From 42af8350c14ac1c72f4785237d4f47332573d79f Mon Sep 17 00:00:00 2001 From: Sven Eckelmann Date: Mon, 11 Feb 2019 11:24:47 +0100 Subject: [PATCH 1/2] batman-adv: Refresh patches Signed-off-by: Sven Eckelmann --- ...ks.patch => 0001-batman-adv-add-compat-hacks.patch} | 10 ++++++++++ ...an-adv-Avoid-race-in-TT-TVLV-allocator-helper.patch | 7 ++----- ...adv-Fix-TT-sync-flags-for-intermediate-TT-res.patch | 7 ++----- ...adv-prevent-TT-request-storms-by-not-sending-.patch | 7 ++----- ...adv-don-t-implement-skb_postpush_rcsum-for-li.patch | 5 +---- ...adv-Fix-bat_ogm_iv-best-gw-refcnt-after-netli.patch | 5 +---- ...adv-Fix-bat_v-best-gw-refcnt-after-netlink-du.patch | 5 +---- ...atman-adv-Fix-debugfs-path-for-renamed-hardif.patch | 7 +------ ...atman-adv-Fix-debugfs-path-for-renamed-softif.patch | 7 +------ ...adv-Avoid-storing-non-TT-sync-flags-on-singul.patch | 7 ++----- ...adv-Fix-multicast-TT-issues-with-bogus-ROAM-f.patch | 7 ++----- ...2-batman-adv-Avoid-probe-ELP-information-leak.patch | 5 +---- ...adv-Fix-segfault-when-writing-to-throughput_o.patch | 5 +---- ...adv-Fix-segfault-when-writing-to-sysfs-elp_in.patch | 5 +---- ...adv-fix-backbone_gw-refcount-on-queue_work-fa.patch | 5 +---- ...adv-fix-hardif_neigh-refcount-on-queue_work-f.patch | 5 +---- ...man-adv-Prevent-duplicated-gateway_node-entry.patch | 5 +---- ...8-batman-adv-Prevent-duplicated-nc_node-entry.patch | 5 +---- ...tman-adv-Prevent-duplicated-softif_vlan-entry.patch | 5 +---- ...batman-adv-Prevent-duplicated-global-TT-entry.patch | 7 ++----- ...21-batman-adv-Prevent-duplicated-tvlv-handler.patch | 5 +---- ...adv-Avoid-WARN-on-net_device-without-parent-i.patch | 5 +---- ...adv-Force-mac-header-to-start-of-data-on-xmit.patch | 5 +---- 23 files changed, 38 insertions(+), 98 deletions(-) rename batman-adv/patches/{0001-compat-hacks.patch => 0001-batman-adv-add-compat-hacks.patch} (57%) diff --git a/batman-adv/patches/0001-compat-hacks.patch b/batman-adv/patches/0001-batman-adv-add-compat-hacks.patch similarity index 57% rename from batman-adv/patches/0001-compat-hacks.patch rename to batman-adv/patches/0001-batman-adv-add-compat-hacks.patch index 0a9994d..e3876d0 100644 --- a/batman-adv/patches/0001-compat-hacks.patch +++ b/batman-adv/patches/0001-batman-adv-add-compat-hacks.patch @@ -1,3 +1,9 @@ +From: Sven Eckelmann +Date: Wed, 9 May 2018 21:07:40 +0200 +Subject: batman-adv: add compat hacks + +diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c +index 69c0d85bceb3e0a1915e37d278110ee2655c4571..53b329d24461819b4cf0d4118cfa5b0eb8d7261b 100644 --- a/net/batman-adv/main.c +++ b/net/batman-adv/main.c @@ -19,7 +19,7 @@ @@ -9,6 +15,8 @@ #include #include #include +diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c +index 11520de96ccb1a87183e9666066e21731538ccd9..9af0a44dce74e7ead7f2c29ec4d49156bf4c9dd7 100644 --- a/net/batman-adv/tp_meter.c +++ b/net/batman-adv/tp_meter.c @@ -20,7 +20,7 @@ @@ -20,6 +28,8 @@ #include #include #include +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index 0225616d5771d0986127322142fc591780fc25b0..91b9a0aaaa2e6fe59b5e4ea2e57b7be375618059 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -21,7 +21,7 @@ diff --git a/batman-adv/patches/0002-batman-adv-Avoid-race-in-TT-TVLV-allocator-helper.patch b/batman-adv/patches/0002-batman-adv-Avoid-race-in-TT-TVLV-allocator-helper.patch index 46a40b3..1e3adca 100644 --- a/batman-adv/patches/0002-batman-adv-Avoid-race-in-TT-TVLV-allocator-helper.patch +++ b/batman-adv/patches/0002-batman-adv-Avoid-race-in-TT-TVLV-allocator-helper.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Wed, 9 May 2018 21:07:40 +0200 -Subject: [PATCH] batman-adv: Avoid race in TT TVLV allocator helper +Subject: batman-adv: Avoid race in TT TVLV allocator helper The functions batadv_tt_prepare_tvlv_local_data and batadv_tt_prepare_tvlv_global_data are responsible for preparing a buffer @@ -29,12 +29,9 @@ Signed-off-by: Sven Eckelmann Acked-by: Antonio Quartulli Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/286be89a33497ba9000aa5c2960f1f4114953522 ---- - net/batman-adv/translation-table.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c -index 0225616d5771d0986127322142fc591780fc25b0..7fa3a0a0524a1da63e92d081b443c302900bf0c3 100644 +index 91b9a0aaaa2e6fe59b5e4ea2e57b7be375618059..2511adb79936782c96ed397265418421b69f617d 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -862,7 +862,7 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node, diff --git a/batman-adv/patches/0003-batman-adv-Fix-TT-sync-flags-for-intermediate-TT-res.patch b/batman-adv/patches/0003-batman-adv-Fix-TT-sync-flags-for-intermediate-TT-res.patch index f396cbc..abc1965 100644 --- a/batman-adv/patches/0003-batman-adv-Fix-TT-sync-flags-for-intermediate-TT-res.patch +++ b/batman-adv/patches/0003-batman-adv-Fix-TT-sync-flags-for-intermediate-TT-res.patch @@ -1,6 +1,6 @@ From: Linus Lüssing Date: Thu, 10 May 2018 19:44:28 +0200 -Subject: [PATCH] batman-adv: Fix TT sync flags for intermediate TT responses +Subject: batman-adv: Fix TT sync flags for intermediate TT responses The previous TT sync fix so far only fixed TT responses issued by the target node directly. So far, TT responses issued by intermediate nodes @@ -19,12 +19,9 @@ Signed-off-by: Linus Lüssing Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/d65daee8617b29c1ddcc949ce3a5ec24f7a1e1af ---- - net/batman-adv/translation-table.c | 61 +++++++++++++++++++++++++----- - 