From: Marek Lindner Date: Sat, 15 Feb 2014 01:41:19 +0000 (+0800) Subject: batman-adv: 2014.0.0 updated stability fixes X-Git-Url: http://git.openwrt.org/?p=feed%2Frouting.git;a=commitdiff_plain;h=2185559079f60ab6269a0ff8f25441ecf7f928ff batman-adv: 2014.0.0 updated stability fixes Signed-off-by: Marek Lindner --- diff --git a/batman-adv/Makefile b/batman-adv/Makefile index 4bfbe54..1054ae6 100644 --- a/batman-adv/Makefile +++ b/batman-adv/Makefile @@ -12,7 +12,7 @@ PKG_NAME:=batman-adv PKG_VERSION:=2014.0.0 BATCTL_VERSION:=2014.0.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_MD5SUM:=8d58ecaede17dc05aab1b549dc09fa7d BATCTL_MD5SUM:=b0bcf29fef80ddcc33769e13f5937d0a diff --git a/batman-adv/patches/0001-batman-adv-fix-batman-adv-header-overhead-calculatio.patch b/batman-adv/patches/0001-batman-adv-fix-batman-adv-header-overhead-calculatio.patch index 31c2218..771a0e0 100644 --- a/batman-adv/patches/0001-batman-adv-fix-batman-adv-header-overhead-calculatio.patch +++ b/batman-adv/patches/0001-batman-adv-fix-batman-adv-header-overhead-calculatio.patch @@ -1,7 +1,7 @@ From 746d6436f88899a79c1cb3b27af0614510368bb7 Mon Sep 17 00:00:00 2001 From: Marek Lindner Date: Wed, 15 Jan 2014 20:31:18 +0800 -Subject: [PATCH 1/5] batman-adv: fix batman-adv header overhead calculation +Subject: [PATCH 01/13] batman-adv: fix batman-adv header overhead calculation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -34,5 +34,5 @@ index 4547bf0..fd85205 100644 /** -- -1.8.5.3 +1.9.0.rc3 diff --git a/batman-adv/patches/0002-batman-adv-fix-potential-kernel-paging-error-for-uni.patch b/batman-adv/patches/0002-batman-adv-fix-potential-kernel-paging-error-for-uni.patch index 30f5f55..66a0d14 100644 --- a/batman-adv/patches/0002-batman-adv-fix-potential-kernel-paging-error-for-uni.patch +++ b/batman-adv/patches/0002-batman-adv-fix-potential-kernel-paging-error-for-uni.patch @@ -1,8 +1,8 @@ From 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20L=C3=BCssing?= Date: Mon, 20 Jan 2014 11:06:44 +0100 -Subject: [PATCH 2/5] batman-adv: fix potential kernel paging error for unicast - transmissions +Subject: [PATCH 02/13] batman-adv: fix potential kernel paging error for + unicast transmissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -40,5 +40,5 @@ index b0a3d76..2035bd9 100644 /* inform the destination node that we are still missing a correct route -- -1.8.5.3 +1.9.0.rc3 diff --git a/batman-adv/patches/0003-batman-adv-fix-soft-interface-MTU-computation.patch b/batman-adv/patches/0003-batman-adv-fix-soft-interface-MTU-computation.patch index ac718c0..636adff 100644 --- a/batman-adv/patches/0003-batman-adv-fix-soft-interface-MTU-computation.patch +++ b/batman-adv/patches/0003-batman-adv-fix-soft-interface-MTU-computation.patch @@ -1,7 +1,7 @@ From 2b108ccd0533e1375e44c73ec58c69dde9a71687 Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Tue, 21 Jan 2014 11:22:05 +0100 -Subject: [PATCH 3/5] batman-adv: fix soft-interface MTU computation +Subject: [PATCH 03/13] batman-adv: fix soft-interface MTU computation The current MTU computation always returns a value smaller than 1500bytes even if the real interfaces @@ -71,5 +71,5 @@ index 6792e03..0eb0b3b 100644 /* adjusts the MTU if a new interface with a smaller MTU appeared. */ -- -1.8.5.3 +1.9.0.rc3 diff --git a/batman-adv/patches/0004-batman-adv-fix-TT-TVLV-parsing-on-OGM-reception.patch b/batman-adv/patches/0004-batman-adv-fix-TT-TVLV-parsing-on-OGM-reception.patch