1. 29 6月, 2016 1 次提交
    • S
      batman-adv: Fix use-after-free/double-free of tt_req_node · 9c4604a2
      Sven Eckelmann 提交于
      The tt_req_node is added and removed from a list inside a spinlock. But the
      locking is sometimes removed even when the object is still referenced and
      will be used later via this reference. For example batadv_send_tt_request
      can create a new tt_req_node (including add to a list) and later
      re-acquires the lock to remove it from the list and to free it. But at this
      time another context could have already removed this tt_req_node from the
      list and freed it.
      
      CPU#0
      
          batadv_batman_skb_recv from net_device 0
          -> batadv_iv_ogm_receive
            -> batadv_iv_ogm_process
              -> batadv_iv_ogm_process_per_outif
                -> batadv_tvlv_ogm_receive
                  -> batadv_tvlv_ogm_receive
                    -> batadv_tvlv_containers_process
                      -> batadv_tvlv_call_handler
                        -> batadv_tt_tvlv_ogm_handler_v1
                          -> batadv_tt_update_orig
                            -> batadv_send_tt_request
                              -> batadv_tt_req_node_new
                                 spin_lock(...)
                                 allocates new tt_req_node and adds it to list
                                 spin_unlock(...)
                                 return tt_req_node
      
      CPU#1
      
          batadv_batman_skb_recv from net_device 1
          -> batadv_recv_unicast_tvlv
            -> batadv_tvlv_containers_process
              -> batadv_tvlv_call_handler
                -> batadv_tt_tvlv_unicast_handler_v1
                  -> batadv_handle_tt_response
                     spin_lock(...)
                     tt_req_node gets removed from list and is freed
                     spin_unlock(...)
      
      CPU#0
      
                            <- returned to batadv_send_tt_request
                               spin_lock(...)
                               tt_req_node gets removed from list and is freed
                               MEMORY CORRUPTION/SEGFAULT/...
                               spin_unlock(...)
      
      This can only be solved via reference counting to allow multiple contexts
      to handle the list manipulation while making sure that only the last
      context holding a reference will free the object.
      
      Fixes: a73105b8 ("batman-adv: improved client announcement mechanism")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Tested-by: NMartin Weinelt <martin@darmstadt.freifunk.net>
      Tested-by: NAmadeus Alfa <amadeus@chemnitz.freifunk.net>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9c4604a2
  2. 10 5月, 2016 1 次提交
    • S
      batman-adv: add detection for complex bridge loops · cd9c7bfb
      Simon Wunderlich 提交于
      There are network setups where the current bridge loop avoidance can't
      detect bridge loops. The minimal setup affected would consist of two
      LANs and two separate meshes, connected in a ring like that:
      
         A...(mesh1)...B
         |             |
       (LAN1)        (LAN2)
         |             |
         C...(mesh2)...D
      
      Since both the meshes and backbones are separate, the bridge loop
      avoidance has not enough information to detect and avoid the loop
      in this case. Even if these scenarios can't be fixed easily,
      these kind of loops can be detected.
      
      This patch implements a periodic check (running every 60 seconds for
      now) which sends a broadcast frame with a random MAC address on
      each backbone VLAN. If a broadcast frame with the same MAC address
      is received shortly after on the mesh, we know that there must be a
      loop and report that incident as well as throw an uevent to let others
      handle that problem.
      Signed-off-by: NSimon Wunderlich <simon.wunderlich@open-mesh.com>
      [sven@narfation.org: fix conflicts with current version]
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NAntonio Quartulli <a@unstable.cc>
      cd9c7bfb
  3. 29 4月, 2016 3 次提交
    • S
      batman-adv: Fix reference counting of hardif_neigh_node object for neigh_node · abe59c65
      Sven Eckelmann 提交于
      The batadv_neigh_node was specific to a batadv_hardif_neigh_node and held
      an implicit reference to it. But this reference was never stored in form of
      a pointer in the batadv_neigh_node itself. Instead
      batadv_neigh_node_release depends on a consistent state of
      hard_iface->neigh_list and that batadv_hardif_neigh_get always returns the
      batadv_hardif_neigh_node object which it has a reference for. But
      batadv_hardif_neigh_get cannot guarantee that because it is working only
      with rcu_read_lock on this list. It can therefore happen that a neigh_addr
      is in this list twice or that batadv_hardif_neigh_get cannot find the
      batadv_hardif_neigh_node for an neigh_addr due to some other list
      operations taking place at the same time.
      