1 file changed, 51 insertions(+), 10 deletions(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c -index 7fa3a0a0524a1da63e92d081b443c302900bf0c3..23f9c212ab1e27be429645a85f7b5d6a02585de9 100644 +index 2511adb79936782c96ed397265418421b69f617d..09bc1ed9fb59c1f76a4227f158d3ac8b73cbd32b 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -1538,6 +1538,8 @@ batadv_tt_global_orig_entry_find(const struct batadv_tt_global_entry *entry, diff --git a/batman-adv/patches/0004-batman-adv-prevent-TT-request-storms-by-not-sending-.patch b/batman-adv/patches/0004-batman-adv-prevent-TT-request-storms-by-not-sending-.patch index d1f1188..9bf5fd9 100644 --- a/batman-adv/patches/0004-batman-adv-prevent-TT-request-storms-by-not-sending-.patch +++ b/batman-adv/patches/0004-batman-adv-prevent-TT-request-storms-by-not-sending-.patch @@ -1,6 +1,6 @@ From: Marek Lindner Date: Sat, 12 May 2018 00:23:07 +0800 -Subject: [PATCH] batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs +Subject: batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs A translation table TVLV changset sent with an OGM consists of a number of headers (one per VLAN) plus the changeset @@ -23,12 +23,9 @@ Signed-off-by: Marek Lindner Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/e4687b4be274da6180fc15b327419851fb681ec9 ---- - net/batman-adv/translation-table.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c -index 23f9c212ab1e27be429645a85f7b5d6a02585de9..3986551397caa5ffb6ba7338eeb4769c8b8f99fb 100644 +index 09bc1ed9fb59c1f76a4227f158d3ac8b73cbd32b..dfd484d73f8e569bc60e153ea6ca244ea5757d5c 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -931,15 +931,20 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv, diff --git a/batman-adv/patches/0005-batman-adv-don-t-implement-skb_postpush_rcsum-for-li.patch b/batman-adv/patches/0005-batman-adv-don-t-implement-skb_postpush_rcsum-for-li.patch index 7826959..40ce242 100644 --- a/batman-adv/patches/0005-batman-adv-don-t-implement-skb_postpush_rcsum-for-li.patch +++ b/batman-adv/patches/0005-batman-adv-don-t-implement-skb_postpush_rcsum-for-li.patch @@ -1,6 +1,6 @@ From: Antonio Quartulli Date: Sat, 12 May 2018 03:02:44 +0800 -Subject: [PATCH] batman-adv: don't implement skb_postpush_rcsum() for linux >=4.4.47 +Subject: batman-adv: don't implement skb_postpush_rcsum() for linux >=4.4.47 skb_postpush_rcsum() has been implemented in 4.4.47 therefore our compat code has to be changed to prevent this function to @@ -10,9 +10,6 @@ Signed-off-by: Antonio Quartulli Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/b4693d107e0869bf11956fd2d3be4fd0a8671b46 ---- - compat-include/linux/skbuff.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compat-include/linux/skbuff.h b/compat-include/linux/skbuff.h index 6f73946496ac15f2fdb856357f16e4e2d8a6e6cd..371bb561eecaf605a5c96f9417546f6bb817724d 100644 diff --git a/batman-adv/patches/0006-batman-adv-Fix-bat_ogm_iv-best-gw-refcnt-after-netli.patch b/batman-adv/patches/0006-batman-adv-Fix-bat_ogm_iv-best-gw-refcnt-after-netli.patch index b0f866f..5a827bc 100644 --- a/batman-adv/patches/0006-batman-adv-Fix-bat_ogm_iv-best-gw-refcnt-after-netli.patch +++ b/batman-adv/patches/0006-batman-adv-Fix-bat_ogm_iv-best-gw-refcnt-after-netli.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Sat, 2 Jun 2018 17:26:34 +0200 -Subject: [PATCH] batman-adv: Fix bat_ogm_iv best gw refcnt after netlink dump +Subject: batman-adv: Fix bat_ogm_iv best gw refcnt after netlink dump A reference for the best gateway is taken when the list of gateways in the mesh is sent via netlink. This is necessary to check whether the currently @@ -19,9 +19,6 @@ Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/46360d203c627e71a27d1f8f551c819c7f2353fd ---- - net/batman-adv/bat_iv_ogm.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c index be09a98838252f4f0c23cec0625930cf896cd0ff..73bf6a93a3cf1141a34657bf1284893199e04db9 100644 diff --git a/batman-adv/patches/0007-batman-adv-Fix-bat_v-best-gw-refcnt-after-netlink-du.patch b/batman-adv/patches/0007-batman-adv-Fix-bat_v-best-gw-refcnt-after-netlink-du.patch index 37a672f..4f95719 100644 --- a/batman-adv/patches/0007-batman-adv-Fix-bat_v-best-gw-refcnt-after-netlink-du.patch +++ b/batman-adv/patches/0007-batman-adv-Fix-bat_v-best-gw-refcnt-after-netlink-du.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Sat, 2 Jun 2018 17:26:35 +0200 -Subject: [PATCH] batman-adv: Fix bat_v best gw refcnt after netlink dump +Subject: batman-adv: Fix bat_v best gw refcnt after netlink dump A reference for the best gateway is taken when the list of gateways in the mesh is sent via netlink. This is necessary to check whether the currently @@ -17,9 +17,6 @@ Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/2b422b5808183d1084b450b89d9a085a13dd6d2c ---- - net/batman-adv/bat_v.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c index ec93337ee2597738e46b87dd72724d5becf3f48e..6baec4e68898c6e992e7522d2ee8c78ce62a1b08 100644 diff --git a/batman-adv/patches/0008-batman-adv-Fix-debugfs-path-for-renamed-hardif.patch b/batman-adv/patches/0008-batman-adv-Fix-debugfs-path-for-renamed-hardif.patch index c62751f..8bd8349 100644 --- a/batman-adv/patches/0008-batman-adv-Fix-debugfs-path-for-renamed-hardif.patch +++ b/batman-adv/patches/0008-batman-adv-Fix-debugfs-path-for-renamed-hardif.