PKG_NAME:=batman-adv
PKG_VERSION:=2016.5
-PKG_RELEASE:=9
+PKG_RELEASE:=10
PKG_MD5SUM:=6717a933a08dd2a01b00df30cb9f16a8
PKG_HASH:=d0a0fc90c4f410b57d043215e253bb0b855efa5edbe165d87c17bfdcfafd0db7
#endif /* < KERNEL_VERSION(4, 7, 0) */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0)
+
+static inline void *batadv_skb_put(struct sk_buff *skb, unsigned int len)
+{
+ return (void *)skb_put(skb, len);
+}
+#define skb_put batadv_skb_put
+
+static inline void *skb_put_zero(struct sk_buff *skb, unsigned int len)
+{
+ void *tmp = skb_put(skb, len);
+
+ memset(tmp, 0, len);
+
+ return tmp;
+}
+
+static inline void *skb_put_data(struct sk_buff *skb, const void *data,
+ unsigned int len)
+{
+ void *tmp = skb_put(skb, len);
+
+ memcpy(tmp, data, len);
+
+ return tmp;
+}
+
+#endif /* < KERNEL_VERSION(4, 13, 0) */
+
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
--- /dev/null
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 15:08:44 +0200
+Subject: [PATCH] batman-adv: Avoid probe ELP information leak
+
+The probe ELPs for WiFi interfaces are expanded to contain at least
+BATADV_ELP_MIN_PROBE_SIZE bytes. This is usually a lot more than the
+number of bytes which the template ELP packet requires.
+
+These extra padding bytes were not initialized and thus could contain data
+which were previously stored at the same location. It is therefore required
+to set it to some predefined or random values to avoid leaking private
+information from the system transmitting these kind of packets.
+
+Fixes: bedcadfaa92b ("batman-adv: ELP - send unicast ELP packets for throughput sampling")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/6c876e572f592c31132a55b5fb8427e168e5fb3c
+---
+ net/batman-adv/bat_v_elp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index 06b2924f4cb7dde54bab97ad2d28aecd9b1a4ceb..e988a14f3eb01de1f52fe6dcaa91af898060140e 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -227,7 +227,7 @@ batadv_v_elp_wifi_neigh_probe(struct batadv_hardif_neigh_node *neigh)
+ * the packet to be exactly of that size to make the link
+ * throughput estimation effective.
+ */
+- skb_put(skb, probe_len - hard_iface->bat_v.elp_skb->len);
++ skb_put_zero(skb, probe_len - hard_iface->bat_v.elp_skb->len);
+
+ batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
+ "Sending unicast (probe) ELP packet on interface %s to %pM\n",
--- /dev/null
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 16:46:47 +0200
+Subject: [PATCH] batman-adv: Fix segfault when writing to throughput_override
+
+The per hardif sysfs file "batman_adv/throughput_override" prints the
+resulting change as info text when the users writes to this file. It uses
+the helper function batadv_info to add it at the same time to the kernel
+ring buffer and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG
+is enabled).
+
+The function batadv_info requires as first parameter the batman-adv softif
+net_device. This parameter is then used to find the private buffer which
+contains the debug log for this batman-adv interface. But
+batadv_store_throughput_override used as first argument the slave
+net_device. This slave device doesn't have the batadv_priv private data
+which is access by batadv_info.
+
+Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
+to a segfault or to memory corruption.
