|
|
@@ -0,0 +1,195 @@
|
|
|
+From: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
+Date: Thu, 9 Mar 2017 19:00:12 +0100
|
|
|
+Subject: batman-adv: backport a few maint patches
|
|
|
+
|
|
|
+In particular, this fixes packages of a certain range of sizes not being
|
|
|
+transmitted correctly, leading to hanging TCP connections.
|
|
|
+
|
|
|
+diff --git a/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch b/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch
|
|
|
+new file mode 100644
|
|
|
+index 0000000000000000000000000000000000000000..4d754ecda1451b5c3e25f74da97fab18b7a93c87
|
|
|
+--- /dev/null
|
|
|
++++ b/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch
|
|
|
+@@ -0,0 +1,64 @@
|
|
|
++From bcb7b6149bd9d1f41dae01ab47e74b8a931a650f Mon Sep 17 00:00:00 2001
|
|
|
++Message-Id: <bcb7b6149bd9d1f41dae01ab47e74b8a931a650f.1489082249.git.mschiffer@universe-factory.net>
|
|
|
++From: Sven Eckelmann <sven@narfation.org>
|
|
|
++Date: Sun, 12 Feb 2017 11:26:33 +0100
|
|
|
++Subject: [PATCH] batman-adv: Fix double free during fragment merge error
|
|
|
++
|
|
|
++The function batadv_frag_skb_buffer was supposed not to consume the skbuff
|
|
|
++on errors. This was followed in the helper function
|
|
|
++batadv_frag_insert_packet when the skb would potentially be inserted in the
|
|
|
++fragment queue. But it could happen that the next helper function
|
|
|
++batadv_frag_merge_packets would try to merge the fragments and fail. This
|
|
|
++results in a kfree_skb of all the enqueued fragments (including the just
|
|
|
++inserted one). batadv_recv_frag_packet would detect the error in
|
|
|
++batadv_frag_skb_buffer and try to free the skb again.
|
|
|
++
|
|
|
++The behavior of batadv_frag_skb_buffer (and its helper
|
|
|
++batadv_frag_insert_packet) must therefore be changed to always consume the
|
|
|
++skbuff to have a common behavior and avoid the double kfree_skb.
|
|
|
++
|
|
|
++Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
|
|
|
++Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
|
|
++---
|
|
|
++ net/batman-adv/fragmentation.c | 8 +++++---
|
|
|
++ 1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
++
|
|
|
++diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
|
|
|
++index 65536db1..c3e293a3 100644
|
|
|
++--- a/net/batman-adv/fragmentation.c
|
|
|
+++++ b/net/batman-adv/fragmentation.c
|
|
|
++@@ -233,8 +233,10 @@ err_unlock:
|
|
|
++ spin_unlock_bh(&chain->lock);
|
|
|
++
|
|
|
++ err:
|
|
|
++- if (!ret)
|
|
|
+++ if (!ret) {
|
|
|
++ kfree(frag_entry_new);
|
|
|
+++ kfree_skb(skb);
|
|
|
+++ }
|
|
|
++
|
|
|
++ return ret;
|
|
|
++ }
|
|
|
++@@ -305,7 +307,7 @@ free:
|
|
|
++ *
|
|
|
++ * There are three possible outcomes: 1) Packet is merged: Return true and
|
|
|
++ * set *skb to merged packet; 2) Packet is buffered: Return true and set *skb
|
|
|
++- * to NULL; 3) Error: Return false and leave skb as is.
|
|
|
+++ * to NULL; 3) Error: Return false and free skb.
|
|
|
++ *
|
|
|
++ * Return: true when packet is merged or buffered, false when skb is not not
|
|
|
++ * used.
|
|
|
++@@ -330,9 +332,9 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
|
|
|
++ goto out_err;
|
|
|
++
|
|
|
++ out:
|
|
|
++- *skb = skb_out;
|
|
|
++ ret = true;
|
|
|
++ out_err:
|
|
|
+++ *skb = skb_out;
|
|
|
++ return ret;
|
|
|
++ }
|
|
|
++
|
|
|
++--
|
|
|
++2.12.0
|
|
|
++
|
|
|
+diff --git a/batman-adv/patches/1004-batman-adv-Keep-fragments-equally-sized.patch b/batman-adv/patches/1004-batman-adv-Keep-fragments-equally-sized.patch
|
|
|
+new file mode 100644
|
|
|
+index 0000000000000000000000000000000000000000..431c0b4a1a722c4c2ebae390bc0c90be18966023
|
|
|
+--- /dev/null
|
|
|
++++ b/batman-adv/patches/1004-batman-adv-Keep-fragments-equally-sized.patch
|
|
|
+@@ -0,0 +1,112 @@
|
|
|
++From 450247570eacc8b6cf5484fe61c50eff804c6416 Mon Sep 17 00:00:00 2001
|
|
|
++Message-Id: <450247570eacc8b6cf5484fe61c50eff804c6416.1489082253.git.mschiffer@universe-factory.net>
|
|
|
++From: Sven Eckelmann <sven@narfation.org>
|
|
|
++Date: Sat, 4 Mar 2017 17:29:25 +0100
|
|
|
++Subject: [PATCH] batman-adv: Keep fragments equally sized
|
|
|
++MIME-Version: 1.0
|
|
|
++Content-Type: text/plain; charset=UTF-8
|
|
|
++Content-Transfer-Encoding: 8bit
|
|
|
++
|
|
|
++The batman-adv fragmentation packets have the design problem that they
|
|
|
++cannot be refragmented and cannot handle padding by the underlying link.
|
|
|
++The latter often leads to problems when networks are incorrectly configured
|
|
|
++and don't use a common MTU.