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Fri, 1 Jun 2018 19:24:23 +0200 -Subject: [PATCH] batman-adv: Fix debugfs path for renamed hardif +Subject: batman-adv: Fix debugfs path for renamed hardif batman-adv is creating special debugfs directories in the init net_namespace for each valid hard-interface (net_device). But it is @@ -27,11 +27,6 @@ Reported-by: John Soros Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/127086f503f6495518b95455efebee33d328f335 ---- - net/batman-adv/debugfs.c | 20 ++++++++++++++++++++ - net/batman-adv/debugfs.h | 6 ++++++ - net/batman-adv/hard-interface.c | 3 +++ - 3 files changed, 29 insertions(+) diff --git a/net/batman-adv/debugfs.c b/net/batman-adv/debugfs.c index 4229b01ac7b54008e023df0ed6546a6d541498ba..7e5de7b9f6d53b846cebfa95bf694a20c640b2d6 100644 diff --git a/batman-adv/patches/0009-batman-adv-Fix-debugfs-path-for-renamed-softif.patch b/batman-adv/patches/0009-batman-adv-Fix-debugfs-path-for-renamed-softif.patch index 2559d64..40ea648 100644 --- a/batman-adv/patches/0009-batman-adv-Fix-debugfs-path-for-renamed-softif.patch +++ b/batman-adv/patches/0009-batman-adv-Fix-debugfs-path-for-renamed-softif.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Fri, 1 Jun 2018 19:24:24 +0200 -Subject: [PATCH] batman-adv: Fix debugfs path for renamed softif +Subject: batman-adv: Fix debugfs path for renamed softif batman-adv is creating special debugfs directories in the init net_namespace for each created soft-interface (batadv net_device). But it @@ -25,11 +25,6 @@ Fixes: 230202d4b530 ("batman-adv: Move device for icmp injection to debugfs") Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/3f2237bb191cd17654a4d5a5badfd6e7379c4b37 ---- - net/batman-adv/debugfs.c | 20 +++++++++++++++++++ - net/batman-adv/debugfs.h | 5 +++++ - net/batman-adv/hard-interface.c | 34 +++++++++++++++++++++++++++------ - 3 files changed, 53 insertions(+), 6 deletions(-) diff --git a/net/batman-adv/debugfs.c b/net/batman-adv/debugfs.c index 7e5de7b9f6d53b846cebfa95bf694a20c640b2d6..87479c60670ebfbe2ad3df17130f1289d657df7b 100644 diff --git a/batman-adv/patches/0010-batman-adv-Avoid-storing-non-TT-sync-flags-on-singul.patch b/batman-adv/patches/0010-batman-adv-Avoid-storing-non-TT-sync-flags-on-singul.patch index 081bb21..e086b15 100644 --- a/batman-adv/patches/0010-batman-adv-Avoid-storing-non-TT-sync-flags-on-singul.patch +++ b/batman-adv/patches/0010-batman-adv-Avoid-storing-non-TT-sync-flags-on-singul.patch @@ -1,6 +1,6 @@ From: Linus Lüssing Date: Thu, 7 Jun 2018 00:46:23 +0200 -Subject: [PATCH] batman-adv: Avoid storing non-TT-sync flags on singular entries too +Subject: batman-adv: Avoid storing non-TT-sync flags on singular entries too Since commit 382d020fe3fa ("batman-adv: fix TT sync flag inconsistencies") TT sync flags and TT non-sync'd flags are supposed to be stored @@ -17,12 +17,9 @@ Signed-off-by: Linus Lüssing Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/beb6246b2339852b6a429ae9259a8eb30a685041 ---- - net/batman-adv/translation-table.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c -index 3986551397caa5ffb6ba7338eeb4769c8b8f99fb..61ce300091f328fd78dafa5c4fd09f6cf924b025 100644 +index dfd484d73f8e569bc60e153ea6ca244ea5757d5c..8b0f30457a2eda3c0791da9c8876fc1768170d76 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -1705,7 +1705,8 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv, diff --git a/batman-adv/patches/0011-batman-adv-Fix-multicast-TT-issues-with-bogus-ROAM-f.patch b/batman-adv/patches/0011-batman-adv-Fix-multicast-TT-issues-with-bogus-ROAM-f.patch index 59fd2ac..8b06596 100644 --- a/batman-adv/patches/0011-batman-adv-Fix-multicast-TT-issues-with-bogus-ROAM-f.patch +++ b/batman-adv/patches/0011-batman-adv-Fix-multicast-TT-issues-with-bogus-ROAM-f.patch @@ -1,6 +1,6 @@ From: Linus Lüssing Date: Thu, 7 Jun 2018 00:46:24 +0200 -Subject: [PATCH] batman-adv: Fix multicast TT issues with bogus ROAM flags +Subject: batman-adv: Fix multicast TT issues with bogus ROAM flags When a (broken) node wrongly sends multicast TT entries with a ROAM flag then this causes any receiving node to drop all entries for the @@ -16,12 +16,9 @@ Signed-off-by: Linus Lüssing Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/c7054ffae0c3b08bb4bef3cffee1e0a543e14096 ---- - net/batman-adv/translation-table.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c -index 61ce300091f328fd78dafa5c4fd09f6cf924b025..12a2b7d21376721d15c6a31f3e794e4270d74b5c 100644 +index 8b0f30457a2eda3c0791da9c8876fc1768170d76..9efbdd6348c4d69c525b3e0574d2b24db838c086 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -1705,7 +1705,8 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv, diff --git a/batman-adv/patches/0012-batman-adv-Avoid-probe-ELP-information-leak.patch b/batman-adv/patches/0012-batman-adv-Avoid-probe-ELP-information-leak.patch index 83371eb..b58de4d 100644 --- a/batman-adv/patches/0012-batman-adv-Avoid-probe-ELP-information-leak.patch +++ b/batman-adv/patches/0012-batman-adv-Avoid-probe-ELP-information-leak.