From a424cd5a2c956ef1f0353d7e5f2b7fbc4af7d2d8 Mon Sep 17 00:00:00 2001
From: Simon Wunderlich <simon@open-mesh.com>
Date: Wed, 26 Mar 2014 15:46:21 +0100
-Subject: [PATCH 1/6] batman-adv: fix neigh_ifinfo imbalance
+Subject: [PATCH 1/9] batman-adv: fix neigh_ifinfo imbalance
The neigh_ifinfo object must be freed if it has been used in
batadv_iv_ogm_process_per_outif().
batadv_neigh_node_free_ref(router);
if (router_router)
--
-1.9.0
+2.0.0.rc2
From cdd09f69871ce8c98b8ae9fa0583f73938768943 Mon Sep 17 00:00:00 2001
From: Simon Wunderlich <simon@open-mesh.com>
Date: Wed, 26 Mar 2014 15:46:22 +0100
-Subject: [PATCH 2/6] batman-adv: fix neigh reference imbalance
+Subject: [PATCH 2/9] batman-adv: fix neigh reference imbalance
When an interface is removed from batman-adv, the orig_ifinfo of a
orig_node may be removed without releasing the router first.
}
--
-1.9.0
+2.0.0.rc2
From 72125152cc46e55793329984428032769648904e Mon Sep 17 00:00:00 2001
From: Simon Wunderlich <simon@open-mesh.com>
Date: Wed, 26 Mar 2014 15:46:23 +0100
-Subject: [PATCH 3/6] batman-adv: always run purge_orig_neighbors
+Subject: [PATCH 3/9] batman-adv: always run purge_orig_neighbors
The current code will not execute batadv_purge_orig_neighbors() when an
orig_ifinfo has already been purged. However we need to run it in any
/* first for NULL ... */
--
-1.9.0
+2.0.0.rc2
From 9b9cdbe28e2b9c8bdf9c761f22ba9655963d13d4 Mon Sep 17 00:00:00 2001
From: Simon Wunderlich <simon@open-mesh.com>
Date: Wed, 26 Mar 2014 15:46:24 +0100
-Subject: [PATCH 4/6] batman-adv: fix removing neigh_ifinfo
+Subject: [PATCH 4/9] batman-adv: fix removing neigh_ifinfo
When an interface is removed separately, all neighbors need to be
checked if they have a neigh_ifinfo structure for that particular
}
--
-1.9.0
+2.0.0.rc2
From 1c2e700fa93e6de3a2ae3725cf437504683b894a Mon Sep 17 00:00:00 2001
From: Antonio Quartulli <antonio@open-mesh.com>
Date: Sat, 29 Mar 2014 17:27:38 +0100
-Subject: [PATCH 5/6] batman-adv: fix local TT check for outgoing arp requests
+Subject: [PATCH 5/9] batman-adv: fix local TT check for outgoing arp requests
in DAT
Change introduced by d6bd8b36fa1f3d72a6fd5942a6e9bde6ddafcd0d
goto out;
}
--
-1.9.0
+2.0.0.rc2
From 31f391475cc08724e96ab060ef4aa6503d11da8e Mon Sep 17 00:00:00 2001
From: Antonio Quartulli <antonio@open-mesh.com>
Date: Mon, 31 Mar 2014 13:48:10 +0200
-Subject: [PATCH 6/6] batman-adv: change the MAC of each VLAN upon
+Subject: [PATCH 6/9] batman-adv: change the MAC of each VLAN upon
ndo_set_mac_address
The MAC address of the soft-interface is used to initialise
return 0;
}
--
-1.9.0
+2.0.0.rc2
--- /dev/null
+From 2ac2c94590d49e69ad8400a9df959533195143ed Mon Sep 17 00:00:00 2001
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Thu, 24 Apr 2014 03:44:25 +0800
+Subject: [PATCH 7/9] batman-adv: fix indirect hard_iface NULL dereference
+
+If hard_iface is NULL and goto out is made batadv_hardif_free_ref()
+doesn't check for NULL before dereferencing it to get to refcount.
+
+Introduced in f13f960797fd1969b3c0470cc97435ddfb6aecb4
+("batman-adv: add debugfs support to view multiif tables").
+
+Reported-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Acked-by: Antonio Quartulli <antonio@meshcoding.com>
+---
+ originator.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/originator.c b/originator.c
+index aa2468b..35b42f8 100644
+--- a/originator.c
++++ b/originator.c
+@@ -1074,7 +1074,8 @@ int batadv_orig_hardif_seq_print_text(struct seq_file *seq, void *offset)
+ bat_priv->bat_algo_ops->bat_orig_print(bat_priv, seq, hard_iface);
+
+ out:
+- batadv_hardif_free_ref(hard_iface);
++ if (hard_iface)
++ batadv_hardif_free_ref(hard_iface);
+ return 0;
+ }
+
+--
+2.0.0.rc2
+
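Review bot: The NULL guard is added only at this one call site (`out:` in batadv_orig_hardif_seq_print_text()), while the commit message states that batadv_hardif_free_ref() itself dereferences its argument without checking it. Every other cleanup path that can reach the helper with a NULL pointer has to repeat the guard, and a missed one is a kernel NULL dereference; the fragmentation.c patch later in this series adds the same `if (primary_if)` pattern. I would at least document the contract at the label, e.g. `/* hard_iface may be NULL here; batadv_hardif_free_ref() does not accept NULL */`. The function body starts outside the hunk, so which `goto out` paths leave hard_iface NULL cannot be confirmed from here.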
--- /dev/null
+From 113f264b60bc4f50011a8f736d74f91ff7da11f1 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@open-mesh.com>
+Date: Wed, 23 Apr 2014 14:05:16 +0200
+Subject: [PATCH 8/9] batman-adv: fix reference counting imbalance while
+ sending fragment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In the new fragmentation code the batadv_frag_send_packet()
+function obtains a reference to the primary_if, but it does
+not release it upon return.
+
+This reference imbalance prevents the primary_if (and then
+the related netdevice) to be properly released on shut down.
+
+Fix this by releasing the primary_if in batadv_frag_send_packet().
+
+Introduced by db56e4ecf5c2b179a0101138eacc2ec52b6ef45d
+("batman-adv: Fragment and send skbs larger than mtu")
+
+Cc: Martin Hundebøll <martin@hundeboll.net>
+Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Acked-by: Martin Hundebøll <martin@hundeboll.net>
+---
+ fragmentation.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/fragmentation.c b/fragmentation.c
+index 88df9b1..cc1cfd6 100644
+--- a/fragmentation.c
++++ b/fragmentation.c
+@@ -418,12 +418,13 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
+ struct batadv_neigh_node *neigh_node)
+ {
+ struct batadv_priv *bat_priv;
+- struct batadv_hard_iface *primary_if;
++ struct batadv_hard_iface *primary_if = NULL;
+ struct batadv_frag_packet frag_header;
+ struct sk_buff *skb_fragment;
+ unsigned mtu = neigh_node->if_incoming->net_dev->mtu;
+ unsigned header_size = sizeof(frag_header);
+ unsigned max_fragment_size, max_packet_size;
++ bool ret = false;
+
+ /* To avoid merge and refragmentation at next-hops we never send
+ * fragments larger than BATADV_FRAG_MAX_FRAG_SIZE
+@@ -483,7 +484,11 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
+ skb->len + ETH_HLEN);
+ batadv_send_skb_packet(skb, neigh_node->if_incoming, neigh_node->addr);
+
+- return true;
++ ret = true;
++
+ out_err:
+- return false;
++ if (primary_if)
++ batadv_hardif_free_ref(primary_if);
++
++ return ret;
+ }
+--
+2.0.0.rc2
+
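Review bot: The label `out_err:` at the end of batadv_frag_send_packet() is now also reached on the success path, because `ret = true;` falls straight through into it, so the name no longer matches what the label does. Renaming it to `out:` would make the single-exit cleanup obvious; the `goto out_err` statements sit between the two hunks and are not visible here, so they would need the same rename. The release is only correct for jumps taken before the reference is obtained because of the new `= NULL` initialiser, which deserves a short comment above the guard such as `/* primary_if is still NULL if we bailed out before taking the reference */`.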
--- /dev/null
+From 8dbdee55810adceecf51548d44da893076c99219 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@open-mesh.com>
+Date: Fri, 2 May 2014 01:35:13 +0200
+Subject: [PATCH 9/9] batman-adv: increase orig refcount when storing ref in
+ gw_node
+
+A pointer to the orig_node representing a bat-gateway is
+stored in the gw_node->orig_node member, but the refcount
+for such orig_node is never increased.
+This leads to memory faults when gw_node->orig_node is accessed
+and the originator has already been freed.
+
+Fix this by increasing the refcount on gw_node creation
+and decreasing it on gw_node free.
+
+Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+---
+ gateway_client.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/gateway_client.c b/gateway_client.c
+index d7fafc1..d5a40ab 100644
+--- a/gateway_client.c
++++ b/gateway_client.c
+@@ -42,8 +42,10 @@
+
+ static void batadv_gw_node_free_ref(struct batadv_gw_node *gw_node)
+ {
+- if (atomic_dec_and_test(&gw_node->refcount))
++ if (atomic_dec_and_test(&gw_node->refcount)) {
++ batadv_orig_node_free_ref(gw_node->orig_node);
+ kfree_rcu(gw_node, rcu);
++ }
+ }
+
+ static struct batadv_gw_node *
+@@ -406,9 +408,14 @@ static void batadv_gw_node_add(struct batadv_priv *bat_priv,
+ if (gateway->bandwidth_down == 0)
+ return;
+
++ if (!atomic_inc_not_zero(&orig_node->refcount))
++ return;
++
+ gw_node = kzalloc(sizeof(*gw_node), GFP_ATOMIC);
+- if (!gw_node)
++ if (!gw_node) {
++ batadv_orig_node_free_ref(orig_node);
+ return;
++ }
+
+ INIT_HLIST_NODE(&gw_node->list);
+ gw_node->orig_node = orig_node;
+--
+2.0.0.rc2
+
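Review bot: In batadv_gw_node_free_ref() the originator reference is dropped immediately, while gw_node itself is only freed after an RCU grace period by `kfree_rcu(gw_node, rcu)`, so a reader that still holds gw_node under rcu_read_lock() can follow gw_node->orig_node after this call. That is safe only if batadv_orig_node_free_ref() also defers the actual free through RCU, which is not visible in this hunk. If that holds, state the dependency in a comment, e.g. `/* orig_node is released via RCU as well, so gw_node->orig_node stays valid for current readers */`. In batadv_gw_node_add() the code after `gw_node->orig_node = orig_node;` lies outside the hunk; any early return added there later would also have to drop the reference taken by `atomic_inc_not_zero()`.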