+
+Fixes: c513176e4b7a ("batman-adv: add throughput override attribute to hard_ifaces")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/ddf99b78e255530cbadc0f67656a549e19520280
+---
+ net/batman-adv/sysfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c
+index 17c844196eb26c9faf9fd543b88cd86cc1c2c029..ae22db3d6637dde2fcc238826a624ef2d6dbd8f5 100644
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -1078,8 +1078,9 @@ static ssize_t batadv_store_throughput_override(struct kobject *kobj,
+ if (old_tp_override == tp_override)
+ goto out;
+
+- batadv_info(net_dev, "%s: Changing from: %u.%u MBit to: %u.%u MBit\n",
+- "throughput_override",
++ batadv_info(hard_iface->soft_iface,
++ "%s: %s: Changing from: %u.%u MBit to: %u.%u MBit\n",
++ "throughput_override", net_dev->name,
+ old_tp_override / 10, old_tp_override % 10,
+ tp_override / 10, tp_override % 10);
+
--- /dev/null
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 16:56:29 +0200
+Subject: [PATCH] batman-adv: Fix segfault when writing to sysfs elp_interval
+
+The per hardif sysfs file "batman_adv/elp_interval" is using the generic
+functions to store/show uint values. The helper __batadv_store_uint_attr
+requires the softif net_device as parameter to print the resulting change
+as info text when the users writes to this file. It uses the helper
+function batadv_info to add it at the same time to the kernel ring buffer
+and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled).
+
+The function batadv_info requires as first parameter the batman-adv softif
+net_device. This parameter is then used to find the private buffer which
+contains the debug log for this batman-adv interface. But
+batadv_store_throughput_override used as first argument the slave
+net_device. This slave device doesn't have the batadv_priv private data
+which is access by batadv_info.
+
+Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
+to a segfault or to memory corruption.
+
+Fixes: ec46535b8275 ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/848be9859b0109a6e428f92f21f2e660153b1c75
+---
+ net/batman-adv/sysfs.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c
+index ae22db3d6637dde2fcc238826a624ef2d6dbd8f5..a4e6f158de26dea0e8e3fefd5b9aeec3dcd64457 100644
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -186,7 +186,8 @@ ssize_t batadv_store_##_name(struct kobject *kobj, \
+ \
+ return __batadv_store_uint_attr(buff, count, _min, _max, \
+ _post_func, attr, \
+- &bat_priv->_var, net_dev); \
++ &bat_priv->_var, net_dev, \
++ NULL); \
+ }
+
+ #define BATADV_ATTR_SIF_SHOW_UINT(_name, _var) \
+@@ -260,7 +261,9 @@ ssize_t batadv_store_##_name(struct kobject *kobj, \
+ \
+ length = __batadv_store_uint_attr(buff, count, _min, _max, \
+ _post_func, attr, \
+- &hard_iface->_var, net_dev); \
++ &hard_iface->_var, \
++ hard_iface->soft_iface, \
++ net_dev); \
+ \
+ batadv_hardif_put(hard_iface); \
+ return length; \
+@@ -354,10 +357,12 @@ __batadv_store_bool_attr(char *buff, size_t count,
+
+ static int batadv_store_uint_attr(const char *buff, size_t count,
+ struct net_device *net_dev,
++ struct net_device *slave_dev,
+ const char *attr_name,
+ unsigned int min, unsigned int max,
+ atomic_t *attr)
+ {
++ char ifname[IFNAMSIZ + 3] = "";
+ unsigned long uint_val;
+ int ret;
+
+@@ -383,8 +388,11 @@ static int batadv_store_uint_attr(const char *buff, size_t count,
+ if (atomic_read(attr) == uint_val)
+ return count;
+
+- batadv_info(net_dev, "%s: Changing from: %i to: %lu\n",
+- attr_name, atomic_read(attr), uint_val);
++ if (slave_dev)
++ snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name);
++
++ batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n",
++ attr_name, ifname, atomic_read(attr), uint_val);
+
+ atomic_set(attr, uint_val);
+ return count;
+@@ -395,12 +403,13 @@ static ssize_t __batadv_store_uint_attr(const char *buff, size_t count,
+ void (*post_func)(struct net_device *),
+ const struct attribute *attr,
+ atomic_t *attr_store,
+- struct net_device *net_dev)
++ struct net_device *net_dev,
++ struct net_device *slave_dev)
+ {
+ int ret;
+
+- ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max,
+- attr_store);
++ ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev,
++ attr->name, min, max, attr_store);
+ if (post_func && ret)
+ post_func(net_dev);
+
+@@ -569,7 +578,7 @@ static ssize_t batadv_store_gw_sel_class(struct kobject *kobj,
+ return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE,
+ batadv_post_gw_reselect, attr,
+ &bat_priv->gw.sel_class,
+- bat_priv->soft_iface);
++ bat_priv->soft_iface, NULL);
+ }
+
+ static ssize_t batadv_show_gw_bwidth(struct kobject *kobj,
--- /dev/null
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Fri, 7 Sep 2018 05:45:54 +0800
+Subject: [PATCH] batman-adv: fix backbone_gw refcount on queue_work() failure
+
+The backbone_gw refcounter is to be decreased by the queued work and
+currently is never decreased if the queue_work() call fails.