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Fri, 31 Aug 2018 15:08:44 +0200 -Subject: [PATCH] batman-adv: Avoid probe ELP information leak +Subject: batman-adv: Avoid probe ELP information leak The probe ELPs for WiFi interfaces are expanded to contain at least BATADV_ELP_MIN_PROBE_SIZE bytes. This is usually a lot more than the @@ -16,9 +16,6 @@ Signed-off-by: Sven Eckelmann Acked-by: Antonio Quartulli Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/6c876e572f592c31132a55b5fb8427e168e5fb3c ---- - net/batman-adv/bat_v_elp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c index 28687493599f5ba10b8813c18d803582210bc292..371028f82a0669e86155fee39ba955cbbde48e60 100644 diff --git a/batman-adv/patches/0013-batman-adv-Fix-segfault-when-writing-to-throughput_o.patch b/batman-adv/patches/0013-batman-adv-Fix-segfault-when-writing-to-throughput_o.patch index 4c7d3b0..2e3deb9 100644 --- a/batman-adv/patches/0013-batman-adv-Fix-segfault-when-writing-to-throughput_o.patch +++ b/batman-adv/patches/0013-batman-adv-Fix-segfault-when-writing-to-throughput_o.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Fri, 31 Aug 2018 16:46:47 +0200 -Subject: [PATCH] batman-adv: Fix segfault when writing to throughput_override +Subject: batman-adv: Fix segfault when writing to throughput_override The per hardif sysfs file "batman_adv/throughput_override" prints the resulting change as info text when the users writes to this file. It uses @@ -23,9 +23,6 @@ Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/ddf99b78e255530cbadc0f67656a549e19520280 ---- - net/batman-adv/sysfs.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c index f2eef43bd2ec5b798ba552ff14eedcfa734b39d6..3a76e8970c025ca6917d6cd15d1382f685cd3532 100644 diff --git a/batman-adv/patches/0014-batman-adv-Fix-segfault-when-writing-to-sysfs-elp_in.patch b/batman-adv/patches/0014-batman-adv-Fix-segfault-when-writing-to-sysfs-elp_in.patch index a06f3ba..aaf9145 100644 --- a/batman-adv/patches/0014-batman-adv-Fix-segfault-when-writing-to-sysfs-elp_in.patch +++ b/batman-adv/patches/0014-batman-adv-Fix-segfault-when-writing-to-sysfs-elp_in.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Fri, 31 Aug 2018 16:56:29 +0200 -Subject: [PATCH] batman-adv: Fix segfault when writing to sysfs elp_interval +Subject: batman-adv: Fix segfault when writing to sysfs elp_interval The per hardif sysfs file "batman_adv/elp_interval" is using the generic functions to store/show uint values. The helper __batadv_store_uint_attr @@ -24,9 +24,6 @@ Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/848be9859b0109a6e428f92f21f2e660153b1c75 ---- - net/batman-adv/sysfs.c | 25 +++++++++++++++++-------- - 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c index 3a76e8970c025ca6917d6cd15d1382f685cd3532..09427fc6494a157554d8b19f3481a878a9f97bba 100644 diff --git a/batman-adv/patches/0015-batman-adv-fix-backbone_gw-refcount-on-queue_work-fa.patch b/batman-adv/patches/0015-batman-adv-fix-backbone_gw-refcount-on-queue_work-fa.patch index e6f43d4..ed34fec 100644 --- a/batman-adv/patches/0015-batman-adv-fix-backbone_gw-refcount-on-queue_work-fa.patch +++ b/batman-adv/patches/0015-batman-adv-fix-backbone_gw-refcount-on-queue_work-fa.patch @@ -1,6 +1,6 @@ From: Marek Lindner Date: Fri, 7 Sep 2018 05:45:54 +0800 -Subject: [PATCH] batman-adv: fix backbone_gw refcount on queue_work() failure +Subject: batman-adv: fix backbone_gw refcount on queue_work() failure The backbone_gw refcounter is to be decreased by the queued work and currently is never decreased if the queue_work() call fails. @@ -11,9 +11,6 @@ Signed-off-by: Marek Lindner Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/24d83a50421c1c5d39cd9c015516a1a293ae8d0c ---- - net/batman-adv/bridge_loop_avoidance.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index a2de5a44bd41bf5c3d521d29b72e0b225a3ace05..58c093caf49e804c1e11426959d70e79f1729d41 100644 diff --git a/batman-adv/patches/0016-batman-adv-fix-hardif_neigh-refcount-on-queue_work-f.patch b/batman-adv/patches/0016-batman-adv-fix-hardif_neigh-refcount-on-queue_work-f.patch index c0a7195..e9fe152 100644 --- a/batman-adv/patches/0016-batman-adv-fix-hardif_neigh-refcount-on-queue_work-f.patch +++ b/batman-adv/patches/0016-batman-adv-fix-hardif_neigh-refcount-on-queue_work-f.patch @@ -1,6 +1,6 @@ From: Marek Lindner Date: Fri, 7 Sep 2018 05:45:55 +0800 -Subject: [PATCH] batman-adv: fix hardif_neigh refcount on queue_work() failure +Subject: batman-adv: fix hardif_neigh refcount on queue_work() failure The hardif_neigh refcounter is to be decreased by the queued work and currently is never decreased if the queue_work() call fails. @@ -11,9 +11,6 @@ Signed-off-by: Marek Lindner Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/85100b602c127cecf1bcfd620d20eb867d685df2 ---- - net/batman-adv/bat_v_elp.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c index 371028f82a0669e86155fee39ba955cbbde48e60..83b46654449df72ceda6ca3177f72e7faf0603ab 100644 diff --git a/batman-adv/patches/0017-batman-adv-Prevent-duplicated-gateway_node-entry.patch b/batman-adv/patches/0017-batman-adv-Prevent-duplicated-gateway_node-entry.patch index f456d99..c319f07 100644 --- a/batman-adv/patches/0017-batman-adv-Prevent-duplicated-gateway_node-entry.patch +++ b/batman-adv/patches/0017-batman-adv-Prevent-duplicated-gateway_node-entry.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Thu, 6 Sep 2018 14:35:24 +0200 -Subject: [PATCH] batman-adv: Prevent duplicated gateway_node entry +Subject: batman-adv: Prevent duplicated gateway_node entry The function batadv_gw_node_add is responsible for adding new gw_node to the gateway_list. It is expecting that the caller already checked that @@ -18,9 +18,6 @@ Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/69b3ca714eba608fe79a51ccd89ce7050ee0b770 ---- - net/batman-adv/gateway_client.