index d34225f..abb6f9b 100644 --- a/batman-adv/patches/0004-batman-adv-fix-TT-TVLV-parsing-on-OGM-reception.patch +++ b/batman-adv/patches/0004-batman-adv-fix-TT-TVLV-parsing-on-OGM-reception.patch @@ -1,7 +1,7 @@ From db13d361ff6abf57090acfdeb0f5cedd8dd7f02e Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Mon, 27 Jan 2014 12:23:28 +0100 -Subject: [PATCH 4/5] batman-adv: fix TT-TVLV parsing on OGM reception +Subject: [PATCH 04/13] batman-adv: fix TT-TVLV parsing on OGM reception When accessing a TT-TVLV container in the OGM RX path the variable pointing to the list of changes to apply is @@ -31,5 +31,5 @@ index 3fca99d..45b6155 100644 ttvn, tt_change); -- -1.8.5.3 +1.9.0.rc3 diff --git a/batman-adv/patches/0005-batman-adv-release-vlan-object-after-checking-the-CR.patch b/batman-adv/patches/0005-batman-adv-release-vlan-object-after-checking-the-CR.patch index 58b95e8..d8cab28 100644 --- a/batman-adv/patches/0005-batman-adv-release-vlan-object-after-checking-the-CR.patch +++ b/batman-adv/patches/0005-batman-adv-release-vlan-object-after-checking-the-CR.patch @@ -1,7 +1,7 @@ From dc08c045b46bdd9a5c81068a89f9f2a78d3d4bbd Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Tue, 28 Jan 2014 02:06:47 +0100 -Subject: [PATCH 5/5] batman-adv: release vlan object after checking the CRC +Subject: [PATCH 05/13] batman-adv: release vlan object after checking the CRC There is a refcounter unbalance in the CRC checking routine invoked on OGM reception. A vlan object is retrieved (thus @@ -46,5 +46,5 @@ index 45b6155..05c2a9b 100644 } -- -1.8.5.3 +1.9.0.rc3 diff --git a/batman-adv/patches/0006-batman-adv-properly-check-pskb_may_pull-return-value.patch b/batman-adv/patches/0006-batman-adv-properly-check-pskb_may_pull-return-value.patch new file mode 100644 index 0000000..daf15af --- /dev/null +++ b/batman-adv/patches/0006-batman-adv-properly-check-pskb_may_pull-return-value.patch @@ -0,0 +1,34 @@ +From eabdc3175b1d119cd673f36d06264cddb4803ace Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Thu, 30 Jan 2014 00:12:24 +0100 +Subject: [PATCH 06/13] batman-adv: properly check pskb_may_pull return value + +pskb_may_pull() returns 1 on success and 0 in case of failure, +therefore checking for the return value being negative does +not make sense at all. + +This way if the function fails we will probably read beyond the current +skb data buffer. Fix this by doing the proper check. + +Signed-off-by: Antonio Quartulli +Signed-off-by: Marek Lindner +--- + routing.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/routing.c b/routing.c +index f28920f..f7579d0 100644 +--- a/routing.c ++++ b/routing.c +@@ -833,7 +833,7 @@ static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv, + int is_old_ttvn; + + /* check if there is enough data before accessing it */ +- if (pskb_may_pull(skb, hdr_len + ETH_HLEN) < 0) ++ if (!pskb_may_pull(skb, hdr_len + ETH_HLEN)) + return 0; + + /* create a copy of the skb (in case of for re-routing) to modify it. */ +-- +1.9.0.rc3 + diff --git a/batman-adv/patches/0007-batman-adv-remove-useless-assignment.patch b/batman-adv/patches/0007-batman-adv-remove-useless-assignment.patch new file mode 100644 index 0000000..c9bf294 --- /dev/null +++ b/batman-adv/patches/0007-batman-adv-remove-useless-assignment.patch @@ -0,0 +1,30 @@ +From 9a91d33c0ea234faf59ee7543d5253e6809a6b6f Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Thu, 30 Jan 2014 13:57:27 +0100 +Subject: [PATCH 07/13] batman-adv: remove useless assignment + +Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb + ("batman-adv: fix potential kernel paging error for unicast transmissions") + +Signed-off-by: Antonio Quartulli +Signed-off-by: Marek Lindner +--- + send.