+Fix by checking the queue_work() return value and decrease refcount
+if necessary.
+
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/24d83a50421c1c5d39cd9c015516a1a293ae8d0c
+---
+ net/batman-adv/bridge_loop_avoidance.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index aecf34503e95d9aa723449ddbf0bb3035336b878..258a74fd1c237fbf1b81dfc1c48720d8359b0ecc 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1767,6 +1767,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ {
+ struct batadv_bla_backbone_gw *backbone_gw;
+ struct ethhdr *ethhdr;
++ bool ret;
+
+ ethhdr = eth_hdr(skb);
+
+@@ -1790,8 +1791,13 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ if (unlikely(!backbone_gw))
+ return true;
+
+- queue_work(batadv_event_workqueue, &backbone_gw->report_work);
+- /* backbone_gw is unreferenced in the report work function function */
++ ret = queue_work(batadv_event_workqueue, &backbone_gw->report_work);
++
++ /* backbone_gw is unreferenced in the report work function function
++ * if queue_work() call was successful
++ */
++ if (!ret)
++ batadv_backbone_gw_put(backbone_gw);
+
+ return true;
+ }
--- /dev/null
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Fri, 7 Sep 2018 05:45:55 +0800
+Subject: [PATCH] batman-adv: fix hardif_neigh refcount on queue_work() failure
+
+The hardif_neigh refcounter is to be decreased by the queued work and
+currently is never decreased if the queue_work() call fails.
+Fix by checking the queue_work() return value and decrease refcount
+if necessary.
+
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/85100b602c127cecf1bcfd620d20eb867d685df2
+---
+ net/batman-adv/bat_v_elp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index e988a14f3eb01de1f52fe6dcaa91af898060140e..2ec0ecab0493ff88fdc01e55c8557de5b772e8bf 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -254,6 +254,7 @@ static void batadv_v_elp_periodic_work(struct work_struct *work)
+ struct batadv_priv *bat_priv;
+ struct sk_buff *skb;
+ u32 elp_interval;
++ bool ret;
+
+ bat_v = container_of(work, struct batadv_hard_iface_bat_v, elp_wq.work);
+ hard_iface = container_of(bat_v, struct batadv_hard_iface, bat_v);
+@@ -315,8 +316,11 @@ static void batadv_v_elp_periodic_work(struct work_struct *work)
+ * may sleep and that is not allowed in an rcu protected
+ * context. Therefore schedule a task for that.
+ */
+- queue_work(batadv_event_workqueue,
+- &hardif_neigh->bat_v.metric_work);
++ ret = queue_work(batadv_event_workqueue,
++ &hardif_neigh->bat_v.metric_work);
++
++ if (!ret)
++ batadv_hardif_neigh_put(hardif_neigh);
+ }
+ rcu_read_unlock();
+
--- /dev/null
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 6 Sep 2018 14:35:24 +0200
+Subject: [PATCH] batman-adv: Prevent duplicated gateway_node entry
+
+The function batadv_gw_node_add is responsible for adding new gw_node to
+the gateway_list. It is expecting that the caller already checked that
+there is not already an entry with the same key or not.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: bc3538cabac5 ("batman-adv: adding gateway functionality")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/69b3ca714eba608fe79a51ccd89ce7050ee0b770
+---
+ net/batman-adv/gateway_client.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
+index f1fdf4e7f5c3ce7f20339dcee3b6e43290ea3b4e..a6f5a3969529745d6efa1d43a89440745e1926ad 100644
+--- a/net/batman-adv/gateway_client.c
++++ b/net/batman-adv/gateway_client.c
+@@ -31,6 +31,7 @@
+ #include <linux/kernel.h>
+ #include <linux/kref.h>
+ #include <linux/list.h>
++#include <linux/lockdep.h>
+ #include <linux/netdevice.h>
+ #include <linux/netlink.h>
+ #include <linux/rculist.h>
+@@ -325,6 +326,9 @@ out:
+ * @bat_priv: the bat priv with all the soft interface information
+ * @orig_node: originator announcing gateway capabilities
+ * @gateway: announced bandwidth information
++ *
++ * Has to be called with the appropriate locks being acquired
++ * (gw.list_lock).