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c index 8b198ee798c910b40997ed9ca867fc931c53dcc3..140c61a3f1ecfec4fe23c5ddca19e18e2e86fd56 100644 diff --git a/batman-adv/patches/0018-batman-adv-Prevent-duplicated-nc_node-entry.patch b/batman-adv/patches/0018-batman-adv-Prevent-duplicated-nc_node-entry.patch index c1c3103..5a79707 100644 --- a/batman-adv/patches/0018-batman-adv-Prevent-duplicated-nc_node-entry.patch +++ b/batman-adv/patches/0018-batman-adv-Prevent-duplicated-nc_node-entry.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Thu, 6 Sep 2018 14:35:25 +0200 -Subject: [PATCH] batman-adv: Prevent duplicated nc_node entry +Subject: batman-adv: Prevent duplicated nc_node entry The function batadv_nc_get_nc_node is responsible for adding new nc_nodes to the in_coding_list and out_coding_list. It first checks whether the @@ -19,9 +19,6 @@ Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/bab8447ad1850b25188f9652c0c52f8e58acd656 ---- - net/batman-adv/network-coding.c | 41 ++++++++++++++++++--------------- - 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c index c3578444f3cbe759a5385ac460ccb9d41ae1c4de..34caf129a9bf5531360f798be6a7059bad26a50f 100644 diff --git a/batman-adv/patches/0019-batman-adv-Prevent-duplicated-softif_vlan-entry.patch b/batman-adv/patches/0019-batman-adv-Prevent-duplicated-softif_vlan-entry.patch index 7cb33f3..db83ad2 100644 --- a/batman-adv/patches/0019-batman-adv-Prevent-duplicated-softif_vlan-entry.patch +++ b/batman-adv/patches/0019-batman-adv-Prevent-duplicated-softif_vlan-entry.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Thu, 6 Sep 2018 14:35:26 +0200 -Subject: [PATCH] batman-adv: Prevent duplicated softif_vlan entry +Subject: batman-adv: Prevent duplicated softif_vlan entry The function batadv_softif_vlan_get is responsible for adding new softif_vlan to the softif_vlan_list. It first checks whether the entry @@ -18,9 +18,6 @@ Fixes: 952cebb57518 ("batman-adv: add per VLAN interface attribute framework") Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/023d3f64207e8b6a6e6d0718d98e239c5545ef0c ---- - net/batman-adv/soft-interface.c | 27 +++++++++++++++++++-------- - 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c index edeffcb9f3a24e1b53c2b4d705fb260717ac09c4..79d6ab78359db9c6a5df14e2e204c611ab134dfc 100644 diff --git a/batman-adv/patches/0020-batman-adv-Prevent-duplicated-global-TT-entry.patch b/batman-adv/patches/0020-batman-adv-Prevent-duplicated-global-TT-entry.patch index 159c653..5594cff 100644 --- a/batman-adv/patches/0020-batman-adv-Prevent-duplicated-global-TT-entry.patch +++ b/batman-adv/patches/0020-batman-adv-Prevent-duplicated-global-TT-entry.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Thu, 6 Sep 2018 14:35:27 +0200 -Subject: [PATCH] batman-adv: Prevent duplicated global TT entry +Subject: batman-adv: Prevent duplicated global TT entry The function batadv_tt_global_orig_entry_add is responsible for adding new tt_orig_list_entry to the orig_list. It first checks whether the entry @@ -19,12 +19,9 @@ Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/79097255a1a3e1bd1949be309af941181fbc7b36 ---- - net/batman-adv/translation-table.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c -index 12a2b7d21376721d15c6a31f3e794e4270d74b5c..d21624c446655d57786a1bcfa45aaf57c5ce9701 100644 +index 9efbdd6348c4d69c525b3e0574d2b24db838c086..7502cb54c152d06d78c88d9f8fb841cada9f3b5d 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -1613,6 +1613,8 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global, diff --git a/batman-adv/patches/0021-batman-adv-Prevent-duplicated-tvlv-handler.patch b/batman-adv/patches/0021-batman-adv-Prevent-duplicated-tvlv-handler.patch index 5922170..1830998 100644 --- a/batman-adv/patches/0021-batman-adv-Prevent-duplicated-tvlv-handler.patch +++ b/batman-adv/patches/0021-batman-adv-Prevent-duplicated-tvlv-handler.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Thu, 6 Sep 2018 14:35:28 +0200 -Subject: [PATCH] batman-adv: Prevent duplicated tvlv handler +Subject: batman-adv: Prevent duplicated tvlv handler The function batadv_tvlv_handler_register is responsible for adding new tvlv_handler to the handler_list. It first checks whether the entry @@ -19,9 +19,6 @@ Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/acabad79e01740525cf4ff8ce6e9a210b683d420 ---- - net/batman-adv/tvlv.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c index a637458205d16bf838f796383d8cc15ac861801b..40e69c9346d22c09481544b8b4dec56cad88b64a 100644 diff --git a/batman-adv/patches/0022-batman-adv-Avoid-WARN-on-net_device-without-parent-i.patch b/batman-adv/patches/0022-batman-adv-Avoid-WARN-on-net_device-without-parent-i.patch index 4850a55..0d8aa2c 100644 --- a/batman-adv/patches/0022-batman-adv-Avoid-WARN-on-net_device-without-parent-i.patch +++ b/batman-adv/patches/0022-batman-adv-Avoid-WARN-on-net_device-without-parent-i.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Sun, 30 Dec 2018 12:46:01 +0100 -Subject: [PATCH] batman-adv: Avoid WARN on net_device without parent in netns +Subject: batman-adv: Avoid WARN on net_device without parent in netns It is not allowed to use WARN* helpers on potential incorrect input from the user or transient problems because systems configured as panic_on_warn @@ -18,9 +18,6 @@ Reported-by: Dmitry Vyukov Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/59ad04405be86f648fd83d81d2fd0a78f215a43b ---- - net/batman-adv/hard-interface.