26 Jun, 2020
1 commit
-
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
17 Feb, 2020
1 commit
-
The new CONFIG_PROVE_RCU_LIST requires a condition statement in
(h)list_for_each_entry_rcu when the code might be executed in a non RCU
non-reader section with the writer lock. Otherwise lockdep might cause a
false positive warning like=============================
WARNING: suspicious RCU usage
-----------------------------
translation-table.c:940 RCU-list traversed in non-reader section!!batman-adv is (mostly) following the examples from the RCU documentation
and is using the normal list-traversal primitives instead of the RCU
list-traversal primitives when the writer (spin)lock is held.The remaining users of RCU list-traversal primitives with writer spinlock
have to be converted to the same style as the rest of the code.Reported-by: Madhuparna Bhowmik
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
01 Jan, 2020
1 commit
-
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
22 May, 2019
1 commit
-
A handler for BATADV_TVLV_ROAM was being registered when the
translation-table was initialized, but not unregistered when the
translation-table was freed. Unregister it.Fixes: 122edaa05940 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets")
Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com
Signed-off-by: Jeremy Sowden
Signed-off-by: Sven Eckelmann
06 Apr, 2019
1 commit
-
Minor comment merge conflict in mlx5.
Staging driver has a fixup due to the skb->xmit_more changes
in 'net-next', but was removed in 'net'.Signed-off-by: David S. Miller
25 Mar, 2019
4 commits
-
With this patch multicast packets with a limited number of destinations
(current default: 16) will be split and transmitted by the originator as
individual unicast transmissions.Wifi broadcasts with their low bitrate are still a costly undertaking.
In a mesh network this cost multiplies with the overall size of the mesh
network. Therefore using multiple unicast transmissions instead of
broadcast flooding is almost always less burdensome for the mesh
network.The maximum amount of unicast packets can be configured via the newly
introduced multicast_fanout parameter. If this limit is exceeded
distribution will fall back to classic broadcast flooding.The multicast-to-unicast conversion is performed on the initial
multicast sender node and counts on a final destination node, mesh-wide
basis (and not next hop, neighbor node basis).Signed-off-by: Linus Lüssing
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich -
All files got a SPDX-License-Identifier with commit 7db7d9f369a4
("batman-adv: Add SPDX license identifier above copyright header"). All the
required information about the license conditions can be found in
LICENSES/.Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich -
The batadv_hash_remove is a function which searches the hashtable for an
entry using a needle, a hashtable bucket selection function and a compare
function. It will lock the bucket list and delete an entry when the compare
function matches it with the needle. It returns the pointer to the
hlist_node which matches or NULL when no entry matches the needle.The batadv_tt_global_free is not itself protected in anyway to avoid that
any other function is modifying the hashtable between the search for the
entry and the call to batadv_hash_remove. It can therefore happen that the
entry either doesn't exist anymore or an entry was deleted which is not the
same object as the needle. In such an situation, the reference counter (for
the reference stored in the hashtable) must not be reduced for the needle.
Instead the reference counter of the actually removed entry has to be
reduced.Otherwise the reference counter will underflow and the object might be
freed before all its references were dropped. The kref helpers reported
this problem as:refcount_t: underflow; use-after-free.
Fixes: 7683fdc1e886 ("batman-adv: protect the local and the global trans-tables with rcu")
Reported-by: Martin Weinelt
Signed-off-by: Sven Eckelmann
Acked-by: Antonio Quartulli
Signed-off-by: Simon Wunderlich -
The batadv_hash_remove is a function which searches the hashtable for an
entry using a needle, a hashtable bucket selection function and a compare
function. It will lock the bucket list and delete an entry when the compare
function matches it with the needle. It returns the pointer to the
hlist_node which matches or NULL when no entry matches the needle.The batadv_tt_local_remove is not itself protected in anyway to avoid that
any other function is modifying the hashtable between the search for the
entry and the call to batadv_hash_remove. It can therefore happen that the
entry either doesn't exist anymore or an entry was deleted which is not the
same object as the needle. In such an situation, the reference counter (for
the reference stored in the hashtable) must not be reduced for the needle.
