From 88e202e84816064a12130f14a55ca7e53b3d910f Mon Sep 17 00:00:00 2001 From: Marek Lindner Date: Thu, 9 May 2013 17:56:23 +0800 Subject: [PATCH] batman-adv: 2013.2.0 stability fixes Signed-off-by: Marek Lindner --- batman-adv/Makefile | 2 +- ...he-proper-header-len-when-checking-t.patch | 2 +- ...tocol-argument-to-packet-tagging-fun.patch | 2 +- ...-proto-length-before-accessing-proto.patch | 33 +++++++++++ ...heck-return-value-of-pskb_trim_rcsum.patch | 44 ++++++++++++++ ...DAT-drop-ARP-requests-targeting-loca.patch | 48 ++++++++++++++++ ...er-clean-up-routine-in-order-to-avoi.patch | 57 +++++++++++++++++++ 7 files changed, 185 insertions(+), 3 deletions(-) create mode 100644 batman-adv/patches/0003-batman-adv-check-proto-length-before-accessing-proto.patch create mode 100644 batman-adv/patches/0004-batman-adv-check-return-value-of-pskb_trim_rcsum.patch create mode 100644 batman-adv/patches/0005-batman-adv-make-DAT-drop-ARP-requests-targeting-loca.patch create mode 100644 batman-adv/patches/0006-batman-adv-reorder-clean-up-routine-in-order-to-avoi.patch diff --git a/batman-adv/Makefile b/batman-adv/Makefile index d6cd9b8..51dc797 100644 --- a/batman-adv/Makefile +++ b/batman-adv/Makefile @@ -12,7 +12,7 @@ PKG_NAME:=batman-adv PKG_VERSION:=2013.2.0 BATCTL_VERSION:=2013.2.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_MD5SUM:=9ec18300b96df22f0ed21c9f51e4ccef BATCTL_MD5SUM:=712f86cdd0f9076503fc48acf37e109e diff --git a/batman-adv/patches/0001-batman-adv-use-the-proper-header-len-when-checking-t.patch b/batman-adv/patches/0001-batman-adv-use-the-proper-header-len-when-checking-t.patch index 753825e..0327e03 100644 --- a/batman-adv/patches/0001-batman-adv-use-the-proper-header-len-when-checking-t.patch +++ b/batman-adv/patches/0001-batman-adv-use-the-proper-header-len-when-checking-t.patch @@ -1,7 +1,7 @@ From 9b96ecbae7295269aaa0320667f646870de65661 Mon Sep 17 00:00:00 2001 
From: Antonio Quartulli Date: Wed, 3 Apr 2013 10:14:20 +0200 -Subject: [PATCH 1/2] batman-adv: use the proper header len when checking the +Subject: [PATCH 1/6] batman-adv: use the proper header len when checking the TTVN Unicast packet might be of type either UNICAST or diff --git a/batman-adv/patches/0002-batman-adv-vlan-add-protocol-argument-to-packet-tagging-fun.patch b/batman-adv/patches/0002-batman-adv-vlan-add-protocol-argument-to-packet-tagging-fun.patch index cb88314..f00a33f 100644 --- a/batman-adv/patches/0002-batman-adv-vlan-add-protocol-argument-to-packet-tagging-fun.patch +++ b/batman-adv/patches/0002-batman-adv-vlan-add-protocol-argument-to-packet-tagging-fun.patch @@ -1,7 +1,7 @@ From 82d1a8ebf19a1b9841ee44ce7b2448114be3e772 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Wed, 24 Apr 2013 17:42:56 +0200 -Subject: [PATCH 2/2] net: vlan: add protocol argument to packet tagging +Subject: [PATCH 2/6] net: vlan: add protocol argument to packet tagging functions Add a protocol argument to the VLAN packet tagging functions. In case of HW diff --git a/batman-adv/patches/0003-batman-adv-check-proto-length-before-accessing-proto.patch b/batman-adv/patches/0003-batman-adv-check-proto-length-before-accessing-proto.patch new file mode 100644 index 0000000..b7cb91f --- /dev/null +++ b/batman-adv/patches/0003-batman-adv-check-proto-length-before-accessing-proto.patch 
@@ -0,0 +1,33 @@
+From aa7d19a5b97fe48657e075e8e4d130bd6916551e Mon Sep 17 00:00:00 2001
+From: Marek Lindner
+Date: Sat, 27 Apr 2013 16:22:28 +0800
+Subject: [PATCH 3/6] batman-adv: check proto length before accessing proto
+ string buffer
+
+batadv_param_set_ra() strips the trailing '\n' from the supplied
+string buffer without checking the length of the buffer first. This
+patches avoids random memory access and associated potential
+crashes.
+
+Reported-by: Sasha Levin
+Signed-off-by: Marek Lindner
+---
+ main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/main.c b/main.c
+index 3e30a0f..9c620cd 100644
+--- a/main.c
++++ b/main.c
+@@ -475,7 +475,7 @@ static int batadv_param_set_ra(const char *val, const struct kernel_param *kp)
+ char *algo_name = (char *)val;
+ size_t name_len = strlen(algo_name);
+
+- if (algo_name[name_len - 1] == '\n')
++ if (name_len > 0 && algo_name[name_len - 1] == '\n')
+ algo_name[name_len - 1] = '\0';
+
+ bat_algo_ops = batadv_algo_get(algo_name);
+--
+1.7.10.4
+
diff --git a/batman-adv/patches/0004-batman-adv-check-return-value-of-pskb_trim_rcsum.patch b/batman-adv/patches/0004-batman-adv-check-return-value-of-pskb_trim_rcsum.patch
new file mode 100644
index 0000000..29962a5
--- /dev/null
+++ b/batman-adv/patches/0004-batman-adv-check-return-value-of-pskb_trim_rcsum.patch
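Review bot: In the nested main.c hunk of patch 0003, `batadv_param_set_ra()` still writes the terminator through `val` after casting away its `const` (`char *algo_name = (char *)val;`), so the new `name_len > 0` guard fixes the access before the start of the buffer but leaves the function modifying a string its prototype promises not to touch. Whether every caller passes a writable buffer is not visible here; copying the name into a bounded local buffer and stripping the newline there would remove that assumption. The guard itself deserves a short comment, e.g. `/* empty string: nothing to strip, and name_len - 1 would index before the buffer */`. The function body starts and ends outside the hunk.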
@@ -0,0 +1,44 @@
+From d22ebef1431aab13099370b89afa4ba55eb95c35 Mon Sep 17 00:00:00 2001
+From: Marek Lindner
+Date: Tue, 7 May 2013 19:25:02 +0800
+Subject: [PATCH 4/6] batman-adv: check return value of pskb_trim_rcsum()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported-by: Sven Eckelmann
+Signed-off-by: Marek Lindner
+Acked-by: Martin Hundebøll
+---
+ network-coding.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/network-coding.c b/network-coding.c
+index f7c5430..e84629e 100644
+--- a/network-coding.c
++++ b/network-coding.c
+@@ -1514,6 +1514,7 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ struct ethhdr *ethhdr, ethhdr_tmp;
+ uint8_t *orig_dest, ttl, ttvn;
+ unsigned int coding_len;
++ int err;
+
+ /* Save headers temporarily */
+ memcpy(&coded_packet_tmp, skb->data, sizeof(coded_packet_tmp));
+@@ -1568,8 +1569,11 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ coding_len);
+
+ /* Resize decoded skb if decoded with larger packet */
+- if (nc_packet->skb->len > coding_len + h_size)
+- pskb_trim_rcsum(skb, coding_len + h_size);
++ if (nc_packet->skb->len > coding_len + h_size) {
++ err = pskb_trim_rcsum(skb, coding_len + h_size);
++ if (err)
++ return NULL;
++ }
+
+ /* Create decoded unicast packet */
+ unicast_packet = (struct batadv_unicast_packet *)skb->data;
+--
+1.7.10.4
+
diff --git a/batman-adv/patches/0005-batman-adv-make-DAT-drop-ARP-requests-targeting-loca.patch b/batman-adv/patches/0005-batman-adv-make-DAT-drop-ARP-requests-targeting-loca.patch
new file mode 100644
index 0000000..dd17f77
--- /dev/null
+++ b/batman-adv/patches/0005-batman-adv-make-DAT-drop-ARP-requests-targeting-loca.patch
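Review bot: The new `return NULL` in `batadv_nc_skb_decode_packet()` (patch 0004, second network-coding.c hunk) gives no indication of who releases `skb` and `nc_packet` on that path, and neither the rest of the function nor its caller is visible in these hunks. If the success path frees `nc_packet` further down, this early exit presumably needs the same release; otherwise the ownership should be stated once confirmed, e.g. `/* on failure the caller still owns skb and nc_packet */`. The `err` local is tested only once, so `if (pskb_trim_rcsum(skb, coding_len + h_size)) return NULL;` would avoid the extra declaration. The function body starts and ends outside both hunks.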
@@ -0,0 +1,48 @@
+From d6bd8b36fa1f3d72a6fd5942a6e9bde6ddafcd0d Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli
+Date: Thu, 9 May 2013 09:35:45 +0200
+Subject: [PATCH 5/6] batman-adv: make DAT drop ARP requests targeting local
+ clients
+
+In the outgoing ARP request snooping routine in DAT, ARP
+Request sent by local clients which are supposed to be
+replied by other local clients can be silently dropped.
+
+The destination host will reply by itself through the LAN
+and therefore there is no need to involve DAT.
+
+Reported-by: Carlos Quijano
+Signed-off-by: Antonio Quartulli
+Tested-by: Carlos Quijano
+Signed-off-by: Marek Lindner
+---
+ distributed-arp-table.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/distributed-arp-table.c b/distributed-arp-table.c
+index 8e15d96..2399920 100644
+--- a/distributed-arp-table.c
++++ b/distributed-arp-table.c
+@@ -837,6 +837,19 @@ bool batadv_dat_snoop_outgoing_arp_request(struct batadv_priv *bat_priv,
+
+ dat_entry = batadv_dat_entry_hash_find(bat_priv, ip_dst);
+ if (dat_entry) {
++ /* If the ARP request is destined for a local client the local
++ * client will answer itself. DAT would only generate a
++ * duplicate packet.
++ *
++ * Moreover, if the soft-interface is enslaved into a bridge, an
++ * additional DAT answer may trigger kernel warnings about
++ * a packet coming from the wrong port.
++ */
++ if (batadv_is_my_client(bat_priv, dat_entry->mac_addr)) {
++ ret = true;
++ goto out;
++ }
++
+ skb_new = arp_create(ARPOP_REPLY, ETH_P_ARP, ip_src,
+ bat_priv->soft_iface, ip_dst, hw_src,
+ dat_entry->mac_addr, hw_src);
+--
+1.7.10.4
+
diff --git a/batman-adv/patches/0006-batman-adv-reorder-clean-up-routine-in-order-to-avoi.patch b/batman-adv/patches/0006-batman-adv-reorder-clean-up-routine-in-order-to-avoi.patch
new file mode 100644
index 0000000..8fa5f47
--- /dev/null
+++ b/batman-adv/patches/0006-batman-adv-reorder-clean-up-routine-in-order-to-avoi.patch
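Review bot: The early exit added to `batadv_dat_snoop_outgoing_arp_request()` (patch 0005) decides to drop the request purely on the cached `dat_entry->mac_addr`, so a stale or incorrect DAT entry that maps the target IP to a local client's MAC would suppress the ARP request with no reply and no trace. How entries are aged or validated is not visible in the hunk, so this is worth confirming. A debug line before `goto out`, e.g. `batadv_dbg(BATADV_DBG_DAT, bat_priv, "ARP request for local client dropped\n");`, would make the drop observable when diagnosing missing replies. The branch also relies on the `out` label releasing the `dat_entry` reference, which lies outside the hunk.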
@@ -0,0 +1,57 @@
+From 763f413b9c74ccb25cb066408f49f07e5dd78f9b Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli
+Date: Tue, 7 May 2013 01:06:18 +0200
+Subject: [PATCH 6/6] batman-adv: reorder clean up routine in order to avoid
+ race conditions
+
+nc_worker accesses the originator table during its periodic
+work, but since the originator table is freed before
+stopping the worker this leads to a global protection fault.
+
+Fix this by killing the worker (in nc_free) before freeing
+the originator table.
+
+Moreover tidy up the entire clean up routine by running all
+the subcomponents freeing procedures first and then killing
+the TT and the originator tables at the end.
+
+Signed-off-by: Antonio Quartulli
+Signed-off-by: Marek Lindner
+---
+ main.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/main.c b/main.c
+index 9c620cd..1240f07 100644
+--- a/main.c
++++ b/main.c
+@@ -163,14 +163,22 @@ void batadv_mesh_free(struct net_device *soft_iface)
+ batadv_vis_quit(bat_priv);
+
+ batadv_gw_node_purge(bat_priv);
+- batadv_originator_free(bat_priv);
+ batadv_nc_free(bat_priv);
++ batadv_dat_free(bat_priv);
++ batadv_bla_free(bat_priv);
+
++ /* Free the TT and the originator tables only after having terminated
++ * all the other depending components which may use these structures for
++ * their purposes.
++ */
+ batadv_tt_free(bat_priv);
+
+- batadv_bla_free(bat_priv);
+-
+- batadv_dat_free(bat_priv);
++ /* Since the originator table clean up routine is accessing the TT
++ * tables as well, it has to be invoked after the TT tables have been
++ * freed and marked as empty. This ensures that no cleanup RCU callbacks
++ * accessing the TT data are scheduled for later execution.
++ */
++ batadv_originator_free(bat_priv);
+
+ free_percpu(bat_priv->bat_counters);
+
+--
+1.7.10.4
+
-- 2.35.1
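Review bot: The ordering that actually fixes the crash, `batadv_nc_free()` before `batadv_originator_free()` in `batadv_mesh_free()` (patch 0006), is explained only in the commit message; the added comments speak of "all the other depending components" without naming the nc worker. A short comment at the call, e.g. `/* stops nc_worker, which accesses the originator table; must precede batadv_originator_free() */`, would keep a later reshuffle from reintroducing the access to freed memory. The second added comment states that no RCU callbacks touching TT data remain scheduled, but no barrier is visible in the hunk, so that guarantee presumably comes from inside `batadv_tt_free()` and should be confirmed. The function continues outside the hunk.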