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c index 2f0d42f2f913e74cf10c0c6ce89320434994cac5..08690d06b7be2b25ca3f009394763c7083c70644 100644 diff --git a/batman-adv/patches/0023-batman-adv-Force-mac-header-to-start-of-data-on-xmit.patch b/batman-adv/patches/0023-batman-adv-Force-mac-header-to-start-of-data-on-xmit.patch index c5eb7dd..f7fe6ce 100644 --- a/batman-adv/patches/0023-batman-adv-Force-mac-header-to-start-of-data-on-xmit.patch +++ b/batman-adv/patches/0023-batman-adv-Force-mac-header-to-start-of-data-on-xmit.patch @@ -1,6 +1,6 @@ From: Sven Eckelmann Date: Mon, 31 Dec 2018 22:46:09 +0100 -Subject: [PATCH] batman-adv: Force mac header to start of data on xmit +Subject: batman-adv: Force mac header to start of data on xmit The caller of ndo_start_xmit may not already have called skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr @@ -20,9 +20,6 @@ Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com Signed-off-by: Sven Eckelmann Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/74c4b0c50f19f986752ee18ed393732f4eed7a66 ---- - net/batman-adv/soft-interface.c | 2 ++ - 1 file changed, 2 insertions(+) diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c index 79d6ab78359db9c6a5df14e2e204c611ab134dfc..d3f540ba2a1388a8aa693a539d01d6a1cad95b44 100644 From ee2d981d00d2cbf9484b9ab731f44fde8509f6a9 Mon Sep 17 00:00:00 2001 From: Sven Eckelmann Date: Thu, 28 Mar 2019 20:39:10 +0100 Subject: [PATCH 2/2] batman-adv: Merge bugfixes from 2019.1 * fix uninit-value in batadv_interface_tx() * Reduce claim hash refcnt only for removed entry * Reduce tt_local hash refcnt only for removed entry * Reduce tt_global hash refcnt only for removed entry Signed-off-by: Sven Eckelmann --- batman-adv/Makefile | 2 +- ...-uninit-value-in-batadv_interface_tx.patch | 95 +++++++++++++++++++ ...e-claim-hash-refcnt-only-for-removed.patch | 65 +++++++++++++ ...e-tt_local-hash-refcnt-only-for-remo.patch | 69 ++++++++++++++ ...e-tt_global-hash-refcnt-only-for-rem.patch | 66 +++++++++++++ 5 files changed, 296 insertions(+), 1 deletion(-) create mode 100644 batman-adv/patches/0024-batman-adv-fix-uninit-value-in-batadv_interface_tx.patch create mode 100644 batman-adv/patches/0025-batman-adv-Reduce-claim-hash-refcnt-only-for-removed.patch create mode 100644 batman-adv/patches/0026-batman-adv-Reduce-tt_local-hash-refcnt-only-for-remo.patch create mode 100644 batman-adv/patches/0027-batman-adv-Reduce-tt_global-hash-refcnt-only-for-rem.patch diff --git a/batman-adv/Makefile b/batman-adv/Makefile index 74ef4b8..42f1300 100644 --- a/batman-adv/Makefile +++ b/batman-adv/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=batman-adv PKG_VERSION:=2018.1 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_HASH:=b866b28dbbe5c9238abbdf5abbc30fc526dea56898ce4c1bd76d5c017843048b PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz diff --git a/batman-adv/patches/0024-batman-adv-fix-uninit-value-in-batadv_interface_tx.patch b/batman-adv/patches/0024-batman-adv-fix-uninit-value-in-batadv_interface_tx.patch new file mode 100644 index 0000000..dd2edad --- /dev/null +++ b/batman-adv/patches/0024-batman-adv-fix-uninit-value-in-batadv_interface_tx.patch @@ -0,0 +1,95 @@ +From: Eric Dumazet +Date: Mon, 11 Feb 2019 14:41:22 -0800 +Subject: batman-adv: fix uninit-value in batadv_interface_tx() + +KMSAN reported batadv_interface_tx() was possibly using a +garbage value [1] + +batadv_get_vid() does have a pskb_may_pull() call +but batadv_interface_tx() does not actually make sure +this did not fail. + +[1] +BUG: KMSAN: uninit-value in batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231 +CPU: 0 PID: 10006 Comm: syz-executor469 Not tainted 4.20.0-rc7+ #5 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x173/0x1d0 lib/dump_stack.c:113 + kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 + __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313 + batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231 + __netdev_start_xmit include/linux/netdevice.h:4356 [inline] + netdev_start_xmit include/linux/netdevice.h:4365 [inline] + xmit_one net/core/dev.c:3257 [inline] + dev_hard_start_xmit+0x607/0xc40 net/core/dev.c:3273 + __dev_queue_xmit+0x2e42/0x3bc0 net/core/dev.c:3843 + dev_queue_xmit+0x4b/0x60 net/core/dev.c:3876 + packet_snd net/packet/af_packet.c:2928 [inline] + packet_sendmsg+0x8306/0x8f30 net/packet/af_packet.c:2953 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + __sys_sendto+0x8c4/0xac0 net/socket.c:1788 + __do_sys_sendto net/socket.c:1800 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1796 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1796 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 +RIP: 0033:0x441889 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffdda6fd468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000441889 +RDX: 000000000000000e RSI: 00000000200000c0 RDI: 0000000000000003 +RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000216 R12: 00007ffdda6fd4c0 +R13: 00007ffdda6fd4b0 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline] + kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158 + kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176 + kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185 + slab_post_alloc_hook mm/slab.h:446 [inline] + slab_alloc_node mm/slub.c:2759 [inline] + __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383 + __kmalloc_reserve net/core/skbuff.c:137 [inline] + __alloc_skb+0x309/0xa20 net/core/skbuff.c:205 + alloc_skb include/linux/skbuff.h:998 [inline] + alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5220 + sock_alloc_send_pskb+0xafd/0x10e0 net/core/sock.c:2083 + packet_alloc_skb net/packet/af_packet.c:2781 [inline] + packet_snd net/packet/af_packet.c:2872 [inline] + packet_sendmsg+0x661a/0x8f30 net/packet/af_packet.c:2953 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + __sys_sendto+0x8c4/0xac0 net/socket.c:1788 + __do_sys_sendto net/socket.c:1800 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1796 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1796 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 + +Fixes: 48628bb9419f ("batman-adv: softif bridge loop avoidance") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Marek Lindner +Cc: Simon Wunderlich +Cc: Antonio Quartulli +Signed-off-by: David S. Miller +Signed-off-by: Sven Eckelmann + +Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/35482922b38bb5f5b03b0e92bc58cec2b7c77cdf + +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index d3f540ba2a1388a8aa693a539d01d6a1cad95b44..97e28907a0acbb3d64d8ceebf7b1df13dc396300 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -227,6 +227,8 @@ static int batadv_interface_tx(struct sk_buff *skb, + + switch (ntohs(ethhdr->h_proto)) { + case ETH_P_8021Q: ++ if (!pskb_may_pull(skb, sizeof(*vhdr))) ++ goto dropped; + vhdr = vlan_eth_hdr(skb); + + /* drop batman-in-batman packets to prevent loops */ diff --git a/batman-adv/patches/0025-batman-adv-Reduce-claim-hash-refcnt-only-for-removed.patch b/batman-adv/patches/0025-batman-adv-Reduce-claim-hash-refcnt-only-for-removed.patch new file mode 100644 index 0000000..7a2f999 --- /dev/null +++ b/batman-adv/patches/0025-batman-adv-Reduce-claim-hash-refcnt-only-for-removed.patch @@ -0,0 +1,65 @@ +From: Sven Eckelmann +Date: Sat, 23 Feb 2019 15:09:04 +0100 +Subject: batman-adv: Reduce claim hash refcnt only for removed entry + +The batadv_hash_remove is a function which searches the hashtable for an +entry using a needle, a hashtable bucket selection function and a compare +function. It will lock the bucket list and delete an entry when the compare +function matches it with the needle. It returns the pointer to the +hlist_node which matches or NULL when no entry matches the needle. + +The batadv_bla_del_claim is not itself protected in anyway to avoid that +any other function is modifying the hashtable between the search for the +entry and the call to batadv_hash_remove. It can therefore happen that the +entry either doesn't exist anymore or an entry was deleted which is not the +same object as the needle. In such an situation, the reference counter (for +the reference stored in the hashtable) must not be reduced for the needle. +Instead the reference counter of the actually removed entry has to be +reduced. + +Otherwise the reference counter will underflow and the object might be +freed before all its references were dropped. The kref helpers reported +this problem as: + + refcount_t: underflow; use-after-free. + +Fixes: a9ce0dc43e2c ("batman-adv: add basic bridge loop avoidance code") +Signed-off-by: Sven Eckelmann + +Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/3a7af70ae7c4209324dbb08b91e013c17108bdd6 + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 58c093caf49e804c1e11426959d70e79f1729d41..0842080a71f4ac89b3fbebc4b95c6c27d1cc4254 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -803,6 +803,8 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv, + const u8 *mac, const unsigned short vid) + { + struct batadv_bla_claim search_claim, *claim; ++ struct batadv_bla_claim *claim_removed_entry; ++ struct hlist_node *claim_removed_node; + + ether_addr_copy(search_claim.addr, mac); + search_claim.vid = vid; +@@ -813,10 +815,18 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv, + batadv_dbg(BATADV_DBG_BLA, bat_priv, "%s(): %pM, vid %d\n", __func__, + mac, batadv_print_vid(vid)); + +- batadv_hash_remove(bat_priv->bla.claim_hash, batadv_compare_claim, +- batadv_choose_claim, claim); +- batadv_claim_put(claim); /* reference from the hash is gone */ ++ claim_removed_node = batadv_hash_remove(bat_priv->bla.claim_hash, ++ batadv_compare_claim, ++ batadv_choose_claim, claim); ++ if (!claim_removed_node) ++ goto free_claim; + ++ /* reference from the hash is gone */ ++ claim_removed_entry = hlist_entry(claim_removed_node, ++ struct batadv_bla_claim, hash_entry); ++ batadv_claim_put(claim_removed_entry); ++ ++free_claim: + /* don't need the reference from hash_find() anymore */ + batadv_claim_put(claim); + } diff --git a/batman-adv/patches/0026-batman-adv-Reduce-tt_local-hash-refcnt-only-for-remo.patch b/batman-adv/patches/0026-batman-adv-Reduce-tt_local-hash-refcnt-only-for-remo.patch new file mode 100644 index 0000000..a6ffb25 --- /dev/null +++ b/batman-adv/patches/0026-batman-adv-Reduce-tt_local-hash-refcnt-only-for-remo.patch @@ -0,0 +1,69 @@ +From: Sven Eckelmann +Date: Sat, 23 Feb 2019 15:09:05 +0100 +Subject: batman-adv: Reduce tt_local hash refcnt only for removed entry + +The batadv_hash_remove is a function which searches the hashtable for an +entry using a needle, a hashtable bucket selection function and a compare +function. It will lock the bucket list and delete an entry when the compare +function matches it with the needle. It returns the pointer to the +hlist_node which matches