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/send.c b/send.c +index 2035bd9..75be770 100644 +--- a/send.c ++++ b/send.c +@@ -256,7 +256,7 @@ static int batadv_send_skb_unicast(struct batadv_priv *bat_priv, + struct batadv_orig_node *orig_node, + unsigned short vid) + { +- struct ethhdr *ethhdr = (struct ethhdr *)skb->data; ++ struct ethhdr *ethhdr; + struct batadv_unicast_packet *unicast_packet; + int ret = NET_XMIT_DROP; + +-- +1.9.0.rc3 + diff --git a/batman-adv/patches/0007-batman-adv-use-vlan_-eth_hdr-instead-of-skb-data-in-.patch b/batman-adv/patches/0007-batman-adv-use-vlan_-eth_hdr-instead-of-skb-data-in-.patch deleted file mode 100644 index 56fee68..0000000 --- a/batman-adv/patches/0007-batman-adv-use-vlan_-eth_hdr-instead-of-skb-data-in-.patch +++ /dev/null @@ -1,49 +0,0 @@ -From f9170f22998a276e04b4c7d91da4c373609d28b3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Linus=20L=C3=BCssing?= -Date: Sun, 19 Jan 2014 22:22:45 +0100 -Subject: [PATCH] batman-adv: use vlan_/eth_hdr() instead of skb->data in - interface_tx path -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Our .ndo_start_xmit handler (batadv_interface_tx()) can rely on having -the skb mac header pointer set correctly since the following commit -present in kernels >= 3.9: - -"net: reset mac header in dev_start_xmit()" (6d1ccff627) - -Therefore we can safely use eth_hdr() and vlan_eth_hdr() instead of -skb->data now, which spares us some ugly type casts. - -Signed-off-by: Linus Lüssing -Signed-off-by: Marek Lindner ---- - compat.h | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/compat.h b/compat.h -index 57c9d96..9692ed2 100644 ---- a/compat.h -+++ b/compat.h -@@ -302,6 +302,17 @@ static int batadv_interface_set_mac_addr(struct net_device *dev, void *p) \ - }\ - static int __batadv_interface_set_mac_addr(x, y) - -+#define batadv_interface_tx(x, y) \ -+__batadv_interface_tx(struct sk_buff *skb, struct net_device *soft_iface); \ -+static int batadv_interface_tx(struct sk_buff *skb, \ -+ struct net_device *soft_iface) \ -+{ \ -+ skb_reset_mac_header(skb); \ -+ return __batadv_interface_tx(skb, soft_iface); \ -+} \ -+static int __batadv_interface_tx(struct sk_buff *skb, \ -+ struct net_device *soft_iface) -+ - #define netdev_master_upper_dev_link netdev_set_master - #define netdev_upper_dev_unlink(slave, master) netdev_set_master(slave, NULL) - #define netdev_master_upper_dev_get(dev) \ --- -1.8.5.3 - diff --git a/batman-adv/patches/0008-batman-adv-backport-eth_hdr-compat-fix-to-avoid-kern.patch b/batman-adv/patches/0008-batman-adv-backport-eth_hdr-compat-fix-to-avoid-kern.patch new file mode 100644 index 0000000..a84f4bb --- /dev/null +++ b/batman-adv/patches/0008-batman-adv-backport-eth_hdr-compat-fix-to-avoid-kern.patch @@ -0,0 +1,43 @@ +From b921e8f70aa929766856decfe79ee8e78ba21e23 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Sun, 2 Feb 2014 22:53:11 +0800 +Subject: [PATCH 08/13] batman-adv: backport eth_hdr() compat fix to avoid + kernel oops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb + ("batman-adv: fix potential kernel paging error for unicast transmissions") + +Signed-off-by: Marek Lindner +CC: Linus Lüssing +--- + compat.