batman-adv: 2014.0.0 updated stability fixes
authorMarek Lindner <mareklindner@neomailbox.ch>
Sat, 15 Feb 2014 01:41:19 +0000 (09:41 +0800)
committerMarek Lindner <mareklindner@neomailbox.ch>
Sat, 15 Feb 2014 01:41:19 +0000 (09:41 +0800)
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
15 files changed:
batman-adv/Makefile
batman-adv/patches/0001-batman-adv-fix-batman-adv-header-overhead-calculatio.patch
batman-adv/patches/0002-batman-adv-fix-potential-kernel-paging-error-for-uni.patch
batman-adv/patches/0003-batman-adv-fix-soft-interface-MTU-computation.patch
batman-adv/patches/0004-batman-adv-fix-TT-TVLV-parsing-on-OGM-reception.patch
batman-adv/patches/0005-batman-adv-release-vlan-object-after-checking-the-CR.patch
batman-adv/patches/0006-batman-adv-properly-check-pskb_may_pull-return-value.patch [new file with mode: 0644]
batman-adv/patches/0007-batman-adv-remove-useless-assignment.patch [new file with mode: 0644]
batman-adv/patches/0007-batman-adv-use-vlan_-eth_hdr-instead-of-skb-data-in-.patch [deleted file]
batman-adv/patches/0008-batman-adv-backport-eth_hdr-compat-fix-to-avoid-kern.patch [new file with mode: 0644]
batman-adv/patches/0009-batman-adv-fix-potential-orig_node-reference-leak.patch [new file with mode: 0644]
batman-adv/patches/0010-batman-adv-fix-memory-access-by-setting-mac_header-i.patch [new file with mode: 0644]
batman-adv/patches/0011-batman-adv-fix-TT-CRC-computation-by-ensuring-byte-o.patch [new file with mode: 0644]
batman-adv/patches/0012-batman-adv-free-skb-on-TVLV-parsing-success.patch [new file with mode: 0644]
batman-adv/patches/0013-batman-adv-avoid-double-free-when-orig_node-initiali.patch [new file with mode: 0644]

index 4bfbe54..1054ae6 100644 (file)
@@ -12,7 +12,7 @@ PKG_NAME:=batman-adv
 
 PKG_VERSION:=2014.0.0
 BATCTL_VERSION:=2014.0.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_MD5SUM:=8d58ecaede17dc05aab1b549dc09fa7d
 BATCTL_MD5SUM:=b0bcf29fef80ddcc33769e13f5937d0a
 
index 31c2218..771a0e0 100644 (file)
@@ -1,7 +1,7 @@
 From 746d6436f88899a79c1cb3b27af0614510368bb7 Mon Sep 17 00:00:00 2001
 From: Marek Lindner <mareklindner@neomailbox.ch>
 Date: Wed, 15 Jan 2014 20:31:18 +0800
-Subject: [PATCH 1/5] batman-adv: fix batman-adv header overhead calculation
+Subject: [PATCH 01/13] batman-adv: fix batman-adv header overhead calculation
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -34,5 +34,5 @@ index 4547bf0..fd85205 100644
  
  /**
 -- 
-1.8.5.3
+1.9.0.rc3
 
index 30f5f55..66a0d14 100644 (file)
@@ -1,8 +1,8 @@
 From 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@web.de>
 Date: Mon, 20 Jan 2014 11:06:44 +0100
-Subject: [PATCH 2/5] batman-adv: fix potential kernel paging error for unicast
- transmissions
+Subject: [PATCH 02/13] batman-adv: fix potential kernel paging error for
unicast transmissions
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -40,5 +40,5 @@ index b0a3d76..2035bd9 100644
  
        /* inform the destination node that we are still missing a correct route
 -- 
-1.8.5.3
+1.9.0.rc3
 
index ac718c0..636adff 100644 (file)
@@ -1,7 +1,7 @@
 From 2b108ccd0533e1375e44c73ec58c69dde9a71687 Mon Sep 17 00:00:00 2001
 From: Antonio Quartulli <antonio@meshcoding.com>
 Date: Tue, 21 Jan 2014 11:22:05 +0100
-Subject: [PATCH 3/5] batman-adv: fix soft-interface MTU computation
+Subject: [PATCH 03/13] batman-adv: fix soft-interface MTU computation
 
 The current MTU computation always returns a value
 smaller than 1500bytes even if the real interfaces
@@ -71,5 +71,5 @@ index 6792e03..0eb0b3b 100644
  
  /* adjusts the MTU if a new interface with a smaller MTU appeared. */
 -- 
-1.8.5.3
+1.9.0.rc3
 
index d34225f..abb6f9b 100644 (file)
@@ -1,7 +1,7 @@
 From db13d361ff6abf57090acfdeb0f5cedd8dd7f02e Mon Sep 17 00:00:00 2001
 From: Antonio Quartulli <antonio@meshcoding.com>
 Date: Mon, 27 Jan 2014 12:23:28 +0100
-Subject: [PATCH 4/5] batman-adv: fix TT-TVLV parsing on OGM reception
+Subject: [PATCH 04/13] batman-adv: fix TT-TVLV parsing on OGM reception
 
 When accessing a TT-TVLV container in the OGM RX path
 the variable pointing to the list of changes to apply is
@@ -31,5 +31,5 @@ index 3fca99d..45b6155 100644
                                         ttvn, tt_change);
  
 -- 
-1.8.5.3
+1.9.0.rc3
 
index 58b95e8..d8cab28 100644 (file)
@@ -1,7 +1,7 @@
 From dc08c045b46bdd9a5c81068a89f9f2a78d3d4bbd Mon Sep 17 00:00:00 2001
 From: Antonio Quartulli <antonio@meshcoding.com>
 Date: Tue, 28 Jan 2014 02:06:47 +0100
-Subject: [PATCH 5/5] batman-adv: release vlan object after checking the CRC
+Subject: [PATCH 05/13] batman-adv: release vlan object after checking the CRC
 
 There is a refcounter unbalance in the CRC checking routine
 invoked on OGM reception. A vlan object is retrieved (thus
@@ -46,5 +46,5 @@ index 45b6155..05c2a9b 100644
        }
  
 -- 
-1.8.5.3
+1.9.0.rc3
 
diff --git a/batman-adv/patches/0006-batman-adv-properly-check-pskb_may_pull-return-value.patch b/batman-adv/patches/0006-batman-adv-properly-check-pskb_may_pull-return-value.patch
new file mode 100644 (file)
index 0000000..daf15af
--- /dev/null
@@ -0,0 +1,34 @@
+From eabdc3175b1d119cd673f36d06264cddb4803ace Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@meshcoding.com>
+Date: Thu, 30 Jan 2014 00:12:24 +0100
+Subject: [PATCH 06/13] batman-adv: properly check pskb_may_pull return value
+
+pskb_may_pull() returns 1 on success and 0 in case of failure,
+therefore checking for the return value being negative does
+not make sense at all.
+
+This way if the function fails we will probably read beyond the current
+skb data buffer. Fix this by doing the proper check.
+
+Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ routing.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/routing.c b/routing.c
+index f28920f..f7579d0 100644
+--- a/routing.c
++++ b/routing.c
+@@ -833,7 +833,7 @@ static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
+       int is_old_ttvn;
+       /* check if there is enough data before accessing it */
+-      if (pskb_may_pull(skb, hdr_len + ETH_HLEN) < 0)
++      if (!pskb_may_pull(skb, hdr_len + ETH_HLEN))
+               return 0;
+       /* create a copy of the skb (in case of for re-routing) to modify it. */
+-- 
+1.9.0.rc3
+
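Review bot: The comment above the corrected `pskb_may_pull()` check does not record that the call can reallocate the skb head, so any pointer into `skb->data` taken before it would be stale afterwards. The hunk shows only `int is_old_ttvn;` ahead of the check, and the places where batadv_check_unicast_ttvn assigns its header pointers are outside the hunk, so this should be confirmed against the full function. I would extend the comment to `/* check if there is enough data before accessing it; pskb_may_pull() may move skb->data, so take header pointers only after this point */`.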
diff --git a/batman-adv/patches/0007-batman-adv-remove-useless-assignment.patch b/batman-adv/patches/0007-batman-adv-remove-useless-assignment.patch
new file mode 100644 (file)
index 0000000..c9bf294
--- /dev/null
@@ -0,0 +1,30 @@
+From 9a91d33c0ea234faf59ee7543d5253e6809a6b6f Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@meshcoding.com>
+Date: Thu, 30 Jan 2014 13:57:27 +0100
+Subject: [PATCH 07/13] batman-adv: remove useless assignment
+
+Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb
+   ("batman-adv: fix potential kernel paging error for unicast transmissions")
+
+Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ send.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/send.c b/send.c
+index 2035bd9..75be770 100644
+--- a/send.c
++++ b/send.c
+@@ -256,7 +256,7 @@ static int batadv_send_skb_unicast(struct batadv_priv *bat_priv,
+                                  struct batadv_orig_node *orig_node,
+                                  unsigned short vid)
+ {
+-      struct ethhdr *ethhdr = (struct ethhdr *)skb->data;
++      struct ethhdr *ethhdr;
+       struct batadv_unicast_packet *unicast_packet;
+       int ret = NET_XMIT_DROP;
+-- 
+1.9.0.rc3
+
diff --git a/batman-adv/patches/0007-batman-adv-use-vlan_-eth_hdr-instead-of-skb-data-in-.patch b/batman-adv/patches/0007-batman-adv-use-vlan_-eth_hdr-instead-of-skb-data-in-.patch
deleted file mode 100644 (file)
index 56fee68..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From f9170f22998a276e04b4c7d91da4c373609d28b3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@web.de>
-Date: Sun, 19 Jan 2014 22:22:45 +0100
-Subject: [PATCH] batman-adv: use vlan_/eth_hdr() instead of skb->data in
- interface_tx path
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Our .ndo_start_xmit handler (batadv_interface_tx()) can rely on having
-the skb mac header pointer set correctly since the following commit
-present in kernels >= 3.9:
-
-"net: reset mac header in dev_start_xmit()" (6d1ccff627)
-
-Therefore we can safely use eth_hdr() and vlan_eth_hdr() instead of
-skb->data now, which spares us some ugly type casts.
-
-Signed-off-by: Linus Lüssing <linus.luessing@web.de>
-Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
----
- compat.h | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/compat.h b/compat.h
-index 57c9d96..9692ed2 100644
---- a/compat.h
-+++ b/compat.h
-@@ -302,6 +302,17 @@ static int batadv_interface_set_mac_addr(struct net_device *dev, void *p) \
- }\
- static int __batadv_interface_set_mac_addr(x, y)
-+#define batadv_interface_tx(x, y) \
-+__batadv_interface_tx(struct sk_buff *skb, struct net_device *soft_iface); \
-+static int batadv_interface_tx(struct sk_buff *skb, \
-+                             struct net_device *soft_iface) \
-+{ \
-+      skb_reset_mac_header(skb); \
-+      return __batadv_interface_tx(skb, soft_iface); \
-+} \
-+static int __batadv_interface_tx(struct sk_buff *skb, \
-+                               struct net_device *soft_iface)
-+
- #define netdev_master_upper_dev_link netdev_set_master
- #define netdev_upper_dev_unlink(slave, master) netdev_set_master(slave, NULL)
- #define netdev_master_upper_dev_get(dev) \
--- 
-1.8.5.3
-
diff --git a/batman-adv/patches/0008-batman-adv-backport-eth_hdr-compat-fix-to-avoid-kern.patch b/batman-adv/patches/0008-batman-adv-backport-eth_hdr-compat-fix-to-avoid-kern.patch
new file mode 100644 (file)
index 0000000..a84f4bb
--- /dev/null
@@ -0,0 +1,43 @@
+From b921e8f70aa929766856decfe79ee8e78ba21e23 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@web.de>
+Date: Sun, 2 Feb 2014 22:53:11 +0800
+Subject: [PATCH 08/13] batman-adv: backport eth_hdr() compat fix to avoid
+ kernel oops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb
+   ("batman-adv: fix potential kernel paging error for unicast transmissions")
+
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+CC: Linus Lüssing <linus.luessing@web.de>
+---
+ compat.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/compat.h b/compat.h
+index a4ab202..deea92b 100644
+--- a/compat.h
++++ b/compat.h
+@@ -289,6 +289,17 @@ static int batadv_interface_set_mac_addr(struct net_device *dev, void *p) \
+ }\
+ static int __batadv_interface_set_mac_addr(x, y)
++#define batadv_interface_tx(x, y) \
++__batadv_interface_tx(struct sk_buff *skb, struct net_device *soft_iface); \
++static int batadv_interface_tx(struct sk_buff *skb, \
++                             struct net_device *soft_iface) \
++{ \
++      skb_reset_mac_header(skb); \
++      return __batadv_interface_tx(skb, soft_iface); \
++} \
++static int __batadv_interface_tx(struct sk_buff *skb, \
++                               struct net_device *soft_iface)
++
+ #define netdev_master_upper_dev_link netdev_set_master
+ #define netdev_upper_dev_unlink(slave, master) netdev_set_master(slave, NULL)
+ #define netdev_master_upper_dev_get(dev) \
+-- 
+1.9.0.rc3
+
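Review bot: The added `batadv_interface_tx(x, y)` wrapper has no comment saying why it calls `skb_reset_mac_header(skb)`, and the patch description only names the commit that introduced the oops. The patch this one replaces gave the reason: kernels before 3.9 lack "net: reset mac header in dev_start_xmit()", so `eth_hdr()` and `vlan_eth_hdr()` cannot be trusted in the xmit handler there. I would put that above the macro, e.g. `/* kernels < 3.9 do not reset the mac header before ndo_start_xmit; do it here so eth_hdr()/vlan_eth_hdr() are valid */`. The version guard that encloses this macro is outside the hunk and should be checked against that wording. The same comment should mention that the macro ignores `x` and `y` and hard-codes the parameter names `skb` and `soft_iface`.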
diff --git a/batman-adv/patches/0009-batman-adv-fix-potential-orig_node-reference-leak.patch b/batman-adv/patches/0009-batman-adv-fix-potential-orig_node-reference-leak.patch
new file mode 100644 (file)
index 0000000..ac48bb9
--- /dev/null
@@ -0,0 +1,34 @@
+From cb4d66e6803b854663ee758e3eecbda183b0b007 Mon Sep 17 00:00:00 2001
+From: Simon Wunderlich <sw@simonwunderlich.de>
+Date: Sat, 8 Feb 2014 16:45:06 +0100
+Subject: [PATCH 09/13] batman-adv: fix potential orig_node reference leak
+
+Since batadv_orig_node_new() sets the refcount to two, assuming that
+the calling function will use a reference for putting the orig_node into
+a hash or similar, both references must be freed if initialization of
+the orig_node fails. Otherwise that object may be leaked in that error
+case.
+
+Reported-by: Antonio Quartulli <antonio@meshcoding.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ bat_iv_ogm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/bat_iv_ogm.c b/bat_iv_ogm.c
+index 6f4fcdc..c07e59f 100644
+--- a/bat_iv_ogm.c
++++ b/bat_iv_ogm.c
+@@ -256,6 +256,8 @@ batadv_iv_ogm_orig_get(struct batadv_priv *bat_priv, const uint8_t *addr)
+ free_bcast_own:
+       kfree(orig_node->bat_iv.bcast_own);
+ free_orig_node:
++      /* free twice, as batadv_orig_node_new sets refcount to 2 */
++      batadv_orig_node_free_ref(orig_node);
+       batadv_orig_node_free_ref(orig_node);
+       return NULL;
+-- 
+1.9.0.rc3
+
diff --git a/batman-adv/patches/0010-batman-adv-fix-memory-access-by-setting-mac_header-i.patch b/batman-adv/patches/0010-batman-adv-fix-memory-access-by-setting-mac_header-i.patch
new file mode 100644 (file)
index 0000000..af29228
--- /dev/null
@@ -0,0 +1,44 @@
+From df99b07081eeda5cca292afe2dcc5cb3bf5be154 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@meshcoding.com>
+Date: Tue, 11 Feb 2014 11:26:43 +0100
+Subject: [PATCH 10/13] batman-adv: fix memory access by setting mac_header in
+ DAT
+
+In the TX path we now have functions that rely on the
+skb->mac_header field. DAT does not set such field when
+creating its own ARP packets thus leading to wrong memory
+access.
+
+Fix it by always setting the mac_header after having forged
+the ARP packet.
+
+Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb
+("batman-adv: fix potential kernel paging error for unicast transmissions")
+
+Reported-by: Russel Senior <russell@personaltelco.net>
+Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
+Tested-by: Russel Senior <russell@personaltelco.net>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ distributed-arp-table.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/distributed-arp-table.c b/distributed-arp-table.c
+index 6da587a..0b69b61 100644
+--- a/distributed-arp-table.c
++++ b/distributed-arp-table.c
+@@ -1028,6 +1028,11 @@ bool batadv_dat_snoop_incoming_arp_request(struct batadv_priv *bat_priv,
+       if (!skb_new)
+               goto out;
++      /* the rest of the TX path assumes that the mac_header offset pointing
++       * to the inner Ethernet header has been set, therefore reset it now.
++       */
++      skb_reset_mac_header(skb_new);
++
+       if (vid & BATADV_VLAN_HAS_TAG)
+               skb_new = vlan_insert_tag(skb_new, htons(ETH_P_8021Q),
+                                         vid & VLAN_VID_MASK);
+-- 
+1.9.0.rc3
+
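Review bot: `vlan_insert_tag()` on the lines right after the added reset frees the skb and returns NULL when it cannot make headroom for the tag, and the hunk ends before any check of `skb_new` is visible. If the code that follows (outside the hunk) hands `skb_new` to the send path unchecked, a failed tag insertion becomes a NULL dereference in the same TX path this patch is hardening. I would add `if (!skb_new) goto out;` after the call, provided the `out` label does not itself touch `skb_new`. Resetting the mac header before the tag is inserted is the right order, since the insertion shifts the header together with the data.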
diff --git a/batman-adv/patches/0011-batman-adv-fix-TT-CRC-computation-by-ensuring-byte-o.patch b/batman-adv/patches/0011-batman-adv-fix-TT-CRC-computation-by-ensuring-byte-o.patch
new file mode 100644 (file)
index 0000000..c4281a5
--- /dev/null
@@ -0,0 +1,82 @@
+From be4385eacf30ad55a5cf4574768624ce8141a0c7 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@open-mesh.com>
+Date: Tue, 11 Feb 2014 17:05:06 +0100
+Subject: [PATCH 11/13] batman-adv: fix TT CRC computation by ensuring byte
+ order
+
+When computing the CRC on a 2byte variable the order of
+the bytes obviously alters the final result. This means
+that computing the CRC over the same value on two archs
+having different endianess leads to different numbers.
+
+The global and local translation table CRC computation
+routine makes this mistake while processing the clients
+VIDs. The result is a continuous CRC mismatching between
+nodes having different endianess.
+
+Fix this by converting the VID to Network Order before
+processing it. This guarantees that every node uses the same
+byte order.
+
+Introduced by 21a57f6e7a3b4455dfe68ee07a7b901d9e7f200b
+("batman-adv: make the TT CRC logic VLAN specific")
+
+Reported-by: Russel Senior <russell@personaltelco.net>
+Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
+Tested-by: Russell Senior <russell@personaltelco.net>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ translation-table.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/translation-table.c b/translation-table.c
+index 05c2a9b..24e3267 100644
+--- a/translation-table.c
++++ b/translation-table.c
+@@ -1961,6 +1961,7 @@ static uint32_t batadv_tt_global_crc(struct batadv_priv *bat_priv,
+       struct hlist_head *head;
+       uint32_t i, crc_tmp, crc = 0;
+       uint8_t flags;
++      __be16 tmp_vid;
+       for (i = 0; i < hash->size; i++) {
+               head = &hash->table[i];
+@@ -1997,8 +1998,11 @@ static uint32_t batadv_tt_global_crc(struct batadv_priv *bat_priv,
+                                                            orig_node))
+                               continue;
+-                      crc_tmp = crc32c(0, &tt_common->vid,
+-                                       sizeof(tt_common->vid));
++                      /* use network order to read the VID: this ensures that
++                       * every node reads the bytes in the same order.
++                       */
++                      tmp_vid = htons(tt_common->vid);
++                      crc_tmp = crc32c(0, &tmp_vid, sizeof(tmp_vid));
+                       /* compute the CRC on flags that have to be kept in sync
+                        * among nodes
+@@ -2032,6 +2036,7 @@ static uint32_t batadv_tt_local_crc(struct batadv_priv *bat_priv,
+       struct hlist_head *head;
+       uint32_t i, crc_tmp, crc = 0;
+       uint8_t flags;
++      __be16 tmp_vid;
+       for (i = 0; i < hash->size; i++) {
+               head = &hash->table[i];
+@@ -2050,8 +2055,11 @@ static uint32_t batadv_tt_local_crc(struct batadv_priv *bat_priv,
+                       if (tt_common->flags & BATADV_TT_CLIENT_NEW)
+                               continue;
+-                      crc_tmp = crc32c(0, &tt_common->vid,
+-                                       sizeof(tt_common->vid));
++                      /* use network order to read the VID: this ensures that
++                       * every node reads the bytes in the same order.
++                       */
++                      tmp_vid = htons(tt_common->vid);
++                      crc_tmp = crc32c(0, &tmp_vid, sizeof(tmp_vid));
+                       /* compute the CRC on flags that have to be kept in sync
+                        * among nodes
+-- 
+1.9.0.rc3
+
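Review bot: Feeding `htons(tt_common->vid)` to `crc32c()` changes the value that little-endian nodes compute whenever the two bytes of the VID differ. A patched and an unpatched little-endian node will therefore disagree on the TT CRC for such entries. Neither the description nor the new comment says this, so a mixed mesh would show the same continuous mismatch the patch sets out to fix. The description should state that nodes need to be upgraded together. The same four added lines appear in both batadv_tt_global_crc and batadv_tt_local_crc, and a small static helper that takes the VID and returns the initial CRC would keep the two routines from drifting apart again.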
diff --git a/batman-adv/patches/0012-batman-adv-free-skb-on-TVLV-parsing-success.patch b/batman-adv/patches/0012-batman-adv-free-skb-on-TVLV-parsing-success.patch
new file mode 100644 (file)
index 0000000..9d9dc8d
--- /dev/null
@@ -0,0 +1,37 @@
+From 9289542085d7e298b90c7b6fb6efb509dab69d8b Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@open-mesh.com>
+Date: Tue, 11 Feb 2014 17:05:07 +0100
+Subject: [PATCH 12/13] batman-adv: free skb on TVLV parsing success
+
+When the TVLV parsing routine succeed the skb is left
+untouched thus leading to a memory leak.
+
+Fix this by consuming the skb in case of success.
+
+Introduced by 0b6aa0d43767889eeda43a132cf5e73df4e63bf2
+("batman-adv: tvlv - basic infrastructure")
+
+Reported-by: Russel Senior <russell@personaltelco.net>
+Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
+Tested-by: Russell Senior <russell@personaltelco.net>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ routing.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/routing.c b/routing.c
+index f7579d0..71bf698 100644
+--- a/routing.c
++++ b/routing.c
+@@ -1063,6 +1063,8 @@ int batadv_recv_unicast_tvlv(struct sk_buff *skb,
+       if (ret != NET_RX_SUCCESS)
+               ret = batadv_route_unicast_packet(skb, recv_if);
++      else
++              consume_skb(skb);
+       return ret;
+ }
+-- 
+1.9.0.rc3
+
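Review bot: The added `consume_skb(skb)` fixes the leak on the success branch, but nothing in the visible code says who owns `skb` on each return path of batadv_recv_unicast_tvlv. I would add a comment before the `if`, such as `/* TVLV handled locally: we are done with the skb, release it; otherwise pass ownership to the routing code */`. Releasing here is only safe if no TVLV handler keeps a pointer into the skb data after it returns, which the hunk does not show. The function begins outside the hunk, so the earlier return paths should be checked for the same ownership question.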
diff --git a/batman-adv/patches/0013-batman-adv-avoid-double-free-when-orig_node-initiali.patch b/batman-adv/patches/0013-batman-adv-avoid-double-free-when-orig_node-initiali.patch
new file mode 100644 (file)
index 0000000..03d9b86
--- /dev/null
@@ -0,0 +1,47 @@
+From d4acda1cb9cca135e7b91777bb2680518b3cffa0 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@meshcoding.com>
+Date: Sat, 15 Feb 2014 02:17:20 +0100
+Subject: [PATCH 13/13] batman-adv: avoid double free when orig_node
+ initialization fails
+
+In the failure path of the orig_node initialization routine
+the orig_node->bat_iv.bcast_own field is free'd twice: first
+in batadv_iv_ogm_orig_get() and then later in
+batadv_orig_node_free_rcu().
+
+Fix it by removing the kfree in batadv_iv_ogm_orig_get().
+
+Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ bat_iv_ogm.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/bat_iv_ogm.c b/bat_iv_ogm.c
+index c07e59f..fdf4322 100644
+--- a/bat_iv_ogm.c
++++ b/bat_iv_ogm.c
+@@ -243,18 +243,16 @@ batadv_iv_ogm_orig_get(struct batadv_priv *bat_priv, const uint8_t *addr)
+       size = bat_priv->num_ifaces * sizeof(uint8_t);
+       orig_node->bat_iv.bcast_own_sum = kzalloc(size, GFP_ATOMIC);
+       if (!orig_node->bat_iv.bcast_own_sum)
+-              goto free_bcast_own;
++              goto free_orig_node;
+       hash_added = batadv_hash_add(bat_priv->orig_hash, batadv_compare_orig,
+                                    batadv_choose_orig, orig_node,
+                                    &orig_node->hash_entry);
+       if (hash_added != 0)
+-              goto free_bcast_own;
++              goto free_orig_node;
+       return orig_node;
+-free_bcast_own:
+-      kfree(orig_node->bat_iv.bcast_own);
+ free_orig_node:
+       /* free twice, as batadv_orig_node_new sets refcount to 2 */
+       batadv_orig_node_free_ref(orig_node);
+-- 
+1.9.0.rc3
+
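Review bot: With the `free_bcast_own` label removed, the error path relies entirely on the final `batadv_orig_node_free_ref()` to release `bat_iv.bcast_own` and `bat_iv.bcast_own_sum`, and the comment at `free_orig_node` does not say so. The description states that batadv_orig_node_free_rcu() frees `bcast_own`. Whether it also frees `bcast_own_sum` is not visible here and should be confirmed, because a failed `batadv_hash_add()` now reaches the label with both buffers allocated. I would extend the comment to `/* free twice, as batadv_orig_node_new sets refcount to 2; the bcast_own buffers are released by batadv_orig_node_free_rcu() */` so a later change does not reintroduce the kfree. The function begins outside the hunk.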