Instead the reference counter of the actually removed entry has to be
reduced.Otherwise the reference counter will underflow and the object might be
freed before all its references were dropped. The kref helpers reported
this problem as:refcount_t: underflow; use-after-free.
Fixes: ef72706a0543 ("batman-adv: protect tt_local_entry from concurrent delete events")
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
04 Jan, 2019
1 commit
-
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
12 Nov, 2018
1 commit
-
The netlink dump functionality transfers a large number of entries from the
kernel to userspace. It is rather likely that the transfer has to
interrupted and later continued. During that time, it can happen that
either new entries are added or removed. The userspace could than either
receive some entries multiple times or miss entries.Commit 670dc2833d14 ("netlink: advertise incomplete dumps") introduced a
mechanism to inform userspace about this problem. Userspace can then decide
whether it is necessary or not to retry dumping the information again.The netlink dump functions have to be switched to exclusive locks to avoid
changes while the current message is prepared. The already existing
generation sequence counter from the hash helper can be used for this
simple hash.Reported-by: Matthias Schiffer
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
06 Sep, 2018
1 commit
-
The function batadv_tt_global_orig_entry_add is responsible for adding new
tt_orig_list_entry to the orig_list. It first checks whether the entry
already is in the list or not. If it is, then the creation of a new entry
is aborted.But the lock for the list is only held when the list is really modified.
This could lead to duplicated entries because another context could create
an entry with the same key between the check and the list manipulation.The check and the manipulation of the list must therefore be in the same
locked code section.Fixes: d657e621a0f5 ("batman-adv: add reference counting for type batadv_tt_orig_list_entry")
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
23 Jun, 2018
2 commits
-
When a (broken) node wrongly sends multicast TT entries with a ROAM
flag then this causes any receiving node to drop all entries for the
same multicast MAC address announced by other nodes, leading to
packet loss.Fix this DoS vector by only storing TT sync flags. For multicast TT
non-sync'ing flag bits like ROAM are unused so far anyway.Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets")
Reported-by: Leonardo Mörlein
Signed-off-by: Linus Lüssing
Signed-off-by: Simon Wunderlich -
Since commit 54e22f265e87 ("batman-adv: fix TT sync flag inconsistencies")
TT sync flags and TT non-sync'd flags are supposed to be stored
separately.The previous patch missed to apply this separation on a TT entry with
only a single TT orig entry.This is a minor fix because with only a single TT orig entry the DDoS
issue the former patch solves does not apply.Fixes: 54e22f265e87 ("batman-adv: fix TT sync flag inconsistencies")
Signed-off-by: Linus Lüssing
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
13 May, 2018
2 commits
-
A translation table TVLV changset sent with an OGM consists
of a number of headers (one per VLAN) plus the changeset
itself (addition and/or deletion of entries).The per-VLAN headers are used by OGM recipients for consistency
checks. Said consistency check might determine that a full
translation table request is needed to restore consistency. If
the TT sender adds per-VLAN headers of empty VLANs into the OGM,
recipients are led to believe to have reached an inconsistent
state and thus request a full table update. The full table does
not contain empty VLANs (due to missing entries) the cycle
restarts when the next OGM is issued.Consequently, when the translation table TVLV headers are
composed, empty VLANs are to be excluded.Fixes: 21a57f6e7a3b ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Marek Lindner
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich -
The previous TT sync fix so far only fixed TT responses issued by the
target node directly. So far, TT responses issued by intermediate nodes
still lead to the wrong flags being added, leading to CRC mismatches.This behaviour was observed at Freifunk Hannover in a 800 nodes setup
where a considerable amount of nodes were still infected with 'WI'
TT flags even with (most) nodes having the previous TT sync fix applied.I was able to reproduce the issue with intermediate TT responses in a
four node test setup and this patch fixes this issue by ensuring to
use the per originator instead of the summarized, OR'd ones.Fixes: e9c00136a475 ("batman-adv: fix tt_global_entries flags update")
