--- /dev/null
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Wed, 24 Apr 2019 03:19:14 +0200
+Subject: batman-adv: mcast: fix multicast tt/tvlv worker locking
+
+Syzbot has reported some issues with the locking assumptions made for
+the multicast tt/tvlv worker: It was able to trigger the WARN_ON() in
+batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add().
+While hard/not reproduceable for us so far it seems that the
+delayed_work_pending() we use might not be quite safe from reordering.
+
+Therefore this patch adds an explicit, new spinlock to protect the
+update of the mla_list and flags in bat_priv and then removes the
+WARN_ON(delayed_work_pending()).
+
+Reported-by: syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com
+Reported-by: syzbot+050927a651272b145a5d@syzkaller.appspotmail.com
+Reported-by: syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com
+Reported-by: syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com
+Fixes: 40b384052672 ("batman-adv: Use own timer for multicast TT and TVLV updates")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/b736cf8119cfbc9d95fef90c8832fdec6e8f29c7
+
+diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c
+index 53b329d24461819b4cf0d4118cfa5b0eb8d7261b..0286c651468443197434ccf0fcf25aaa66a0c7e9 100644
+--- a/net/batman-adv/main.c
++++ b/net/batman-adv/main.c
+@@ -160,6 +160,7 @@ int batadv_mesh_init(struct net_device *soft_iface)
+ spin_lock_init(&bat_priv->tt.commit_lock);
+ spin_lock_init(&bat_priv->gw.list_lock);
+ #ifdef CONFIG_BATMAN_ADV_MCAST
++ spin_lock_init(&bat_priv->mcast.mla_lock);
+ spin_lock_init(&bat_priv->mcast.want_lists_lock);
+ #endif
+ spin_lock_init(&bat_priv->tvlv.container_list_lock);
+diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
+index a35f597e8c8bf4f15ad0f01aff29849d2bebe36f..39640d3d6fbdf8244344db6e79f2d769eb0972d9 100644
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -325,8 +325,6 @@ static void batadv_mcast_mla_list_free(struct hlist_head *mcast_list)
+ * translation table except the ones listed in the given mcast_list.
+ *
+ * If mcast_list is NULL then all are retracted.
+- *
+- * Do not call outside of the mcast worker! (or cancel mcast worker first)
+ */
+ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
+ struct hlist_head *mcast_list)
+@@ -334,8 +332,6 @@ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
+ struct batadv_hw_addr *mcast_entry;
+ struct hlist_node *tmp;
+
+- WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
+-
+ hlist_for_each_entry_safe(mcast_entry, tmp, &bat_priv->mcast.mla_list,
+ list) {
+ if (mcast_list &&
+@@ -359,8 +355,6 @@ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
+ *
+ * Adds multicast listener announcements from the given mcast_list to the
+ * translation table if they have not been added yet.
+- *
+- * Do not call outside of the mcast worker! (or cancel mcast worker first)
+ */
+ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv,
+ struct hlist_head *mcast_list)
+@@ -368,8 +362,6 @@ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv,
+ struct batadv_hw_addr *mcast_entry;
+ struct hlist_node *tmp;
+
+- WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
+-
+ if (!mcast_list)
+ return;
+
+@@ -658,7 +650,10 @@ static void batadv_mcast_mla_update(struct work_struct *work)
+ priv_mcast = container_of(delayed_work, struct batadv_priv_mcast, work);
+ bat_priv = container_of(priv_mcast, struct batadv_priv, mcast);
+
++ spin_lock(&bat_priv->mcast.mla_lock);
+ __batadv_mcast_mla_update(bat_priv);
++ spin_unlock(&bat_priv->mcast.mla_lock);
++
+ batadv_mcast_start_timer(bat_priv);
+ }
+
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index 476b052ad9824d4cbcd6218dce40b603e3400fd2..6d07898d8d1a21007b3e68d5d2511b478110f659 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -1215,6 +1215,11 @@ struct batadv_priv_mcast {
+ /** @num_disabled: number of nodes that have no mcast tvlv */
+ atomic_t num_disabled;
+
++ /**
++ * @mla_lock: a lock protecting mla_list and mla_flags
++ */
++ spinlock_t mla_lock;
++
+ /**
+ * @num_want_all_unsnoopables: number of nodes wanting unsnoopable IP
+ * traffic
--- /dev/null
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Tue, 21 May 2019 20:58:57 +0100
+Subject: batman-adv: fix for leaked TVLV handler.
+
+A handler for BATADV_TVLV_ROAM was being registered when the
+translation-table was initialized, but not unregistered when the
+translation-table was freed. Unregister it.
+
+Fixes: 3de4e64df0f1 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets")
+Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/87445d81c360a5f9833546114e98ffd2c1fd3a4d
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 554fd886e652c7c206ff43a5627d342ccbcc2123..c29aadc5bd8b2020ba67779c517cc1e4ea9f6569 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -3821,6 +3821,8 @@ static void batadv_tt_purge(struct work_struct *work)
+ */
+ void batadv_tt_free(struct batadv_priv *bat_priv)
+ {
++ batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1);
++
+ batadv_tvlv_container_unregister(bat_priv, BATADV_TVLV_TT, 1);
+ batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_TT, 1);
+
projects / feed / routing.git / commitdiff