--- /dev/null
+From f63c54bba31d2c86269982fd8efdfb618f1daabe Mon Sep 17 00:00:00 2001
+From: Ruben Wisniewski <ruben@freifunk-nrw.de>
+Date: Tue, 26 May 2015 18:34:27 +0200
+Subject: [PATCH 01/10] batman-adv: Avoid u32 overflow during gateway select
+
+The gateway selection based on fast connections is using a single value
+calculated from the average tq (0-255) and the download bandwidth (in
+100Kibit). The formula for the first step (tq ** 2 * 10000 * bandwidth)
+tends to overflow a u32 with low bandwidth settings like 50 [100KiBit]
+and a tq value of over 92.
+
+Changing this to a 64 bit unsigned integer allows to support a
+bandwidth_down with up to ~2.8e10 [100KiBit] and a perfect tq of 255. This
+is ~6.6 times higher than the maximum possible value of the gateway
+announcement TVLV.
+
+This problem only affects the non-default gw_sel_class 1.
+
+Signed-off-by: Ruben Wisniewsi <ruben@vfn-nrw.de>
+[sven@narfation.org: rewritten commit message, changed to kernel type]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ gateway_client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gateway_client.c b/gateway_client.c
+index a85eaca..3f32357 100644
+--- a/gateway_client.c
++++ b/gateway_client.c
+@@ -133,7 +133,7 @@ batadv_gw_get_best_gw_node(struct batadv_priv *bat_priv)
+ struct batadv_neigh_node *router;
+ struct batadv_neigh_ifinfo *router_ifinfo;
+ struct batadv_gw_node *gw_node, *curr_gw = NULL;
+- uint32_t max_gw_factor = 0, tmp_gw_factor = 0;
++ uint64_t max_gw_factor = 0, tmp_gw_factor = 0;
+ uint32_t gw_divisor;
+ uint8_t max_tq = 0;
+ uint8_t tq_avg;
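Review bot: Widening max_gw_factor and tmp_gw_factor to uint64_t only removes the overflow if the multiplication itself is carried out in 64-bit; an expression whose operands are all uint8_t/uint32_t (tq_avg, the bandwidth value, the 10000 constant) is still evaluated in 32-bit arithmetic and only the already-wrapped result is widened on assignment. The computation is below this hunk, so check that it either accumulates step by step (`tmp_gw_factor *= ...`, where each step is promoted to uint64_t) or widens the first operand explicitly, e.g. `tmp_gw_factor = (uint64_t)tq_avg * tq_avg;`. A one-line comment at the declaration stating why 64-bit is needed (`/* 255^2 * 10000 * bandwidth_down exceeds u32 */`) would keep the next refactor from narrowing it again. batadv_gw_get_best_gw_node's body continues outside the hunk.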
+--
+2.1.4
+
--- /dev/null
+From 9bbd794030657fe0d38590cd67d4801b989cebf9 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@meshcoding.com>
+Date: Mon, 1 Jun 2015 17:29:57 +0200
+Subject: [PATCH 02/10] batman-adv: avoid DAT to mess up LAN state
+
+When a node running DAT receives an ARP request from the LAN for the
+first time, it is likely that this node will request the ARP entry
+through the distributed ARP table (DAT) in the mesh.
+
+Once a DAT reply is received the asking node must check if the MAC
+address for which the IP address has been asked is local. If it is, the
+node must drop the ARP reply because the client should have replied on
+its own locally.
+
+Forwarding this reply means fooling any L2 bridge (e.g. Ethernet
+switches) lying between the batman-adv node and the LAN. This happens
+because the L2 bridge will think that the client sending the ARP reply
+lies somewhere in the mesh, while this node is sitting in the same LAN.
+
+Reported-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ distributed-arp-table.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/distributed-arp-table.c b/distributed-arp-table.c
+index da1742d..0d791dc 100644
+--- a/distributed-arp-table.c
++++ b/distributed-arp-table.c
+@@ -1107,6 +1107,9 @@ void batadv_dat_snoop_outgoing_arp_reply(struct batadv_priv *bat_priv,
+ * @bat_priv: the bat priv with all the soft interface information
+ * @skb: packet to check
+ * @hdr_size: size of the encapsulation header
++ *
++ * Returns true if the packet was snooped and consumed by DAT. False if the
++ * packet has to be delivered to the interface
+ */
+ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ struct sk_buff *skb, int hdr_size)
+@@ -1114,7 +1117,7 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ uint16_t type;
+ __be32 ip_src, ip_dst;
+ uint8_t *hw_src, *hw_dst;
+- bool ret = false;
++ bool dropped = false;
+ unsigned short vid;
+
+ if (!atomic_read(&bat_priv->distributed_arp_table))
+@@ -1143,12 +1146,17 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ /* if this REPLY is directed to a client of mine, let's deliver the
+ * packet to the interface
+ */
+- ret = !batadv_is_my_client(bat_priv, hw_dst, vid);
++ dropped = !batadv_is_my_client(bat_priv, hw_dst, vid);
++
++ /* if this REPLY is sent on behalf of a client of mine, let's drop the
++ * packet because the client will reply by itself
++ */
++ dropped |= batadv_is_my_client(bat_priv, hw_src, vid);
+ out:
+- if (ret)
++ if (dropped)
+ kfree_skb(skb);
+- /* if ret == false -> packet has to be delivered to the interface */
+- return ret;
++ /* if dropped == false -> deliver to the interface */
++ return dropped;
+ }
+
+ /**
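Review bot: `dropped |= batadv_is_my_client(bat_priv, hw_src, vid);` performs the second client lookup even when the hw_dst check has already decided to drop the reply, so every such packet costs two hash lookups; guarding it with `if (!dropped) dropped = batadv_is_my_client(bat_priv, hw_src, vid);` avoids the redundant lookup and makes the two independent drop reasons explicit. Style only, the resulting boolean is the same either way. The rename from ret to dropped is a good readability change; the comment above the second check could also say what is protected (`/* ... otherwise the bridge in front of the LAN would learn the client's MAC on the mesh side */`), which is the actual reason given in the commit message.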
+--
+2.1.4
+
--- /dev/null
+From bfd0fbaef270ac4ed8e4457a38ef8d91190c0540 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Tue, 16 Jun 2015 17:10:22 +0200
+Subject: [PATCH 03/10] batman-adv: Make DAT capability changes atomic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bitwise OR/AND assignments in C aren't guaranteed to be atomic. One
+OGM handler might undo the set/clear of a specific bit from another
+handler run in between.
+
+Fix this by using the atomic set_bit()/clear_bit() functions.
+
+Fixes: 2b1c07b918d2 ("batman-adv: tvlv - add distributed arp table container")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ distributed-arp-table.c | 4 ++--
+ types.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/distributed-arp-table.c b/distributed-arp-table.c
+index 0d791dc..b2cc19b 100644
+--- a/distributed-arp-table.c
++++ b/distributed-arp-table.c
+@@ -682,9 +682,9 @@ static void batadv_dat_tvlv_ogm_handler_v1(struct batadv_priv *bat_priv,
+ uint16_t tvlv_value_len)
+ {
+ if (flags & BATADV_TVLV_HANDLER_OGM_CIFNOTFND)
+- orig->capabilities &= ~BATADV_ORIG_CAPA_HAS_DAT;
++ clear_bit(BATADV_ORIG_CAPA_HAS_DAT, &orig->capabilities);
+ else
+- orig->capabilities |= BATADV_ORIG_CAPA_HAS_DAT;
++ set_bit(BATADV_ORIG_CAPA_HAS_DAT, &orig->capabilities);
+ }
+
+ /**
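Review bot: set_bit() and clear_bit() take a bit *number*, whereas the replaced `&= ~BATADV_ORIG_CAPA_HAS_DAT` / `|= BATADV_ORIG_CAPA_HAS_DAT` used the constant as a bit *mask*; if enum batadv_orig_capabilities is defined with BIT(n) values, as that original usage suggests, the new calls address a different bit than every remaining mask test, and the diffstat (types.h | 2 +-) shows no enum change in this commit. The same applies to patches 04, 05 and 06, and patch 07 still reads the flags as masks (`orig->capabilities & BATADV_ORIG_CAPA_HAS_MCAST`, `orig->capa_initialized & BATADV_ORIG_CAPA_HAS_MCAST` in the multicast.c @@ -674 and @@ -740 hunks). Once the enum holds bit numbers those reads have to become `test_bit(BATADV_ORIG_CAPA_HAS_MCAST, &orig->capabilities)`; a plain `&` read next to set_bit()/clear_bit() writers is also not the atomic access the commit message describes. Please confirm the enum definition in the same series, and document the convention at the enum (`/* bit numbers for set_bit()/test_bit(), not masks */`).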
+diff --git a/types.h b/types.h
+index 28f2461..e33b5aa 100644
+--- a/types.h
++++ b/types.h
+@@ -256,7 +256,7 @@ struct batadv_orig_node {
+ struct hlist_node mcast_want_all_ipv4_node;
+ struct hlist_node mcast_want_all_ipv6_node;
+ #endif
+- uint8_t capabilities;
++ unsigned long capabilities;
+ uint8_t capa_initialized;
+ atomic_t last_ttvn;
+ unsigned char *tt_buff;
+--
+2.1.4
+
--- /dev/null
+From 586df9e2537b51c0df7ce99576c3cee1681b64de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Tue, 16 Jun 2015 17:10:23 +0200
+Subject: [PATCH 04/10] batman-adv: Make NC capability changes atomic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bitwise OR/AND assignments in C aren't guaranteed to be atomic. One
+OGM handler might undo the set/clear of a specific bit from another
+handler run in between.
+
+Fix this by using the atomic set_bit()/clear_bit() functions.
+
+Fixes: 7dd9d8992b0c ("batman-adv: tvlv - add network coding container")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ network-coding.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/network-coding.c b/network-coding.c
+index 89e1d47..3ce493e 100644
+--- a/network-coding.c
++++ b/network-coding.c
+@@ -105,9 +105,9 @@ static void batadv_nc_tvlv_ogm_handler_v1(struct batadv_priv *bat_priv,
+ uint16_t tvlv_value_len)
+ {
+ if (flags & BATADV_TVLV_HANDLER_OGM_CIFNOTFND)
+- orig->capabilities &= ~BATADV_ORIG_CAPA_HAS_NC;
++ clear_bit(BATADV_ORIG_CAPA_HAS_NC, &orig->capabilities);
+ else
+- orig->capabilities |= BATADV_ORIG_CAPA_HAS_NC;
++ set_bit(BATADV_ORIG_CAPA_HAS_NC, &orig->capabilities);
+ }
+
+ /**
+--
+2.1.4
+
--- /dev/null
+From a51fa16ecf3f079518baaa56bffae343bd5694f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Tue, 16 Jun 2015 17:10:24 +0200
+Subject: [PATCH 05/10] batman-adv: Make TT capability changes atomic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bitwise OR/AND assignments in C aren't guaranteed to be atomic. One
+OGM handler might undo the set/clear of a specific bit from another
+handler run in between.
+
+Fix this by using the atomic set_bit()/clear_bit() functions.
+
+Fixes: 5d2121af6d31 ("batman-adv: introduce capability initialization bitfield")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ translation-table.c | 4 ++--
+ types.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/translation-table.c b/translation-table.c
+index b098e53..e95a424 100644
+--- a/translation-table.c
++++ b/translation-table.c
+@@ -1843,7 +1843,7 @@ void batadv_tt_global_del_orig(struct batadv_priv *bat_priv,
+ }
+ spin_unlock_bh(list_lock);
+ }
+- orig_node->capa_initialized &= ~BATADV_ORIG_CAPA_HAS_TT;
++ clear_bit(BATADV_ORIG_CAPA_HAS_TT, &orig_node->capa_initialized);
+ }
+
+ static bool batadv_tt_global_to_purge(struct batadv_tt_global_entry *tt_global,
+@@ -2802,7 +2802,7 @@ static void _batadv_tt_update_changes(struct batadv_priv *bat_priv,
+ return;
+ }
+ }
+- orig_node->capa_initialized |= BATADV_ORIG_CAPA_HAS_TT;
++ set_bit(BATADV_ORIG_CAPA_HAS_TT, &orig_node->capa_initialized);
+ }
+
+ static void batadv_tt_fill_gtable(struct batadv_priv *bat_priv,
+diff --git a/types.h b/types.h
+index e33b5aa..c6ec558 100644
+--- a/types.h
++++ b/types.h
+@@ -257,7 +257,7 @@ struct batadv_orig_node {
+ struct hlist_node mcast_want_all_ipv6_node;
+ #endif
+ unsigned long capabilities;
+- uint8_t capa_initialized;
++ unsigned long capa_initialized;
+ atomic_t last_ttvn;
+ unsigned char *tt_buff;
+ int16_t tt_buff_len;
+--
+2.1.4
+
--- /dev/null
+From 201a54ba710ab7f40b82ad3c109f702c47d0761f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Tue, 16 Jun 2015 17:10:25 +0200
+Subject: [PATCH 06/10] batman-adv: Make MCAST capability changes atomic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bitwise OR/AND assignments in C aren't guaranteed to be atomic. One
+OGM handler might undo the set/clear of a specific bit from another
+handler run in between.
+
+Fix this by using the atomic set_bit()/clear_bit() functions.
+
+Fixes: 77ec494490d6 ("batman-adv: Announce new capability via multicast TVLV")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ multicast.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/multicast.c b/multicast.c
+index 09f2838..00612bf 100644
+--- a/multicast.c
++++ b/multicast.c
+@@ -684,7 +684,7 @@ static void batadv_mcast_tvlv_ogm_handler_v1(struct batadv_priv *bat_priv,
+ !(orig->capabilities & BATADV_ORIG_CAPA_HAS_MCAST)) {
+ if (orig_initialized)
+ atomic_dec(&bat_priv->mcast.num_disabled);
+- orig->capabilities |= BATADV_ORIG_CAPA_HAS_MCAST;
++ set_bit(BATADV_ORIG_CAPA_HAS_MCAST, &orig->capabilities);
+ /* If mcast support is being switched off or if this is an initial
+ * OGM without mcast support then increase the disabled mcast
+ * node counter.
+@@ -693,10 +693,10 @@ static void batadv_mcast_tvlv_ogm_handler_v1(struct batadv_priv *bat_priv,
+ (orig->capabilities & BATADV_ORIG_CAPA_HAS_MCAST ||
+ !orig_initialized)) {
+ atomic_inc(&bat_priv->mcast.num_disabled);
+- orig->capabilities &= ~BATADV_ORIG_CAPA_HAS_MCAST;
++ clear_bit(BATADV_ORIG_CAPA_HAS_MCAST, &orig->capabilities);
+ }
+
+- orig->capa_initialized |= BATADV_ORIG_CAPA_HAS_MCAST;
++ set_bit(BATADV_ORIG_CAPA_HAS_MCAST, &orig->capa_initialized);
+
+ if (orig_mcast_enabled && tvlv_value &&
+ (tvlv_value_len >= sizeof(mcast_flags)))
+--
+2.1.4
+
--- /dev/null
+From 7f220ed1f063be00833bd34a013c8f3f45884031 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Tue, 16 Jun 2015 17:10:26 +0200
+Subject: [PATCH 07/10] batman-adv: Fix potential synchronization issues in
+ mcast tvlv handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So far the mcast tvlv handler did not anticipate the processing of
+multiple incoming OGMs from the same originator at the same time. This
+can lead to various issues:
+
+* Broken refcounting: For instance two mcast handlers might both assume
+ that an originator just got multicast capabilities and will together
+ wrongly decrease mcast.num_disabled by two, potentially leading to
+ an integer underflow.
+
+* Potential kernel panic on hlist_del_rcu(): Two mcast handlers might
+ one after another try to do an
+ hlist_del_rcu(&orig->mcast_want_all_*_node). The second one will
+ cause memory corruption / crashes.
+ (Reported by: Sven Eckelmann <sven@narfation.org>)
+
+Right in the beginning the code path makes assumptions about the current
+multicast related state of an originator and bases all updates on that. The
+easiest and least error-prone way to fix the issues in this case is to
+serialize multiple mcast handler invocations with a spinlock.
+
+Fixes: 77ec494490d6 ("batman-adv: Announce new capability via multicast TVLV")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ multicast.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++-------------
+ originator.c | 4 ++++
+ types.h | 3 +++
+ 3 files changed, 56 insertions(+), 13 deletions(-)
+
+diff --git a/multicast.c b/multicast.c
+index 00612bf..b75bcc3 100644
+--- a/multicast.c
++++ b/multicast.c
+@@ -565,19 +565,26 @@ batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ *
+ * If the BATADV_MCAST_WANT_ALL_UNSNOOPABLES flag of this originator,
+ * orig, has toggled then this method updates counter and list accordingly.
++ *
++ * Caller needs to hold orig->mcast_handler_lock.
+ */
+ static void batadv_mcast_want_unsnoop_update(struct batadv_priv *bat_priv,
+ struct batadv_orig_node *orig,
+ uint8_t mcast_flags)
+ {
++ struct hlist_node *node = &orig->mcast_want_all_unsnoopables_node;
++ struct hlist_head *head = &bat_priv->mcast.want_all_unsnoopables_list;
++
+ /* switched from flag unset to set */
+ if (mcast_flags & BATADV_MCAST_WANT_ALL_UNSNOOPABLES &&
+ !(orig->mcast_flags & BATADV_MCAST_WANT_ALL_UNSNOOPABLES)) {
+ atomic_inc(&bat_priv->mcast.num_want_all_unsnoopables);
+
+ spin_lock_bh(&bat_priv->mcast.want_lists_lock);
+- hlist_add_head_rcu(&orig->mcast_want_all_unsnoopables_node,
+- &bat_priv->mcast.want_all_unsnoopables_list);
++ /* flag checks above + mcast_handler_lock prevents this */
++ BUG_ON(!hlist_unhashed(node));
++
++ hlist_add_head_rcu(node, head);
+ spin_unlock_bh(&bat_priv->mcast.want_lists_lock);
+ /* switched from flag set to unset */
+ } else if (!(mcast_flags & BATADV_MCAST_WANT_ALL_UNSNOOPABLES) &&
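Review bot: `BUG_ON(!hlist_unhashed(node));` halts the whole node on a condition that is only ever reached while processing received OGMs, so if the locking assumption is ever wrong again a malformed or racing neighbour announcement becomes a kernel panic rather than a stale want_all list. `if (!WARN_ON_ONCE(!hlist_unhashed(node))) hlist_add_head_rcu(node, head);` (and the mirror `if (!WARN_ON_ONCE(hlist_unhashed(node))) hlist_del_init_rcu(node);` in the unset branch) keeps the diagnostic and degrades gracefully. The same BUG_ON pattern appears in the other five sites of this file (@@ -585, -598, -618, -631, -651). The "flag checks above + mcast_handler_lock prevents this" comment should also name which caller holds the lock, since batadv_mcast_purge_orig now takes it as well.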
+@@ -585,7 +592,10 @@ static void batadv_mcast_want_unsnoop_update(struct batadv_priv *bat_priv,
+ atomic_dec(&bat_priv->mcast.num_want_all_unsnoopables);
+
+ spin_lock_bh(&bat_priv->mcast.want_lists_lock);
+- hlist_del_rcu(&orig->mcast_want_all_unsnoopables_node);
++ /* flag checks above + mcast_handler_lock prevents this */
++ BUG_ON(hlist_unhashed(node));
++
++ hlist_del_init_rcu(node);
+ spin_unlock_bh(&bat_priv->mcast.want_lists_lock);
+ }
+ }
+@@ -598,19 +608,26 @@ static void batadv_mcast_want_unsnoop_update(struct batadv_priv *bat_priv,
+ *
+ * If the BATADV_MCAST_WANT_ALL_IPV4 flag of this originator, orig, has
+ * toggled then this method updates counter and list accordingly.
++ *
++ * Caller needs to hold orig->mcast_handler_lock.
+ */
+ static void batadv_mcast_want_ipv4_update(struct batadv_priv *bat_priv,
+ struct batadv_orig_node *orig,
+ uint8_t mcast_flags)
+ {
++ struct hlist_node *node = &orig->mcast_want_all_ipv4_node;
++ struct hlist_head *head = &bat_priv->mcast.want_all_ipv4_list;
++
+ /* switched from flag unset to set */
+ if (mcast_flags & BATADV_MCAST_WANT_ALL_IPV4 &&
+ !(orig->mcast_flags & BATADV_MCAST_WANT_ALL_IPV4)) {
+ atomic_inc(&bat_priv->mcast.num_want_all_ipv4);
+
+ spin_lock_bh(&bat_priv->mcast.want_lists_lock);
+- hlist_add_head_rcu(&orig->mcast_want_all_ipv4_node,
+- &bat_priv->mcast.want_all_ipv4_list);
++ /* flag checks above + mcast_handler_lock prevents this */
++ BUG_ON(!hlist_unhashed(node));
++
++ hlist_add_head_rcu(node, head);
+ spin_unlock_bh(&bat_priv->mcast.want_lists_lock);
+ /* switched from flag set to unset */
+ } else if (!(mcast_flags & BATADV_MCAST_WANT_ALL_IPV4) &&
+@@ -618,7 +635,10 @@ static void batadv_mcast_want_ipv4_update(struct batadv_priv *bat_priv,
+ atomic_dec(&bat_priv->mcast.num_want_all_ipv4);
+
+ spin_lock_bh(&bat_priv->mcast.want_lists_lock);
+- hlist_del_rcu(&orig->mcast_want_all_ipv4_node);
++ /* flag checks above + mcast_handler_lock prevents this */
++ BUG_ON(hlist_unhashed(node));
++
++ hlist_del_init_rcu(node);
+ spin_unlock_bh(&bat_priv->mcast.want_lists_lock);
+ }
+ }
+@@ -631,19 +651,26 @@ static void batadv_mcast_want_ipv4_update(struct batadv_priv *bat_priv,
+ *
+ * If the BATADV_MCAST_WANT_ALL_IPV6 flag of this originator, orig, has
+ * toggled then this method updates counter and list accordingly.
++ *
++ * Caller needs to hold orig->mcast_handler_lock.
+ */
+ static void batadv_mcast_want_ipv6_update(struct batadv_priv *bat_priv,
+ struct batadv_orig_node *orig,
+ uint8_t mcast_flags)
+ {
++ struct hlist_node *node = &orig->mcast_want_all_ipv6_node;
++ struct hlist_head *head = &bat_priv->mcast.want_all_ipv6_list;
++
+ /* switched from flag unset to set */
+ if (mcast_flags & BATADV_MCAST_WANT_ALL_IPV6 &&
+ !(orig->mcast_flags & BATADV_MCAST_WANT_ALL_IPV6)) {
+ atomic_inc(&bat_priv->mcast.num_want_all_ipv6);
+
+ spin_lock_bh(&bat_priv->mcast.want_lists_lock);
+- hlist_add_head_rcu(&orig->mcast_want_all_ipv6_node,
+- &bat_priv->mcast.want_all_ipv6_list);
++ /* flag checks above + mcast_handler_lock prevents this */
++ BUG_ON(!hlist_unhashed(node));
++
++ hlist_add_head_rcu(node, head);
+ spin_unlock_bh(&bat_priv->mcast.want_lists_lock);
+ /* switched from flag set to unset */
+ } else if (!(mcast_flags & BATADV_MCAST_WANT_ALL_IPV6) &&
+@@ -651,7 +678,10 @@ static void batadv_mcast_want_ipv6_update(struct batadv_priv *bat_priv,
+ atomic_dec(&bat_priv->mcast.num_want_all_ipv6);
+
+ spin_lock_bh(&bat_priv->mcast.want_lists_lock);
+- hlist_del_rcu(&orig->mcast_want_all_ipv6_node);
++ /* flag checks above + mcast_handler_lock prevents this */
++ BUG_ON(hlist_unhashed(node));
++
++ hlist_del_init_rcu(node);
+ spin_unlock_bh(&bat_priv->mcast.want_lists_lock);
+ }
+ }
+@@ -674,6 +704,11 @@ static void batadv_mcast_tvlv_ogm_handler_v1(struct batadv_priv *bat_priv,
+ uint8_t mcast_flags = BATADV_NO_FLAGS;
+ bool orig_initialized;
+
++ if (orig_mcast_enabled && tvlv_value &&
++ (tvlv_value_len >= sizeof(mcast_flags)))
++ mcast_flags = *(uint8_t *)tvlv_value;
++
++ spin_lock_bh(&orig->mcast_handler_lock);
+ orig_initialized = orig->capa_initialized & BATADV_ORIG_CAPA_HAS_MCAST;
+
+ /* If mcast support is turned on decrease the disabled mcast node
+@@ -698,15 +733,12 @@ static void batadv_mcast_tvlv_ogm_handler_v1(struct batadv_priv *bat_priv,
+
+ set_bit(BATADV_ORIG_CAPA_HAS_MCAST, &orig->capa_initialized);
+
+- if (orig_mcast_enabled && tvlv_value &&
+- (tvlv_value_len >= sizeof(mcast_flags)))
+- mcast_flags = *(uint8_t *)tvlv_value;
+-
+ batadv_mcast_want_unsnoop_update(bat_priv, orig, mcast_flags);
+ batadv_mcast_want_ipv4_update(bat_priv, orig, mcast_flags);
+ batadv_mcast_want_ipv6_update(bat_priv, orig, mcast_flags);
+
+ orig->mcast_flags = mcast_flags;
++ spin_unlock_bh(&orig->mcast_handler_lock);
+ }
+
+ /**
+@@ -740,6 +772,8 @@ void batadv_mcast_purge_orig(struct batadv_orig_node *orig)
+ {
+ struct batadv_priv *bat_priv = orig->bat_priv;
+
++ spin_lock_bh(&orig->mcast_handler_lock);
++
+ if (!(orig->capabilities & BATADV_ORIG_CAPA_HAS_MCAST) &&
+ orig->capa_initialized & BATADV_ORIG_CAPA_HAS_MCAST)
+ atomic_dec(&bat_priv->mcast.num_disabled);
+@@ -747,4 +781,6 @@ void batadv_mcast_purge_orig(struct batadv_orig_node *orig)
+ batadv_mcast_want_unsnoop_update(bat_priv, orig, BATADV_NO_FLAGS);
+ batadv_mcast_want_ipv4_update(bat_priv, orig, BATADV_NO_FLAGS);
+ batadv_mcast_want_ipv6_update(bat_priv, orig, BATADV_NO_FLAGS);
++
++ spin_unlock_bh(&orig->mcast_handler_lock);
+ }
+diff --git a/originator.c b/originator.c
+index e3900e4..a2ba182 100644
+--- a/originator.c
++++ b/originator.c
+@@ -658,11 +658,15 @@ struct batadv_orig_node *batadv_orig_node_new(struct batadv_priv *bat_priv,
+ INIT_HLIST_HEAD(&orig_node->neigh_list);
+ INIT_LIST_HEAD(&orig_node->vlan_list);
+ INIT_HLIST_HEAD(&orig_node->ifinfo_list);
++ INIT_HLIST_NODE(&orig_node->mcast_want_all_unsnoopables_node);
++ INIT_HLIST_NODE(&orig_node->mcast_want_all_ipv4_node);
++ INIT_HLIST_NODE(&orig_node->mcast_want_all_ipv6_node);
+ spin_lock_init(&orig_node->bcast_seqno_lock);
+ spin_lock_init(&orig_node->neigh_list_lock);
+ spin_lock_init(&orig_node->tt_buff_lock);
+ spin_lock_init(&orig_node->tt_lock);
+ spin_lock_init(&orig_node->vlan_list_lock);
++ spin_lock_init(&orig_node->mcast_handler_lock);
+
+ batadv_nc_init_orig(orig_node);
+
+diff --git a/types.h b/types.h
+index c6ec558..65dc6bf 100644
+--- a/types.h
++++ b/types.h
+@@ -204,6 +204,7 @@ struct batadv_orig_bat_iv {
+ * @batadv_dat_addr_t: address of the orig node in the distributed hash
+ * @last_seen: time when last packet from this node was received
+ * @bcast_seqno_reset: time when the broadcast seqno window was reset
++ * @mcast_handler_lock: synchronizes mcast-capability and -flag changes
+ * @mcast_flags: multicast flags announced by the orig node
+ * @mcast_want_all_unsnoop_node: a list node for the
+ * mcast.want_all_unsnoopables list
+@@ -251,6 +252,8 @@ struct batadv_orig_node {
+ unsigned long last_seen;
+ unsigned long bcast_seqno_reset;
+ #ifdef CONFIG_BATMAN_ADV_MCAST
++ /* synchronizes mcast tvlv specific orig changes */
++ spinlock_t mcast_handler_lock;
+ uint8_t mcast_flags;
+ struct hlist_node mcast_want_all_unsnoopables_node;
+ struct hlist_node mcast_want_all_ipv4_node;
+--
+2.1.4
+
--- /dev/null
+From 256776ef8562744f90ac9379364df4cf88291b49 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Thu, 18 Jun 2015 06:47:19 +0200
+Subject: [PATCH 08/10] batman-adv: Fix compile error on deactivated MCAST
+ feature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some members of "struct batadv_orig_node" are not available if compiling
+without the multicast optimizations feature.
+
+Fix this by moving their initialization into the right #ifdef's.
+
+Fixes: 7f220ed1f063 ("batman-adv: Fix potential synchronization issues in mcast tvlv handler")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ originator.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/originator.c b/originator.c
+index a2ba182..a5276db 100644
+--- a/originator.c
++++ b/originator.c
+@@ -658,15 +658,11 @@ struct batadv_orig_node *batadv_orig_node_new(struct batadv_priv *bat_priv,
+ INIT_HLIST_HEAD(&orig_node->neigh_list);
+ INIT_LIST_HEAD(&orig_node->vlan_list);
+ INIT_HLIST_HEAD(&orig_node->ifinfo_list);
+- INIT_HLIST_NODE(&orig_node->mcast_want_all_unsnoopables_node);
+- INIT_HLIST_NODE(&orig_node->mcast_want_all_ipv4_node);
+- INIT_HLIST_NODE(&orig_node->mcast_want_all_ipv6_node);
+ spin_lock_init(&orig_node->bcast_seqno_lock);
+ spin_lock_init(&orig_node->neigh_list_lock);
+ spin_lock_init(&orig_node->tt_buff_lock);
+ spin_lock_init(&orig_node->tt_lock);
+ spin_lock_init(&orig_node->vlan_list_lock);
+- spin_lock_init(&orig_node->mcast_handler_lock);
+
+ batadv_nc_init_orig(orig_node);
+
+@@ -682,8 +678,13 @@ struct batadv_orig_node *batadv_orig_node_new(struct batadv_priv *bat_priv,
+ orig_node->last_seen = jiffies;
+ reset_time = jiffies - 1 - msecs_to_jiffies(BATADV_RESET_PROTECTION_MS);
+ orig_node->bcast_seqno_reset = reset_time;
++
+ #ifdef CONFIG_BATMAN_ADV_MCAST
+ orig_node->mcast_flags = BATADV_NO_FLAGS;
++ INIT_HLIST_NODE(&orig_node->mcast_want_all_unsnoopables_node);
++ INIT_HLIST_NODE(&orig_node->mcast_want_all_ipv4_node);
++ INIT_HLIST_NODE(&orig_node->mcast_want_all_ipv6_node);
++ spin_lock_init(&orig_node->mcast_handler_lock);
+ #endif
+
+ /* create a vlan object for the "untagged" LAN */
+--
+2.1.4
+
--- /dev/null
+From 2c2dfd886a400057ccbc66f1507c94ed909d2a89 Mon Sep 17 00:00:00 2001
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Tue, 9 Jun 2015 21:24:36 +0800
+Subject: [PATCH 09/10] batman-adv: fix kernel crash due to missing NULL checks
+
+batadv_softif_vlan_get() may return NULL which has to be verified
+by the caller.
+
+Fixes: 9729d20 ("batman-adv: fix TT VLAN inconsistency on VLAN re-add")
+
+Reported-by: Ryan Thompson <ryan@eero.com>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Acked-by: Antonio Quartulli <antonio@meshcoding.com>
+---
+ soft-interface.c | 3 +++
+ translation-table.c | 19 +++++++++++++++----
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/soft-interface.c b/soft-interface.c
+index da89336..7841a4b 100644
+--- a/soft-interface.c
++++ b/soft-interface.c
+@@ -455,6 +455,9 @@ out:
+ */
+ void batadv_softif_vlan_free_ref(struct batadv_softif_vlan *vlan)
+ {
++ if (!vlan)
++ return;
++
+ if (atomic_dec_and_test(&vlan->refcount)) {
+ spin_lock_bh(&vlan->bat_priv->softif_vlan_list_lock);
+ hlist_del_rcu(&vlan->list);
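Review bot: With `if (!vlan) return;` making batadv_softif_vlan_free_ref() NULL-tolerant, the caller-side `if (vlan) { ... }` guards added in the translation-table.c hunks (@@ -1147 and @@ -3188) of this same commit become redundant; keeping both conventions makes it unclear which one future callers should rely on. Either drop the callee guard and keep the explicit checks, or document the contract on the function (`/* NULL is accepted and ignored, mirroring kfree() */`) so the caller-side checks can go. A silent NULL return also hides callers that lost a reference they thought they held; a `WARN_ON_ONCE(!vlan)` would surface that without crashing.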
+diff --git a/translation-table.c b/translation-table.c
+index e95a424..807a4e6 100644
+--- a/translation-table.c
++++ b/translation-table.c
+@@ -26,6 +26,7 @@
+ #include "bridge_loop_avoidance.h"
+ #include "multicast.h"
+
++#include <linux/bug.h>
+ #include <linux/crc32c.h>
+
+ /* hash class keys */
+@@ -575,6 +576,9 @@ bool batadv_tt_local_add(struct net_device *soft_iface, const uint8_t *addr,
+
+ /* increase the refcounter of the related vlan */
+ vlan = batadv_softif_vlan_get(bat_priv, vid);
++ if (WARN(!vlan, "adding TT local entry %pM to non-existent VLAN %d",
++ addr, BATADV_PRINT_VID(vid)))
++ goto out;
+
+ batadv_dbg(BATADV_DBG_TT, bat_priv,
+ "Creating new local tt entry: %pM (vid: %d, ttvn: %d)\n",
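Review bot: `goto out;` on the WARN() path leaves whatever this function allocated before the VLAN lookup unreleased unless the out label cleans it up; the allocation of the new local entry and the out label are both outside the hunk, so please confirm tt_local is freed (with the matching allocator) and the pointer cleared before the jump, otherwise every add to a vanished VLAN leaks one entry. Since a remote peer cannot trigger this path directly (the VLAN comes from the local interface), WARN rather than WARN_ON_ONCE is acceptable, but the message should carry a newline: `"adding TT local entry %pM to non-existent VLAN %d\n"`. batadv_tt_local_add's body continues outside the hunk.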
+@@ -1047,6 +1051,9 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
+
+ /* decrease the reference held for this vlan */
+ vlan = batadv_softif_vlan_get(bat_priv, vid);
++ if (!vlan)
++ goto out;
++
+ batadv_softif_vlan_free_ref(vlan);
+ batadv_softif_vlan_free_ref(vlan);
+
+@@ -1147,8 +1154,10 @@ static void batadv_tt_local_table_free(struct batadv_priv *bat_priv)
+ /* decrease the reference held for this vlan */
+ vlan = batadv_softif_vlan_get(bat_priv,
+ tt_common_entry->vid);
+- batadv_softif_vlan_free_ref(vlan);
+- batadv_softif_vlan_free_ref(vlan);
++ if (vlan) {
++ batadv_softif_vlan_free_ref(vlan);
++ batadv_softif_vlan_free_ref(vlan);
++ }
+
+ batadv_tt_local_entry_free_ref(tt_local);
+ }
+@@ -3188,8 +3197,10 @@ static void batadv_tt_local_purge_pending_clients(struct batadv_priv *bat_priv)
+
+ /* decrease the reference held for this vlan */
+ vlan = batadv_softif_vlan_get(bat_priv, tt_common->vid);
+- batadv_softif_vlan_free_ref(vlan);
+- batadv_softif_vlan_free_ref(vlan);
++ if (vlan) {
++ batadv_softif_vlan_free_ref(vlan);
++ batadv_softif_vlan_free_ref(vlan);
++ }
+
+ batadv_tt_local_entry_free_ref(tt_local);
+ }
+--
+2.1.4
+
--- /dev/null
+From af912d77181f252e6fdd324592d006e30bc82909 Mon Sep 17 00:00:00 2001
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Wed, 17 Jun 2015 20:01:36 +0800
+Subject: [PATCH 10/10] batman-adv: protect tt_local_entry from concurrent
+ delete events
+
+The tt_local_entry deletion performed in batadv_tt_local_remove() was neither
+protecting against simultaneous deletes nor checking whether the element was
+still part of the list before calling hlist_del_rcu().
+
+Replacing the hlist_del_rcu() call with batadv_hash_remove() provides adequate
+protection via hash spinlocks as well as an is-element-still-in-hash check to
+avoid 'blind' hash removal.
+
+Fixes: 2443ba3 ("batman-adv: roaming handling mechanism redesign")
+
+Reported-by: alfonsname@web.de
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Acked-by: Antonio Quartulli <antonio@meshcoding.com>
+---
+ translation-table.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/translation-table.c b/translation-table.c
+index 807a4e6..dfe8896 100644
+--- a/translation-table.c
++++ b/translation-table.c
+@@ -1019,6 +1019,7 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
+ struct batadv_tt_local_entry *tt_local_entry;
+ uint16_t flags, curr_flags = BATADV_NO_FLAGS;
+ struct batadv_softif_vlan *vlan;
++ void *tt_entry_exists;
+
+ tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid);
+ if (!tt_local_entry)
+@@ -1046,7 +1047,15 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
+ * immediately purge it
+ */
+ batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL);
+- hlist_del_rcu(&tt_local_entry->common.hash_entry);
++
++ tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash,
++ batadv_compare_tt,
++ batadv_choose_tt,
++ &tt_local_entry->common);
++ if (!tt_entry_exists)
++ goto out;
++
++ /* extra call to free the local tt entry */
+ batadv_tt_local_entry_free_ref(tt_local_entry);
+
+ /* decrease the reference held for this vlan */
+--
+2.1.4
+