Reported-by: Leonardo Mörlein
Signed-off-by: Linus Lüssing
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
10 May, 2018
1 commit
-
The functions batadv_tt_prepare_tvlv_local_data and
batadv_tt_prepare_tvlv_global_data are responsible for preparing a buffer
which can be used to store the TVLV container for TT and add the VLAN
information to it.This will be done in three phases:
1. count the number of VLANs and their entries
2. allocate the buffer using the counters from the previous step and limits
from the caller (parameter tt_len)
3. insert the VLAN information to the bufferThe step 1 and 3 operate on a list which contains the VLANs. The access to
these lists must be protected with an appropriate lock or otherwise they
might operate on on different entries. This could for example happen when
another context is adding VLAN entries to this list.This could lead to a buffer overflow in these functions when enough entries
were added between step 1 and 3 to the VLAN lists that the buffer room for
the entries (*tt_change) is smaller then the now required extra buffer for
new VLAN entries.Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Sven Eckelmann
Acked-by: Antonio Quartulli
Signed-off-by: Simon Wunderlich
27 Feb, 2018
1 commit
-
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
22 Dec, 2017
1 commit
-
The header file is used by different userspace programs to inject packets
or to decode sniffed packets. It should therefore be available to them as
userspace header.Also other components in the kernel (like the flow dissector) require
access to the packet definitions to be able to decode ETH_P_BATMAN ethernet
packets.Signed-off-by: Sven Eckelmann
Signed-off-by: David S. Miller
16 Dec, 2017
6 commits
-
According to the kernel-doc documentation, externally visible functions
should be documented. This refers to all all non-static function which can
(and will) be used by functions in other sources files.Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich -
The documentation describing kernel-doc comments for functions ("How to
format kernel-doc comments") uses parentheses at the end of the function
name. Using this format allows to use a consistent style when adding
documentation to a function and when referencing this function in a
different kernel-doc section.Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich -
The linux/net.h provides the net_ratelimited_function. It should
therefore be included directly before it is used.Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich -
commit bc6245e5efd7 ("bug: split BUILD_BUG stuff out into
") added a new header for BUILD_BUG_ON. It should
therefore be included instead of linux/bug.hSigned-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich -
The linux/gfp.h provides the GFP_ATOMIC and GFP_KERNEL define. It should
therefore be included instead of linux/fs.h.Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich -
The "Linux kernel licensing rules" require that each file has a SPDX
license identifier as first line (and sometimes as second line).The FSFE REUSE practices [1] would also require the same tags but have no
restrictions on the placement in the source file. Using the "Linux kernel
licensing rules" is therefore also fulfilling the FSFE REUSE practices
requirements at the same time.[1] https://reuse.software/practices/
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
31 Jul, 2017
1 commit
-
This patch fixes an issue in the translation table code potentially
leading to a TT Request + Response storm. The issue may occur for nodes
involving BLA and an inconsistent configuration of the batman-adv AP
isolation feature. However, since the new multicast optimizations, a
single, malformed packet may lead to a mesh-wide, persistent
Denial-of-Service, too.The issue occurs because nodes are currently OR-ing the TT sync flags of
all originators announcing a specific MAC address via the
translation table. When an intermediate node now receives a TT Request
and wants to answer this on behalf of the destination node, then this
intermediate node now responds with an altered flag field and broken
CRC. The next OGM of the real destination will lead to a CRC mismatch
and triggering a TT Request and Response again.Furthermore, the OR-ing is currently never undone as long as at least
one originator announcing the according MAC address remains, leading to
the potential persistency of this issue.This patch fixes this issue by storing the flags used in the CRC
calculation on a a per TT orig entry basis to be able to respond with
the correct, original flags in an intermediate TT Response for one