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/compat.h b/compat.h +index a4ab202..deea92b 100644 +--- a/compat.h ++++ b/compat.h +@@ -289,6 +289,17 @@ static int batadv_interface_set_mac_addr(struct net_device *dev, void *p) \ + }\ + static int __batadv_interface_set_mac_addr(x, y) + ++#define batadv_interface_tx(x, y) \ ++__batadv_interface_tx(struct sk_buff *skb, struct net_device *soft_iface); \ ++static int batadv_interface_tx(struct sk_buff *skb, \ ++ struct net_device *soft_iface) \ ++{ \ ++ skb_reset_mac_header(skb); \ ++ return __batadv_interface_tx(skb, soft_iface); \ ++} \ ++static int __batadv_interface_tx(struct sk_buff *skb, \ ++ struct net_device *soft_iface) ++ + #define netdev_master_upper_dev_link netdev_set_master + #define netdev_upper_dev_unlink(slave, master) netdev_set_master(slave, NULL) + #define netdev_master_upper_dev_get(dev) \ +-- +1.9.0.rc3 + diff --git a/batman-adv/patches/0009-batman-adv-fix-potential-orig_node-reference-leak.patch b/batman-adv/patches/0009-batman-adv-fix-potential-orig_node-reference-leak.patch new file mode 100644 index 0000000..ac48bb9 --- /dev/null +++ b/batman-adv/patches/0009-batman-adv-fix-potential-orig_node-reference-leak.patch @@ -0,0 +1,34 @@ +From cb4d66e6803b854663ee758e3eecbda183b0b007 Mon Sep 17 00:00:00 2001 +From: Simon Wunderlich +Date: Sat, 8 Feb 2014 16:45:06 +0100 +Subject: [PATCH 09/13] batman-adv: fix potential orig_node reference leak + +Since batadv_orig_node_new() sets the refcount to two, assuming that +the calling function will use a reference for putting the orig_node into +a hash or similar, both references must be freed if initialization of +the orig_node fails. Otherwise that object may be leaked in that error +case. + +Reported-by: Antonio Quartulli +Signed-off-by: Simon Wunderlich +Signed-off-by: Marek Lindner +--- + bat_iv_ogm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/bat_iv_ogm.c b/bat_iv_ogm.c +index 6f4fcdc..c07e59f 100644 +--- a/bat_iv_ogm.c ++++ b/bat_iv_ogm.c +@@ -256,6 +256,8 @@ batadv_iv_ogm_orig_get(struct batadv_priv *bat_priv, const uint8_t *addr) + free_bcast_own: + kfree(orig_node->bat_iv.bcast_own); + free_orig_node: ++ /* free twice, as batadv_orig_node_new sets refcount to 2 */ ++ batadv_orig_node_free_ref(orig_node); + batadv_orig_node_free_ref(orig_node); + + return NULL; +-- +1.9.0.rc3 + diff --git a/batman-adv/patches/0010-batman-adv-fix-memory-access-by-setting-mac_header-i.patch b/batman-adv/patches/0010-batman-adv-fix-memory-access-by-setting-mac_header-i.patch new file mode 100644 index 0000000..af29228 --- /dev/null +++ b/batman-adv/patches/0010-batman-adv-fix-memory-access-by-setting-mac_header-i.patch @@ -0,0 +1,44 @@ +From df99b07081eeda5cca292afe2dcc5cb3bf5be154 Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Tue, 11 Feb 2014 11:26:43 +0100 +Subject: [PATCH 10/13] batman-adv: fix memory access by setting mac_header in + DAT + +In the TX path we now have functions that rely on the +skb->mac_header field. DAT does not set such field when +creating its own ARP packets thus leading to wrong memory +access. + +Fix it by always setting the mac_header after having forged +the ARP packet. + +Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb +("batman-adv: fix potential kernel paging error for unicast transmissions") + +Reported-by: Russel Senior +Signed-off-by: Antonio Quartulli +Tested-by: Russel Senior +Signed-off-by: Marek Lindner +--- + distributed-arp-table.