      Instead add a batadv_hardif_neigh_node pointer directly in
      batadv_neigh_node which will be used for the reference counter decremented
      on release of batadv_neigh_node.
      
      Fixes: cef63419 ("batman-adv: add list of unique single hop neighbors per hard-interface")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NAntonio Quartulli <a@unstable.cc>
      abe59c65
    • S
      batman-adv: Fix reference counting of vlan object for tt_local_entry · a33d970d
      Sven Eckelmann 提交于
      The batadv_tt_local_entry was specific to a batadv_softif_vlan and held an
      implicit reference to it. But this reference was never stored in form of a
      pointer in the tt_local_entry itself. Instead batadv_tt_local_remove,
      batadv_tt_local_table_free and batadv_tt_local_purge_pending_clients depend
      on a consistent state of bat_priv->softif_vlan_list and that
      batadv_softif_vlan_get always returns the batadv_softif_vlan object which
      it has a reference for. But batadv_softif_vlan_get cannot guarantee that
      because it is working only with rcu_read_lock on this list. It can
      therefore happen that an vid is in this list twice or that
      batadv_softif_vlan_get cannot find the batadv_softif_vlan for an vid due to
      some other list operations taking place at the same time.
      
      Instead add a batadv_softif_vlan pointer directly in batadv_tt_local_entry
      which will be used for the reference counter decremented on release of
      batadv_tt_local_entry.
      
      Fixes: 35df3b29 ("batman-adv: fix TT VLAN inconsistency on VLAN re-add")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Acked-by: NAntonio Quartulli <a@unstable.cc>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NAntonio Quartulli <a@unstable.cc>
      a33d970d
    • A
      batman-adv: B.A.T.M.A.N V - make sure iface is reactivated upon NETDEV_UP event · b6cf5d49
      Antonio Quartulli 提交于
      At the moment there is no explicit reactivation of an hard-interface
      upon NETDEV_UP event. In case of B.A.T.M.A.N. IV the interface is
      reactivated as soon as the next OGM is scheduled for sending, but this
      mechanism does not work with B.A.T.M.A.N. V. The latter does not rely
      on the same scheduling mechanism as its predecessor and for this reason
      the hard-interface remains deactivated forever after being brought down
      once.
      
      This patch fixes the reactivation mechanism by adding a new routing API
      which explicitly allows each algorithm to perform any needed operation
      upon interface re-activation.
      
      Such API is optional and is implemented by B.A.T.M.A.N. V only and it
      just takes care of setting the iface status to ACTIVE
      Signed-off-by: NAntonio Quartulli <a@unstable.cc>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      b6cf5d49
  4. 29 2月, 2016 7 次提交
    • A
      batman-adv: ELP - compute the metric based on the estimated throughput · c833484e
      Antonio Quartulli 提交于
      In case of wireless interface retrieve the throughput by
      querying cfg80211. To perform this call a separate work
      must be scheduled because the function may sleep and this
      is not allowed within an RCU protected context (RCU in this
      case is used to iterate over all the neighbours).
      
      Use ethtool to retrieve information about an Ethernet link
      like HALF/FULL_DUPLEX and advertised bandwidth (e.g.
      100/10Mbps).
      
