batadv_v_neigh_is_sob(struct batadv_neigh_node *neigh1,
+ ifinfo1 = batadv_neigh_ifinfo_get(neigh1, if_outgoing1);
+ ifinfo2 = batadv_neigh_ifinfo_get(neigh2, if_outgoing2);
+
++ if (WARN_ON(!ifinfo1 || !ifinfo2))
++ return false;
++
+ threshold = ifinfo1->bat_v.throughput / 4;
+ threshold = ifinfo1->bat_v.throughput - threshold;
+
+--
+2.8.0.rc3
+
diff --git a/batman-adv/patches/0004-batman-adv-Fix-refcnt-leak-in-batadv_v_neigh_.patch b/batman-adv/patches/0004-batman-adv-Fix-refcnt-leak-in-batadv_v_neigh_.patch
new file mode 100644
index 0000000..15ef21c
--- /dev/null
+++ b/batman-adv/patches/0004-batman-adv-Fix-refcnt-leak-in-batadv_v_neigh_.patch
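Review bot: `WARN_ON(!ifinfo1 || !ifinfo2)` in `batadv_v_neigh_is_sob()` fires on a condition the commit message itself says can occur temporarily, so every occurrence prints a full backtrace and, on systems running with `panic_on_warn`, halts the machine. Whether the missing ifinfo can be provoked by mesh traffic or interface churn is not determinable from this hunk, but if it can, the check becomes a log-flooding or availability problem; `if (WARN_ON_ONCE(!ifinfo1 || !ifinfo2))` keeps the diagnostic without repeating it. The same applies to the four `WARN_ON()` checks that patch 4/6 adds in `batadv_v_neigh_cmp()` and `batadv_v_neigh_is_sob()`. The function body starts and ends outside the hunk.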
@@ -0,0 +1,81 @@
+From 650d41de4be2fe9e9d1842c1abdd357dedbaa7ba Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Fri, 6 May 2016 11:43:39 +0200
+Subject: [PATCH 4/6] batman-adv: Fix refcnt leak in batadv_v_neigh_*
+
+The functions batadv_neigh_ifinfo_get increase the reference counter of the
+batadv_neigh_ifinfo. These have to be reduced again when the reference is
+not used anymore to correctly free the objects.
+
+Fixes: b05bbab5e1fc ("batman-adv: B.A.T.M.A.N. V - implement neighbor comparison API calls")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Marek Lindner
+---
+ net/batman-adv/bat_v.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
+index 7e1467a..2bcb29b 100644
+--- a/net/batman-adv/bat_v.c
++++ b/net/batman-adv/bat_v.c
+@@ -274,14 +274,23 @@ static int batadv_v_neigh_cmp(struct batadv_neigh_node *neigh1,
+ struct batadv_hard_iface *if_outgoing2)
+ {
+ struct batadv_neigh_ifinfo *ifinfo1, *ifinfo2;
++ int ret = 0;
+
+ ifinfo1 = batadv_neigh_ifinfo_get(neigh1, if_outgoing1);
++ if (WARN_ON(!ifinfo1))
++ goto err_ifinfo1;
++
+ ifinfo2 = batadv_neigh_ifinfo_get(neigh2, if_outgoing2);
++ if (WARN_ON(!ifinfo2))
++ goto err_ifinfo2;
+
+- if (WARN_ON(!ifinfo1 || !ifinfo2))
+- return 0;
++ ret = ifinfo1->bat_v.throughput - ifinfo2->bat_v.throughput;
+
+- return ifinfo1->bat_v.throughput - ifinfo2->bat_v.throughput;
++ batadv_neigh_ifinfo_put(ifinfo2);
++err_ifinfo2:
++ batadv_neigh_ifinfo_put(ifinfo1);
++err_ifinfo1:
++ return ret;
+ }
+
+ static bool batadv_v_neigh_is_sob(struct batadv_neigh_node *neigh1,
+@@ -291,17 +300,26 @@ static bool batadv_v_neigh_is_sob(struct batadv_neigh_node *neigh1,
+ {
+ struct batadv_neigh_ifinfo *ifinfo1, *ifinfo2;
+ u32 threshold;
++ bool ret = false;
+
+ ifinfo1 = batadv_neigh_ifinfo_get(neigh1, if_outgoing1);
+- ifinfo2 = batadv_neigh_ifinfo_get(neigh2, if_outgoing2);
++ if (WARN_ON(!ifinfo1))
++ goto err_ifinfo1;
+
+- if (WARN_ON(!ifinfo1 || !ifinfo2))
+- return false;
++ ifinfo2 = batadv_neigh_ifinfo_get(neigh2, if_outgoing2);
++ if (WARN_ON(!ifinfo2))
++ goto err_ifinfo2;
+
+ threshold = ifinfo1->bat_v.throughput / 4;
+ threshold = ifinfo1->bat_v.throughput - threshold;
+
+- return ifinfo2->bat_v.throughput > threshold;
++ ret = ifinfo2->bat_v.throughput > threshold;
++
++ batadv_neigh_ifinfo_put(ifinfo2);
++err_ifinfo2:
++ batadv_neigh_ifinfo_put(ifinfo1);
++err_ifinfo1:
++ return ret;
+ }
+
+ static struct batadv_algo_ops batadv_batman_v __read_mostly = {
+--
+2.8.0.rc3
+
diff --git a/batman-adv/patches/0005-batman-adv-Fix-double-neigh_node_put-in-batadv_v_ogm.patch b/batman-adv/patches/0005-batman-adv-Fix-double-neigh_node_put-in-batadv_v_ogm.patch
new file mode 100644
index 0000000..8ea3788
--- /dev/null
+++ b/batman-adv/patches/0005-batman-adv-Fix-double-neigh_node_put-in-batadv_v_ogm.patch
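Review bot: In `batadv_v_neigh_cmp()`, `ret = ifinfo1->bat_v.throughput - ifinfo2->bat_v.throughput;` stores the difference of what look like unsigned 32-bit values (`batadv_v_neigh_is_sob()` holds the same field in a `u32 threshold`) in an `int`, so the sign comes out wrong once the two differ by more than INT_MAX. The expression is carried over from the old `return`, but since the line is rewritten here an explicit comparison would be safer, for example `ret = (ifinfo1->bat_v.throughput > ifinfo2->bat_v.throughput) - (ifinfo1->bat_v.throughput < ifinfo2->bat_v.throughput);`, provided callers use only the sign of the result, which is not visible in this patch. As a matter of style, the `err_ifinfo2:` and `err_ifinfo1:` labels are also reached on the success path in both functions, so names like `put_ifinfo1:` and `out:` would describe them better.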
@@ -0,0 +1,40 @@
+From fc3e79d9ef2a1006f94e441d9613749cbbe7176a Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Fri, 6 May 2016 22:27:09 +0200
+Subject: [PATCH 5/6] batman-adv: Fix double neigh_node_put in
+ batadv_v_ogm_route_update
+
+The router is put down twice when it was non-NULL and either orig_ifinfo is
+NULL afterwards or batman-adv receives a packet with the same sequence
+number. This will end up in a use-after-free when the batadv_neigh_node is
+removed because the reference counter ended up too early at 0.
+
+Fixes: 667996ebeab4 ("batman-adv: OGMv2 - implement originators logic")
+Reported-by: Gui Iribarren
+Tested-by: Antonio Quartulli
+Tested-by: Marek Lindner
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Marek Lindner
+---
+ net/batman-adv/bat_v_ogm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
+index d9bcbe6..91df28a 100644
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -529,8 +529,10 @@ static void batadv_v_ogm_route_update(struct batadv_priv *bat_priv,
+ goto out;
+ }
+
+- if (router)
++ if (router) {
+ batadv_neigh_node_put(router);
++ router = NULL;
++ }
+
+ /* Update routes, and check if the OGM is from the best next hop */
+ batadv_v_ogm_orig_update(bat_priv, orig_node, neigh_node, ogm2,
+--
+2.8.0.rc3
+
diff --git a/batman-adv/patches/0006-batman-adv-initialize-ELP-orig-address-on-secondary-.patch b/batman-adv/patches/0006-batman-adv-initialize-ELP-orig-address-on-secondary-.patch
new file mode 100644
index 0000000..f87ddf0
--- /dev/null
+++ b/batman-adv/patches/0006-batman-adv-initialize-ELP-orig-address-on-secondary-.patch
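Review bot: The `router = NULL;` added after `batadv_neigh_node_put(router)` in `batadv_v_ogm_route_update()` is what prevents a second put on a later exit path, yet nothing at that line says so, and the `out:` cleanup it guards against lies outside the hunk. A short comment would stop a later cleanup from removing the assignment as a dead store, for example `/* reference dropped; clear so the out: path does not put it again */`. It is also worth confirming in the full function that `router` is not read between this point and its next assignment.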
@@ -0,0 +1,110 @@
+From f58a0b03873fd3aa9568c11af198f997ed2208cc Mon Sep 17 00:00:00 2001
+From: Marek Lindner
+Date: Sat, 7 May 2016 19:54:17 +0800
+Subject: [PATCH 6/6] batman-adv: initialize ELP orig address on secondary
+ interfaces
+
+This fix prevents nodes to wrongly create a 00:00:00:00:00:00 originator
+which can potentially interfere with the rest of the neighbor statistics.
+
+Fixes: a4b88af77e28 ("batman-adv: ELP - adding basic infrastructure")
+Signed-off-by: Marek Lindner
+---
+ net/batman-adv/bat_v.c | 10 ++++++++++
+ net/batman-adv/bat_v_elp.c | 31 ++++++++++++++++++++++---------
+ net/batman-adv/bat_v_elp.h | 2 ++
+ 3 files changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
+index 2bcb29b..0caca2f 100644
+--- a/net/batman-adv/bat_v.c
++++ b/net/batman-adv/bat_v.c
+@@ -39,6 +39,16 @@
+
+ static void batadv_v_iface_activate(struct batadv_hard_iface *hard_iface)
+ {
++ struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
++ struct batadv_hard_iface *primary_if;
++
++ primary_if = batadv_primary_if_get_selected(bat_priv);
++
++ if (primary_if) {
++ batadv_v_elp_iface_activate(primary_if, hard_iface);
++ batadv_hardif_put(primary_if);
++ }
++
+ /* B.A.T.M.A.N. V does not use any queuing mechanism, therefore it can
+ * set the interface as ACTIVE right away, without any risk of race
+ * condition
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index 3844e7e..df42eb1 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -377,6 +377,27 @@ void batadv_v_elp_iface_disable(struct batadv_hard_iface *hard_iface)
+ }
+
+ /**
++ * batadv_v_elp_iface_activate - update the ELP buffer belonging to the given
++ * hard-interface
++ * @primary_iface: the new primary interface
++ * @hard_iface: interface holding the to-be-updated buffer
++ */
++void batadv_v_elp_iface_activate(struct batadv_hard_iface *primary_iface,
++ struct batadv_hard_iface *hard_iface)
++{
++ struct batadv_elp_packet *elp_packet;
++ struct sk_buff *skb;
++
++ if (!hard_iface->bat_v.elp_skb)
++ return;
++
++ skb = hard_iface->bat_v.elp_skb;
++ elp_packet = (struct batadv_elp_packet *)skb->data;
++ ether_addr_copy(elp_packet->orig,
++ primary_iface->net_dev->dev_addr);
++}
++
++/**
+ * batadv_v_elp_primary_iface_set - change internal data to reflect the new
+ * primary interface
+ * @primary_iface: the new primary interface
+@@ -384,8 +405,6 @@ void batadv_v_elp_iface_disable(struct batadv_hard_iface *hard_iface)
+ void batadv_v_elp_primary_iface_set(struct batadv_hard_iface *primary_iface)
+ {
+ struct batadv_hard_iface *hard_iface;
+- struct batadv_elp_packet *elp_packet;
+- struct sk_buff *skb;
+
+ /* update orig field of every elp iface belonging to this mesh */
+ rcu_read_lock();
+@@ -393,13 +412,7 @@ void batadv_v_elp_primary_iface_set(struct batadv_hard_iface *primary_iface)
+ if (primary_iface->soft_iface != hard_iface->soft_iface)
+ continue;
+
+- if (!hard_iface->bat_v.elp_skb)
+- continue;
+-
+- skb = hard_iface->bat_v.elp_skb;
+- elp_packet = (struct batadv_elp_packet *)skb->data;
+- ether_addr_copy(elp_packet->orig,
+- primary_iface->net_dev->dev_addr);
++ batadv_v_elp_iface_activate(primary_iface, hard_iface);
+ }
+ rcu_read_unlock();
+ }
+diff --git a/net/batman-adv/bat_v_elp.h b/net/batman-adv/bat_v_elp.h
+index e95f1bc..cc130b2 100644
+--- a/net/batman-adv/bat_v_elp.h
++++ b/net/batman-adv/bat_v_elp.h
+@@ -25,6 +25,8 @@ struct work_struct;
+
+ int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface);
+ void batadv_v_elp_iface_disable(struct batadv_hard_iface *hard_iface);
++void batadv_v_elp_iface_activate(struct batadv_hard_iface *primary_iface,
++ struct batadv_hard_iface *hard_iface);
+ void batadv_v_elp_primary_iface_set(struct batadv_hard_iface *primary_iface);
+ int batadv_v_elp_packet_recv(struct sk_buff *skb,
+ struct batadv_hard_iface *if_incoming);
+--
+2.8.0.rc3
+
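Review bot: `batadv_v_elp_iface_activate()` tests `hard_iface->bat_v.elp_skb` and then reads the field a second time to obtain `skb` before writing into `skb->data`, with no lock visible in the patch. The new caller in `batadv_v_iface_activate()` does not take `rcu_read_lock()` the way `batadv_v_elp_primary_iface_set()` does, so if the disable path can clear or free `elp_skb` concurrently (not determinable from these hunks) the check and the use can disagree. Reading the pointer once, `skb = hard_iface->bat_v.elp_skb;` followed by `if (!skb) return;`, removes the double fetch, and the kernel-doc should name what serialises callers (presumably RTNL). The `@primary_iface` text `the new primary interface` was copied from `batadv_v_elp_primary_iface_set()`; in this helper it is the currently selected primary interface.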