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/distributed-arp-table.c b/distributed-arp-table.c +index 6da587a..0b69b61 100644 +--- a/distributed-arp-table.c ++++ b/distributed-arp-table.c +@@ -1028,6 +1028,11 @@ bool batadv_dat_snoop_incoming_arp_request(struct batadv_priv *bat_priv, + if (!skb_new) + goto out; + ++ /* the rest of the TX path assumes that the mac_header offset pointing ++ * to the inner Ethernet header has been set, therefore reset it now. ++ */ ++ skb_reset_mac_header(skb_new); ++ + if (vid & BATADV_VLAN_HAS_TAG) + skb_new = vlan_insert_tag(skb_new, htons(ETH_P_8021Q), + vid & VLAN_VID_MASK); +-- +1.9.0.rc3 + diff --git a/batman-adv/patches/0011-batman-adv-fix-TT-CRC-computation-by-ensuring-byte-o.patch b/batman-adv/patches/0011-batman-adv-fix-TT-CRC-computation-by-ensuring-byte-o.patch new file mode 100644 index 0000000..c4281a5 --- /dev/null +++ b/batman-adv/patches/0011-batman-adv-fix-TT-CRC-computation-by-ensuring-byte-o.patch @@ -0,0 +1,82 @@ +From be4385eacf30ad55a5cf4574768624ce8141a0c7 Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Tue, 11 Feb 2014 17:05:06 +0100 +Subject: [PATCH 11/13] batman-adv: fix TT CRC computation by ensuring byte + order + +When computing the CRC on a 2byte variable the order of +the bytes obviously alters the final result. This means +that computing the CRC over the same value on two archs +having different endianess leads to different numbers. + +The global and local translation table CRC computation +routine makes this mistake while processing the clients +VIDs. The result is a continuous CRC mismatching between +nodes having different endianess. + +Fix this by converting the VID to Network Order before +processing it. This guarantees that every node uses the same +byte order. + +Introduced by 21a57f6e7a3b4455dfe68ee07a7b901d9e7f200b +("batman-adv: make the TT CRC logic VLAN specific") + +Reported-by: Russel Senior +Signed-off-by: Antonio Quartulli +Tested-by: Russell Senior +Signed-off-by: Marek Lindner +--- + translation-table.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/translation-table.c b/translation-table.c +index 05c2a9b..24e3267 100644 +--- a/translation-table.c ++++ b/translation-table.c +@@ -1961,6 +1961,7 @@ static uint32_t batadv_tt_global_crc(struct batadv_priv *bat_priv, + struct hlist_head *head; + uint32_t i, crc_tmp, crc = 0; + uint8_t flags; ++ __be16 tmp_vid; + + for (i = 0; i < hash->size; i++) { + head = &hash->table[i]; +@@ -1997,8 +1998,11 @@ static uint32_t batadv_tt_global_crc(struct batadv_priv *bat_priv, + orig_node)) + continue; + +- crc_tmp = crc32c(0, &tt_common->vid, +- sizeof(tt_common->vid)); ++ /* use network order to read the VID: this ensures that ++ * every node reads the bytes in the same order. ++ */ ++ tmp_vid = htons(tt_common->vid); ++ crc_tmp = crc32c(0, &tmp_vid, sizeof(tmp_vid)); + + /* compute the CRC on flags that have to be kept in sync + * among nodes +@@ -2032,6 +2036,7 @@ static uint32_t batadv_tt_local_crc(struct batadv_priv *bat_priv, + struct hlist_head *head; + uint32_t i, crc_tmp, crc = 0; + uint8_t flags; ++ __be16 tmp_vid; + + for (i = 0; i < hash->size; i++) { + head = &hash->table[i]; +@@ -2050,8 +2055,11 @@ static uint32_t batadv_tt_local_crc(struct batadv_priv *bat_priv, + if (tt_common->flags & BATADV_TT_CLIENT_NEW) + continue; + +- crc_tmp = crc32c(0, &tt_common->vid, +- sizeof(tt_common->vid)); ++ /* use network order to read the VID: this ensures that ++ * every node reads the bytes in the same order. ++ */ ++ tmp_vid = htons(tt_common->vid); ++ crc_tmp = crc32c(0, &tmp_vid, sizeof(tmp_vid)); + + /* compute the CRC on flags that have to be kept in sync + * among nodes +-- +1.9.0.rc3 + diff --git a/batman-adv/patches/0012-batman-adv-free-skb-on-TVLV-parsing-success.patch b/batman-adv/patches/0012-batman-adv-free-skb-on-TVLV-parsing-success.patch new file mode 100644 index 0000000..9d9dc8d --- /dev/null +++ b/batman-adv/patches/0012-batman-adv-free-skb-on-TVLV-parsing-success.patch @@ -0,0 +1,37 @@ +From 9289542085d7e298b90c7b6fb6efb509dab69d8b Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Tue, 11 Feb 2014 17:05:07 +0100 +Subject: [PATCH 12/13] batman-adv: free skb on TVLV parsing success + +When the TVLV parsing routine succeed the skb is left +untouched thus leading to a memory leak. + +Fix this by consuming the skb in case of success. + +Introduced by 0b6aa0d43767889eeda43a132cf5e73df4e63bf2 +("batman-adv: tvlv - basic infrastructure") + +Reported-by: Russel Senior +Signed-off-by: Antonio Quartulli +Tested-by: Russell Senior +Signed-off-by: Marek Lindner +--- + routing.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/routing.c b/routing.c +index f7579d0..71bf698 100644 +--- a/routing.c ++++ b/routing.c +@@ -1063,6 +1063,8 @@ int batadv_recv_unicast_tvlv(struct sk_buff *skb, + + if (ret != NET_RX_SUCCESS) + ret = batadv_route_unicast_packet(skb, recv_if); ++ else ++ consume_skb(skb); + + return ret; + } +-- +1.9.0.rc3 + diff --git a/batman-adv/patches/0013-batman-adv-avoid-double-free-when-orig_node-initiali.patch b/batman-adv/patches/0013-batman-adv-avoid-double-free-when-orig_node-initiali.patch new file mode 100644 index 0000000..03d9b86 --- /dev/null +++ b/batman-adv/patches/0013-batman-adv-avoid-double-free-when-orig_node-initiali.patch @@ -0,0 +1,47 @@ +From d4acda1cb9cca135e7b91777bb2680518b3cffa0 Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Sat, 15 Feb 2014 02:17:20 +0100 +Subject: [PATCH 13/13] batman-adv: avoid double free when orig_node + initialization fails + +In the failure path of the orig_node initialization routine +the orig_node->bat_iv.bcast_own field is free'd twice: first +in batadv_iv_ogm_orig_get() and then later in +batadv_orig_node_free_rcu(). + +Fix it by removing the kfree in batadv_iv_ogm_orig_get(). + +Signed-off-by: Antonio Quartulli +Signed-off-by: Marek Lindner +--- + bat_iv_ogm.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/bat_iv_ogm.c b/bat_iv_ogm.c +index c07e59f..fdf4322 100644 +--- a/bat_iv_ogm.c ++++ b/bat_iv_ogm.c +@@ -243,18 +243,16 @@ batadv_iv_ogm_orig_get(struct batadv_priv *bat_priv, const uint8_t *addr) + size = bat_priv->num_ifaces * sizeof(uint8_t); + orig_node->bat_iv.bcast_own_sum = kzalloc(size, GFP_ATOMIC); + if (!orig_node->bat_iv.bcast_own_sum) +- goto free_bcast_own; ++ goto free_orig_node; + + hash_added = batadv_hash_add(bat_priv->orig_hash, batadv_compare_orig, + batadv_choose_orig, orig_node, + &orig_node->hash_entry); + if (hash_added != 0) +- goto free_bcast_own; ++ goto free_orig_node; + + return orig_node; + +-free_bcast_own: +- kfree(orig_node->bat_iv.bcast_own); + free_orig_node: + /* free twice, as batadv_orig_node_new sets refcount to 2 */ + batadv_orig_node_free_ref(orig_node); +-- +1.9.0.rc3 +