Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-5.1.y 2019-07-26T07:12:29Z 2019-07-26T07:12:29Z Sven Eckelmann sven@narfation.org 2019-06-02T08:57:31Z urn:sha1:a2b46e78fa4c60142477626b4be53001f7d7a79b [ Upstream commit 9e6b5648bbc4cd48fab62cecbb81e9cc3c6e7e88 ] The state of slave interfaces are handled differently depending on whether the interface is up or not. All active interfaces (IFF_UP) will transmit OGMs. But for B.A.T.M.A.N. IV, also non-active interfaces are scheduling (low TTL) OGMs on active interfaces. The code which setups and schedules the OGMs must therefore already be called when the interfaces gets added as slave interface and the transmit function must then check whether it has to send out the OGM or not on the specific slave interface. But the commit f0d97253fb5f ("batman-adv: remove ogm_emit and ogm_schedule API calls") moved the setup code from the enable function to the activate function. The latter is called either when the added slave was already up when batadv_hardif_enable_interface processed the new interface or when a NETDEV_UP event was received for this slave interfac. As result, each NETDEV_UP would schedule a new OGM worker for the interface and thus OGMs would be send a lot more than expected. Fixes: f0d97253fb5f ("batman-adv: remove ogm_emit and ogm_schedule API calls") Reported-by: Linus Lüssing <linus.luessing@c0d3.blue> Tested-by: Linus Lüssing <linus.luessing@c0d3.blue> Acked-by: Marek Lindner <mareklindner@neomailbox.ch> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-07-26T07:12:23Z Jeremy Sowden jeremy@azazel.net 2019-05-21T19:58:57Z urn:sha1:6c2ab28a434c00b091a5ab56b6cf96773ad74d92 [ Upstream commit 17f78dd1bd624a4dd78ed5db3284a63ee807fcc3 ] A handler for BATADV_TVLV_ROAM was being registered when the translation-table was initialized, but not unregistered when the translation-table was freed. Unregister it. Fixes: 122edaa05940 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets") Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-06-15T09:53:04Z Sven Eckelmann sven@narfation.org 2019-03-17T09:50:50Z urn:sha1:b7630b793d60048a5683e57d60dde24fd4b749cd [ Upstream commit c2d8b9a6c17a3848136b3eb31f26d3c5880acd89 ] The send functions in batman-adv are expected to consume the skb when either the data is queued up for the underlying driver or when some precondition failed. batadv_dat_send_data didn't do this and instead created a copy of the skb, modified it and queued the copy up for transmission. The caller has to take care that the skb is handled correctly (for example free'd) when batadv_dat_send_data returns. This unclear behavior already lead to memory leaks in the recent past. Renaming the function to batadv_dat_forward_data should make it easier to identify that the data is forwarded but the skb is not actually send+consumed. Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-05-31T13:43:49Z Linus Lüssing linus.luessing@c0d3.blue 2019-02-14T15:52:43Z urn:sha1:d08c911b0a9da6d5c6913c1f9a676a15c78ab119 [ Upstream commit 099e6cc1582dc2903fecb898bbeae8f7cf4262c7 ] Currently incoming ARP Replies, for example via a DHT-PUT message, do not update the timeout for an already existing DAT entry. These ARP Replies are dropped instead. This however defeats the purpose of the DHCPACK snooping, for instance. Right now, a DAT entry in the DHT will be purged every five minutes, likely leading to a mesh-wide ARP Request broadcast after this timeout. Which then recreates the entry. The idea of the DHCPACK snooping is to be able to update an entry before a timeout happens, to avoid ARP Request flooding. This patch fixes this issue by updating a DAT entry on incoming ARP Replies even if a matching DAT entry already exists. While still filtering the ARP Reply towards the soft-interface, to avoid duplicate messages on the client device side. Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> Acked-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-05-31T13:43:13Z Linus Lüssing linus.luessing@c0d3.blue 2019-04-24T01:19:14Z urn:sha1:2eec11f7e066d5559ec6b37c029941f23137eb8b commit a3c7cd0cdf1107f891aff847ad481e34df727055 upstream. Syzbot has reported some issues with the locking assumptions made for the multicast tt/tvlv worker: It was able to trigger the WARN_ON() in batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add(). While hard/not reproduceable for us so far it seems that the delayed_work_pending() we use might not be quite safe from reordering. Therefore this patch adds an explicit, new spinlock to protect the update of the mla_list and flags in bat_priv and then removes the WARN_ON(delayed_work_pending()). Reported-by: syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com Reported-by: syzbot+050927a651272b145a5d@syzkaller.appspotmail.com Reported-by: syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com Reported-by: syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com Fixes: cbebd363b2e9 ("batman-adv: Use own timer for multicast TT and TVLV updates") Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-03-25T08:31:19Z Sven Eckelmann sven@narfation.org 2019-03-03T18:25:26Z urn:sha1:438b3d3fae4346a49fe12fa7cc1dc9327f006a91 The throughput_override sysfs file is