+ */
+ static void batadv_gw_node_add(struct batadv_priv *bat_priv,
+ struct batadv_orig_node *orig_node,
+@@ -332,6 +336,8 @@ static void batadv_gw_node_add(struct batadv_priv *bat_priv,
+ {
+ struct batadv_gw_node *gw_node;
+
++ lockdep_assert_held(&bat_priv->gw.list_lock);
++
+ if (gateway->bandwidth_down == 0)
+ return;
+
+@@ -346,10 +352,8 @@ static void batadv_gw_node_add(struct batadv_priv *bat_priv,
+ gw_node->bandwidth_down = ntohl(gateway->bandwidth_down);
+ gw_node->bandwidth_up = ntohl(gateway->bandwidth_up);
+
+- spin_lock_bh(&bat_priv->gw.list_lock);
+ kref_get(&gw_node->refcount);
+ hlist_add_head_rcu(&gw_node->list, &bat_priv->gw.gateway_list);
+- spin_unlock_bh(&bat_priv->gw.list_lock);
+
+ batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
+ "Found new gateway %pM -> gw bandwidth: %u.%u/%u.%u MBit\n",
+@@ -405,11 +409,14 @@ void batadv_gw_node_update(struct batadv_priv *bat_priv,
+ {
+ struct batadv_gw_node *gw_node, *curr_gw = NULL;
+
++ spin_lock_bh(&bat_priv->gw.list_lock);
+ gw_node = batadv_gw_node_get(bat_priv, orig_node);
+ if (!gw_node) {
+ batadv_gw_node_add(bat_priv, orig_node, gateway);
++ spin_unlock_bh(&bat_priv->gw.list_lock);
+ goto out;
+ }
++ spin_unlock_bh(&bat_priv->gw.list_lock);
+
+ if ((gw_node->bandwidth_down == ntohl(gateway->bandwidth_down)) &&
+ (gw_node->bandwidth_up == ntohl(gateway->bandwidth_up)))
--- /dev/null
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 6 Sep 2018 14:35:25 +0200
+Subject: [PATCH] batman-adv: Prevent duplicated nc_node entry
+
+The function batadv_nc_get_nc_node is responsible for adding new nc_nodes
+to the in_coding_list and out_coding_list. It first checks whether the
+entry already is in the list or not. If it is, then the creation of a new
+entry is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: 3ed7ada3f0bb ("batman-adv: network coding - detect coding nodes and remove these after timeout")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/bab8447ad1850b25188f9652c0c52f8e58acd656
+---
+ net/batman-adv/network-coding.c | 41 ++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 19 deletions(-)
+
+diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c
+index ab5a3bf0765f36f2fe14ff4a91d43d905e08a1f3..3279f7f3b97fd56535071b857cebebd68a5b3484 100644
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -850,24 +850,6 @@ batadv_nc_get_nc_node(struct batadv_priv *bat_priv,
+ spinlock_t *lock; /* Used to lock list selected by "int in_coding" */
+ struct list_head *list;
+
+- /* Check if nc_node is already added */
+- nc_node = batadv_nc_find_nc_node(orig_node, orig_neigh_node, in_coding);
+-
+- /* Node found */
+- if (nc_node)
+- return nc_node;
+-
+- nc_node = kzalloc(sizeof(*nc_node), GFP_ATOMIC);
+- if (!nc_node)
+- return NULL;
+-
+- /* Initialize nc_node */
+- INIT_LIST_HEAD(&nc_node->list);
+- kref_init(&nc_node->refcount);
+- ether_addr_copy(nc_node->addr, orig_node->orig);
+- kref_get(&orig_neigh_node->refcount);
+- nc_node->orig_node = orig_neigh_node;
+-
+ /* Select ingoing or outgoing coding node */
+ if (in_coding) {
+ lock = &orig_neigh_node->in_coding_list_lock;
+@@ -877,13 +859,34 @@ batadv_nc_get_nc_node(struct batadv_priv *bat_priv,