|
|
|
++
|
|
|
++The sender could for example fragment a 1271 byte frame (plus external
|
|
|
++ethernet header (14) and batadv unicast header (10)) to fit in a 1280 bytes
|
|
|
++large MTU of the underlying link (max. 1294 byte frames). This would create
|
|
|
++a 1294 bytes large frame (fragment 2) and a 55 bytes large frame
|
|
|
++(fragment 1). The extra 54 bytes are the fragment header (20) added to each
|
|
|
++fragment and the external ethernet header (14) for the second fragment.
|
|
|
++
|
|
|
++Let us assume that the next hop is then not able to transport 1294 bytes to
|
|
|
++its next hop. The 1294 byte large frame will be dropped but the 55 bytes
|
|
|
++large fragment will still be forwarded to its destination.
|
|
|
++
|
|
|
++Or let us assume that the underlying hardware requires that each frame has
|
|
|
++a minimum size (e.g. 60 bytes). Then it will pad the 55 bytes frame to 60
|
|
|
++bytes. The receiver of the 60 bytes frame will no longer be able to
|
|
|
++correctly assemble the two frames together because it is not aware that 5
|
|
|
++bytes of the 60 bytes frame are padding and don't belong to the reassembled
|
|
|
++frame.
|
|
|
++
|
|
|
++This can partly be avoided by splitting frames more equally. In this
|
|
|
++example, the 675 and 674 bytes large fragment frames could both potentially
|
|
|
++reach its destination without being too large or too small.
|
|
|
++
|
|
|
++Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
|
|
|
++Fixes: db56e4ecf5c2 ("batman-adv: Fragment and send skbs larger than mtu")
|
|
|
++Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
|
|
++Acked-by: Linus Lüssing <linus.luessing@c0d3.blue>
|
|
|
++Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
|
|
|
++---
|
|
|
++ net/batman-adv/fragmentation.c | 20 +++++++++++++-------
|
|
|
++ 1 file changed, 13 insertions(+), 7 deletions(-)
|
|
|
++
|
|
|
++diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
|
|
|
++index c3e293a3..89882ed7 100644
|
|
|
++--- a/net/batman-adv/fragmentation.c
|
|
|
+++++ b/net/batman-adv/fragmentation.c
|
|
|
++@@ -396,7 +396,7 @@ out:
|
|
|
++ * batadv_frag_create - create a fragment from skb
|
|
|
++ * @skb: skb to create fragment from
|
|
|
++ * @frag_head: header to use in new fragment
|
|
|
++- * @mtu: size of new fragment
|
|
|
+++ * @fragment_size: size of new fragment
|
|
|
++ *
|
|
|
++ * Split the passed skb into two fragments: A new one with size matching the
|
|
|
++ * passed mtu and the old one with the rest. The new skb contains data from the
|
|
|
++@@ -406,11 +406,11 @@ out:
|
|
|
++ */
|
|
|
++ static struct sk_buff *batadv_frag_create(struct sk_buff *skb,
|
|
|
++ struct batadv_frag_packet *frag_head,
|
|
|
++- unsigned int mtu)
|
|
|
+++ unsigned int fragment_size)
|
|
|
++ {
|
|
|
++ struct sk_buff *skb_fragment;
|
|
|
++ unsigned int header_size = sizeof(*frag_head);
|
|
|
++- unsigned int fragment_size = mtu - header_size;
|
|
|
+++ unsigned int mtu = fragment_size + header_size;
|
|
|
++
|
|
|
++ skb_fragment = netdev_alloc_skb(NULL, mtu + ETH_HLEN);
|
|
|
++ if (!skb_fragment)
|
|
|
++@@ -448,7 +448,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
|
|
|
++ struct sk_buff *skb_fragment;
|
|
|
++ unsigned int mtu = neigh_node->if_incoming->net_dev->mtu;
|
|
|
++ unsigned int header_size = sizeof(frag_header);
|
|
|
++- unsigned int max_fragment_size, max_packet_size;
|
|
|
+++ unsigned int max_fragment_size, num_fragments;
|
|
|
++ bool ret = false;
|
|
|
++
|
|
|
++ /* To avoid merge and refragmentation at next-hops we never send
|
|
|
++@@ -456,10 +456,15 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
|
|
|
++ */
|
|
|
++ mtu = min_t(unsigned int, mtu, BATADV_FRAG_MAX_FRAG_SIZE);
|
|
|
++ max_fragment_size = mtu - header_size;
|
|
|
++- max_packet_size = max_fragment_size * BATADV_FRAG_MAX_FRAGMENTS;
|
|
|
+++
|
|
|
+++ if (skb->len == 0 || max_fragment_size == 0)
|
|
|
+++ return -EINVAL;
|
|
|
+++
|
|
|
+++ num_fragments = (skb->len - 1) / max_fragment_size + 1;
|
|
|
+++ max_fragment_size = (skb->len - 1) / num_fragments + 1;
|
|
|
++
|
|
|
++ /* Don't even try to fragment, if we need more than 16 fragments */
|
|
|
++- if (skb->len > max_packet_size)
|
|
|
+++ if (num_fragments > BATADV_FRAG_MAX_FRAGMENTS)
|
|
|
++ goto out_err;
|
|
|
++
|
|
|
++ bat_priv = orig_node->bat_priv;
|
|
|
++@@ -480,7 +485,8 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
|
|
|
++
|
|
|
++ /* Eat and send fragments from the tail of skb */
|
|
|
++ while (skb->len > max_fragment_size) {
|
|
|
++- skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
|
|
|
+++ skb_fragment = batadv_frag_create(skb, &frag_header,
|
|
|
+++ max_fragment_size);
|
|
|
++ if (!skb_fragment)
|
|
|
++ goto out_err;
|
|
|
++
|
|
|
++--
|
|
|
++2.12.0
|
|
|
++
|
Matthias Schiffer