thing. And to be able to correctly unset sync flags once all nodes
announcing a sync flag vanish for another.Fixes: e9c00136a475 ("batman-adv: fix tt_global_entries flags update")
Signed-off-by: Linus Lüssing
Acked-by: Antonio Quartulli
[sw: typo in commit message]
Signed-off-by: Simon Wunderlich
09 Jun, 2017
2 commits
-
Signed-off-by: Simon Wunderlich
Signed-off-by: Sven Eckelmann -
This change has been made for local TT already, add another one for
global TT - but only for temporary entries (aka speedy join), to prevent
inconsistencies between local and global tables in case an older
batman-adv version is still announcing those entries from its local
table.Signed-off-by: Simon Wunderlich
Signed-off-by: Sven Eckelmann
17 Mar, 2017
2 commits
-
The BATADV_PRINT_VID is not free of of possible side-effects. This can be
avoided when the the macro is converted to a simple inline function.Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich -
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
26 Jan, 2017
2 commits
-
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich -
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
07 Dec, 2016
1 commit
02 Dec, 2016
1 commit
-
batadv_tt_prepare_tvlv_local_data can fail to allocate the memory for the
new TVLV block. The caller is informed about this problem with the returned
length of 0. Not checking this value results in an invalid memory access
when either tt_data or tt_change is accessed.Reported-by: Dan Carpenter
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
09 Nov, 2016
1 commit
-
batman-adv is requiring the type of wifi device in different contexts. Some
of them can take the rtnl semaphore and some of them already have the
semaphore taken. But even others don't allow that the semaphore will be
taken.The data has to be retrieved when the hardif is added to batman-adv because
some of the wifi information for an hardif will only be available with rtnl
lock. It can then be cached in the batadv_hard_iface and the functions
is_wifi_netdev and is_cfg80211_netdev can just compare the correct bits
without imposing extra locking requirements.Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
30 Oct, 2016
1 commit
-
Instead of latching onto the OGM period, this patch introduces a worker
dedicated to multicast TT and TVLV updates.The reasoning is, that upon roaming especially the translation table
should be updated timely to minimize connectivity issues.With BATMAN V, the idea is to greatly increase the OGM interval to
reduce overhead. Unfortunately, right now this could lead to
a bad user experience if multicast traffic is involved.Therefore this patch introduces a fixed 500ms update interval for
multicast TT entries and the multicast TVLV.Signed-off-by: Linus Lüssing
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
18 Oct, 2016
1 commit
-
The variables "tt_local_entry" and "tt_global_entry" were eventually
checked again despite of a corresponding null pointer test before.* Avoid this double check by reordering a function call sequence
and the better selection of jump targets.* Omit the initialisation for these variables at the beginning then.
Signed-off-by: Markus Elfring
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
09 Aug, 2016
3 commits
-
The files provided by batman-adv via debugfs are currently converted to
netlink. Tools which are not yet converted to use the netlink interface may
still rely on the old debugfs files. But systems which already upgraded
their tools can save some space by disabling this feature. The default
configuration of batman-adv on amd64 can reduce the size of the module by
around 11% when this feature is disabled.$ size net/batman-adv/batman-adv.ko*
text data bss dec hex filename
150507 10395 4160 165062 284c6 net/batman-adv/batman-adv.ko.y
137106 7099 2112 146317 23b8d net/batman-adv/batman-adv.ko.nSigned-off-by: Sven Eckelmann
Signed-off-by: Marek Lindner
Signed-off-by: Simon Wunderlich -
It is hard to understand why the refcnt is increased when it isn't done
near the actual place the new reference is used. So using kref_get right
before the place which requires the reference and in the same function
helps to avoid accidental problems caused by incorrect reference counting.Signed-off-by: Sven Eckelmann
Signed-off-by: Marek Lindner
Signed-off-by: Simon Wunderlich -
It is hard to understand why the refcnt is increased when it isn't done
near the actual place the new reference is used. So using kref_get right
before the place which requires the reference and in the same function
helps to avoid accidental problems caused by incorrect reference counting.Signed-off-by: Sven Eckelmann
Signed-off-by: Marek Lindner
Signed-off-by: Simon Wunderlich