not below the meshif but below a hardif. The kobj has therefore not a pointer which can be used to find the batadv_priv data. The pointer stored in the hardif object must be used instead to find the correct meshif private data. Fixes: 7e6f461efe25 ("batman-adv: Trigger genl notification on sysfs config change") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2019-03-25T08:31:19Z Anders Roxell anders.roxell@linaro.org 2019-02-22T15:25:54Z urn:sha1:ca8c3b922e7032aff6cc3fd05548f4df1f3df90e When CONFIG_CFG80211 isn't enabled the compiler correcly warns about 'sinfo.pertid' may be unused. It can also happen for other error conditions that it not warn about. net/batman-adv/bat_v_elp.c: In function ‘batadv_v_elp_get_throughput.isra.0’: include/net/cfg80211.h:6370:13: warning: ‘sinfo.pertid’ may be used uninitialized in this function [-Wmaybe-uninitialized] kfree(sinfo->pertid); ~~~~~^~~~~~~~ Rework so that we only release '&sinfo' if cfg80211_get_station returns zero. Fixes: 7d652669b61d ("batman-adv: release station info tidstats") Signed-off-by: Anders Roxell <anders.roxell@linaro.org> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2019-03-25T08:31:19Z Sven Eckelmann sven@narfation.org 2019-02-23T13:27:10Z urn:sha1:f131a56880d10932931e74773fb8702894a94a75 The batadv_hash_remove is a function which searches the hashtable for an entry using a needle, a hashtable bucket selection function and a compare function. It will lock the bucket list and delete an entry when the compare function matches it with the needle. It returns the pointer to the hlist_node which matches or NULL when no entry matches the needle. The batadv_tt_global_free is not itself protected in anyway to avoid that any other function is modifying the hashtable between the search for the entry and the call to batadv_hash_remove. It can therefore happen that the entry either doesn't exist anymore or an entry was deleted which is not the same object as the needle. In such an situation, the reference counter (for the reference stored in the hashtable) must not be reduced for the needle. Instead the reference counter of the actually removed entry has to be reduced. Otherwise the reference counter will underflow and the object might be freed before all its references were dropped. The kref helpers reported this problem as: refcount_t: underflow; use-after-free. Fixes: 7683fdc1e886 ("batman-adv: protect the local and the global trans-tables with rcu") Reported-by: Martin Weinelt <martin@linuxlounge.net> Signed-off-by: Sven Eckelmann <sven@narfation.org> Acked-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2019-03-25T08:31:19Z Sven Eckelmann sven@narfation.org 2019-02-23T13:27:10Z urn:sha1:3d65b9accab4a7ed5038f6df403fbd5e298398c7 The batadv_hash_remove is a function which searches the hashtable for an entry using a needle, a hashtable bucket selection function and a compare function. It will lock the bucket list and delete an entry when the compare function matches it with the needle. It returns the pointer to the hlist_node which matches or NULL when no entry matches the needle. The batadv_tt_local_remove is not itself protected in anyway to avoid that any other function is modifying the hashtable between the search for the entry and the call to batadv_hash_remove. It can therefore happen that the entry either doesn't exist anymore or an entry was deleted which is not the same object as the needle. In such an situation, the reference counter (for the reference stored in the hashtable) must not be reduced for the needle. Instead the reference counter of the actually removed entry has to be reduced. Otherwise the reference counter will underflow and the object might be freed before all its references were dropped. The kref helpers reported this problem as: refcount_t: underflow; use-after-free. Fixes: ef72706a0543 ("batman-adv: protect tt_local_entry from concurrent delete events") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2019-03-25T08:31:19Z Sven Eckelmann sven@narfation.org 2019-02-23T13:27:10Z urn:sha1:4ba104f468bbfc27362c393815d03aa18fb7a20f The batadv_hash_remove is a function which searches the hashtable for an entry using a needle, a hashtable bucket selection function and a compare function. It will lock the bucket list and delete an entry when the compare function matches it with the needle. It returns the pointer to the hlist_node which matches or NULL when no entry matches the needle. The batadv_bla_del_claim is not itself protected in anyway to avoid that any other function is modifying the hashtable between the search for the entry and the call to batadv_hash_remove. It can therefore happen that the entry either doesn't exist anymore or an entry was deleted which is not the same object as the needle. In such an situation, the reference counter (for the reference stored in the hashtable) must not be reduced for the needle. Instead the reference counter of the actually removed entry has to be reduced. Otherwise the reference counter will underflow and the object might be freed before all its references were dropped. The kref helpers reported this problem as: refcount_t: underflow; use-after-free. Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>