+ list = &orig_neigh_node->out_coding_list;
+ }
+
++ spin_lock_bh(lock);
++
++ /* Check if nc_node is already added */
++ nc_node = batadv_nc_find_nc_node(orig_node, orig_neigh_node, in_coding);
++
++ /* Node found */
++ if (nc_node)
++ goto unlock;
++
++ nc_node = kzalloc(sizeof(*nc_node), GFP_ATOMIC);
++ if (!nc_node)
++ goto unlock;
++
++ /* Initialize nc_node */
++ INIT_LIST_HEAD(&nc_node->list);
++ kref_init(&nc_node->refcount);
++ ether_addr_copy(nc_node->addr, orig_node->orig);
++ kref_get(&orig_neigh_node->refcount);
++ nc_node->orig_node = orig_neigh_node;
++
+ batadv_dbg(BATADV_DBG_NC, bat_priv, "Adding nc_node %pM -> %pM\n",
+ nc_node->addr, nc_node->orig_node->orig);
+
+ /* Add nc_node to orig_node */
+- spin_lock_bh(lock);
+ kref_get(&nc_node->refcount);
+ list_add_tail_rcu(&nc_node->list, list);
++
++unlock:
+ spin_unlock_bh(lock);
+
+ return nc_node;
--- /dev/null
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 6 Sep 2018 14:35:26 +0200
+Subject: [PATCH] batman-adv: Prevent duplicated softif_vlan entry
+
+The function batadv_softif_vlan_get is responsible for adding new
+softif_vlan to the softif_vlan_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: 952cebb57518 ("batman-adv: add per VLAN interface attribute framework")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/023d3f64207e8b6a6e6d0718d98e239c5545ef0c
+---
+ net/batman-adv/soft-interface.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index 5da1a1c0f1efb5d95f31bc852b899f61e462feb1..ff797f32fb3bb81dafe1e7d3e9c6307e6a5aaff1 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -587,15 +587,20 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
+ struct batadv_softif_vlan *vlan;
+ int err;
+
++ spin_lock_bh(&bat_priv->softif_vlan_list_lock);
++
+ vlan = batadv_softif_vlan_get(bat_priv, vid);
+ if (vlan) {
+ batadv_softif_vlan_put(vlan);
++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+ return -EEXIST;
+ }
+
+ vlan = kzalloc(sizeof(*vlan), GFP_ATOMIC);
+- if (!vlan)
++ if (!vlan) {
++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+ return -ENOMEM;
++ }
+
+ vlan->bat_priv = bat_priv;
+ vlan->vid = vid;
+@@ -603,17 +608,23 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
+
+ atomic_set(&vlan->ap_isolation, 0);
+
+- err = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan);
+- if (err) {
+- kfree(vlan);
+- return err;
+- }
+-
+- spin_lock_bh(&bat_priv->softif_vlan_list_lock);
+ kref_get(&vlan->refcount);
+ hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
+ spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+
++ /* batadv_sysfs_add_vlan cannot be in the spinlock section due to the
++ * sleeping behavior of the sysfs functions and the fs_reclaim lock
++ */
++ err = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan);
++ if (err) {
++ /* ref for the function */
++ batadv_softif_vlan_put(vlan);
++
++ /* ref for the list */
++ batadv_softif_vlan_put(vlan);
++ return err;
++ }
++
+ /* add a new TT local entry. This one will be marked with the NOPURGE
+ * flag
+ */
--- /dev/null
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 6 Sep 2018 14:35:27 +0200
+Subject: [PATCH] batman-adv: Prevent duplicated global TT entry
+