or NULL when no entry matches the needle. + +The batadv_tt_local_remove is not itself protected in anyway to avoid that +any other function is modifying the hashtable between the search for the +entry and the call to batadv_hash_remove. It can therefore happen that the +entry either doesn't exist anymore or an entry was deleted which is not the +same object as the needle. In such an situation, the reference counter (for +the reference stored in the hashtable) must not be reduced for the needle. +Instead the reference counter of the actually removed entry has to be +reduced. + +Otherwise the reference counter will underflow and the object might be +freed before all its references were dropped. The kref helpers reported +this problem as: + + refcount_t: underflow; use-after-free. + +Fixes: af912d77181f ("batman-adv: protect tt_local_entry from concurrent delete events") +Signed-off-by: Sven Eckelmann + +Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/0c86a0511e97de502276900c5d6f22b09e042d21 + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index 7502cb54c152d06d78c88d9f8fb841cada9f3b5d..d2ecfdbdc64956b238f0554b4c354df9a9e9f26a 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -1332,9 +1332,10 @@ u16 batadv_tt_local_remove(struct batadv_priv *bat_priv, const u8 *addr, + unsigned short vid, const char *message, + bool roaming) + { ++ struct batadv_tt_local_entry *tt_removed_entry; + struct batadv_tt_local_entry *tt_local_entry; + u16 flags, curr_flags = BATADV_NO_FLAGS; +- void *tt_entry_exists; ++ struct hlist_node *tt_removed_node; + + tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid); + if (!tt_local_entry) +@@ -1363,15 +1364,18 @@ u16 batadv_tt_local_remove(struct batadv_priv *bat_priv, const u8 *addr, + */ + batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL); + +- tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash, ++ tt_removed_node = batadv_hash_remove(bat_priv->tt.local_hash, + batadv_compare_tt, + batadv_choose_tt, + &tt_local_entry->common); +- if (!tt_entry_exists) ++ if (!tt_removed_node) + goto out; + +- /* extra call to free the local tt entry */ +- batadv_tt_local_entry_put(tt_local_entry); ++ /* drop reference of remove hash entry */ ++ tt_removed_entry = hlist_entry(tt_removed_node, ++ struct batadv_tt_local_entry, ++ common.hash_entry); ++ batadv_tt_local_entry_put(tt_removed_entry); + + out: + if (tt_local_entry) diff --git a/batman-adv/patches/0027-batman-adv-Reduce-tt_global-hash-refcnt-only-for-rem.patch b/batman-adv/patches/0027-batman-adv-Reduce-tt_global-hash-refcnt-only-for-rem.patch new file mode 100644 index 0000000..cd08563 --- /dev/null +++ b/batman-adv/patches/0027-batman-adv-Reduce-tt_global-hash-refcnt-only-for-rem.patch @@ -0,0 +1,66 @@ +From: Sven Eckelmann +Date: Sat, 23 Feb 2019 15:09:06 +0100 +Subject: batman-adv: Reduce tt_global hash refcnt only for removed entry + +The batadv_hash_remove is a function which searches the hashtable for an +entry using a needle, a hashtable bucket selection function and a compare +function. It will lock the bucket list and delete an entry when the compare +function matches it with the needle. It returns the pointer to the +hlist_node which matches or NULL when no entry matches the needle. + +The batadv_tt_global_free is not itself protected in anyway to avoid that +any other function is modifying the hashtable between the search for the +entry and the call to batadv_hash_remove. It can therefore happen that the +entry either doesn't exist anymore or an entry was deleted which is not the +same object as the needle. In such an situation, the reference counter (for +the reference stored in the hashtable) must not be reduced for the needle. +Instead the reference counter of the actually removed entry has to be +reduced. + +Otherwise the reference counter will underflow and the object might be +freed before all its references were dropped. The kref helpers reported +this problem as: + + refcount_t: underflow; use-after-free. + +Fixes: 7bad46397eff ("batman-adv: protect the local and the global trans-tables with rcu") +Reported-by: Martin Weinelt +Signed-off-by: Sven Eckelmann +Acked-by: Antonio Quartulli + +Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/bd6df24da0063fe50828c287d05bdc1876f4f6cc + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index d2ecfdbdc64956b238f0554b4c354df9a9e9f26a..554fd886e652c7c206ff43a5627d342ccbcc2123 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -616,14 +616,26 @@ static void batadv_tt_global_free(struct batadv_priv *bat_priv, + struct batadv_tt_global_entry *tt_global, + const char *message) + { ++ struct batadv_tt_global_entry *tt_removed_entry; ++ struct hlist_node *tt_removed_node; ++ + batadv_dbg(BATADV_DBG_TT, bat_priv, + "Deleting global tt entry %pM (vid: %d): %s\n", + tt_global->common.addr, + batadv_print_vid(tt_global->common.vid), message); + +- batadv_hash_remove(bat_priv->tt.global_hash, batadv_compare_tt, +- batadv_choose_tt, &tt_global->common); +- batadv_tt_global_entry_put(tt_global); ++ tt_removed_node = batadv_hash_remove(bat_priv->tt.global_hash, ++ batadv_compare_tt, ++ batadv_choose_tt, ++ &tt_global->common); ++ if (!tt_removed_node) ++ return; ++ ++ /* drop reference of remove hash entry */ ++ tt_removed_entry = hlist_entry(tt_removed_node, ++ struct batadv_tt_global_entry, ++ common.hash_entry); ++ batadv_tt_global_entry_put(tt_removed_entry); + } + + /**