+The function batadv_tt_global_orig_entry_add is responsible for adding new
+tt_orig_list_entry to the orig_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: c5eb5bb30321 ("batman-adv: add reference counting for type batadv_tt_orig_list_entry")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/79097255a1a3e1bd1949be309af941181fbc7b36
+---
+ net/batman-adv/translation-table.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 143a00f90d1d925aad7113f897d06f435f28dcd8..b32853cbab028f0a052492545bb803efdcdb0ff3 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1603,6 +1603,8 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
+ {
+ struct batadv_tt_orig_list_entry *orig_entry;
+
++ spin_lock_bh(&tt_global->list_lock);
++
+ orig_entry = batadv_tt_global_orig_entry_find(tt_global, orig_node);
+ if (orig_entry) {
+ /* refresh the ttvn: the current value could be a bogus one that
+@@ -1625,11 +1627,9 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
+ orig_entry->flags = flags;
+ kref_init(&orig_entry->refcount);
+
+- spin_lock_bh(&tt_global->list_lock);
+ kref_get(&orig_entry->refcount);
+ hlist_add_head_rcu(&orig_entry->list,
+ &tt_global->orig_list);
+- spin_unlock_bh(&tt_global->list_lock);
+ atomic_inc(&tt_global->orig_list_count);
+
+ sync_flags:
+@@ -1637,6 +1637,8 @@ sync_flags:
+ out:
+ if (orig_entry)
+ batadv_tt_orig_list_entry_put(orig_entry);
++
++ spin_unlock_bh(&tt_global->list_lock);
+ }
+
+ /**
--- /dev/null
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 6 Sep 2018 14:35:28 +0200
+Subject: [PATCH] batman-adv: Prevent duplicated tvlv handler
+
+The function batadv_tvlv_handler_register is responsible for adding new
+tvlv_handler to the handler_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: 0b6aa0d43767 ("batman-adv: tvlv - basic infrastructure")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/acabad79e01740525cf4ff8ce6e9a210b683d420
+---
+ net/batman-adv/tvlv.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
+index a783420356ae0cd4a6273b3b7a04781242e37a82..1eccc49a793004db82346f9dc3be7fcc2386417b 100644
+--- a/net/batman-adv/tvlv.c
++++ b/net/batman-adv/tvlv.c
+@@ -528,15 +528,20 @@ void batadv_tvlv_handler_register(struct batadv_priv *bat_priv,
+ {
+ struct batadv_tvlv_handler *tvlv_handler;
+
++ spin_lock_bh(&bat_priv->tvlv.handler_list_lock);
++
+ tvlv_handler = batadv_tvlv_handler_get(bat_priv, type, version);
+ if (tvlv_handler) {
++ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
+ batadv_tvlv_handler_put(tvlv_handler);
+ return;
+ }
+
+ tvlv_handler = kzalloc(sizeof(*tvlv_handler), GFP_ATOMIC);
+- if (!tvlv_handler)
++ if (!tvlv_handler) {
++ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
+ return;
++ }
+
+ tvlv_handler->ogm_handler = optr;
+ tvlv_handler->unicast_handler = uptr;
+@@ -546,7 +551,6 @@ void batadv_tvlv_handler_register(struct batadv_priv *bat_priv,
+ kref_init(&tvlv_handler->refcount);
+ INIT_HLIST_NODE(&tvlv_handler->list);
+
+- spin_lock_bh(&bat_priv->tvlv.handler_list_lock);
+ kref_get(&tvlv_handler->refcount);
+ hlist_add_head_rcu(&tvlv_handler->list, &bat_priv->tvlv.handler_list);
+ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
projects / feed / routing.git / commitdiff