      The metric is updated each time a new ELP packet is sent,
      this way it is possible to timely react to a metric
      variation which can imply (for example) a neighbour
      disconnection.
      Signed-off-by: NAntonio Quartulli <antonio@open-mesh.com>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      c833484e
    • A
      batman-adv: keep track of when unicast packets are sent · 95d39278
      Antonio Quartulli 提交于
      To enable ELP to send probing packets over wireless links
      only if needed, batman-adv must keep track of the last time
      it sent a unicast packet towards every neighbour.
      
      For this purpose a 2 main changes are introduced:
      1) a new member of the elp_neigh_node structure stores the
         last time a unicast packet was sent towards this neighbour;
      2) a wrapper function for sending unicast packets is
         implemented. This function will simply update the member
         describe din point 1) and then forward the packet to the
         real sending routine.
      
      Point 2) implies that any code-path leading to a unicast
      sending now has to use the new wrapper.
      Signed-off-by: NAntonio Quartulli <antonio@open-mesh.com>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      95d39278
    • A
      batman-adv: add throughput override attribute to hard_ifaces · 0b5ecc68
      Antonio Quartulli 提交于
      This attribute is exported to user space to disable the link
      throughput auto-detection by setting a fixed value.
      The throughput override value is used when batman-adv is
      computing the link throughput towards a neighbour.
      
      If the value is set to 0 then batman-adv will try to detect
      the throughput by itself.
      Signed-off-by: NAntonio Quartulli <antonio@open-mesh.com>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      0b5ecc68
    • A
      batman-adv: OGMv2 - implement originators logic · 9323158e
      Antonio Quartulli 提交于
      Add the support for recognising new originators in the
      network and rebroadcast their OGMs.
      Signed-off-by: NAntonio Quartulli <antonio@open-mesh.com>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      9323158e
    • A
      batman-adv: OGMv2 - add basic infrastructure · 0da00359
      Antonio Quartulli 提交于
      This is the initial implementation of the new OGM protocol
      (version 2). It has been designed to work on top of the
      newly added ELP.
      
      In the previous version the OGM protocol was used to both
      measure link qualities and flood the network with the metric
      information. In this version the protocol is in charge of
      the latter task only, leaving the former to ELP.
      
      This means being able to decouple the interval used by the
      neighbor discovery from the OGM broadcasting, which revealed
      to be costly in dense networks and needed to be relaxed so
      leading to a less responsive routing protocol.
      Signed-off-by: NAntonio Quartulli <antonio@open-mesh.com>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      0da00359
    • L
      batman-adv: ELP - creating neighbor structures · 162bd64c
      Linus Luessing 提交于
      Initially developed by Linus during a 6 months trainee study
      period in Ascom (Switzerland) AG.
      Signed-off-by: NLinus Luessing <linus.luessing@web.de>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NAntonio Quartulli <antonio@open-mesh.com>
      162bd64c
    • L
      batman-adv: ELP - adding basic infrastructure · d6f94d91
      Linus Luessing 提交于
      The B.A.T.M.A.N. protocol originally only used a single
      message type (called OGM) to determine the link qualities to
      the direct neighbors and spreading these link quality
      information through the whole mesh. This procedure is
      summarized on the BATMAN concept page and explained in
      details in the RFC draft published in 2008.
      
      This approach was chosen for its simplicity during the
      protocol design phase and the implementation. However, it
      also bears some drawbacks:
      
       *  Wireless interfaces usually come with some packet loss,
          therefore a higher broadcast rate is desirable to allow
          a fast reaction on flaky connections.
          Other interfaces of the same host might be connected to
          Ethernet LANs / VPNs / etc which rarely exhibit packet
          loss would benefit from a lower broadcast rate to reduce
          overhead.
       *  It generally is more desirable to detect local link
          quality changes at a faster rate than propagating all
          these changes through the entire mesh (the far end of
          the mesh does not need to care about local link quality
          changes that much). Other optimizations strategies, like
          reducing overhead, might be possible if OGMs weren't
          used for all tasks in the mesh at the same time.
      
      As a result detecting local link qualities shall be handled
      by an independent message type, ELP, whereas the OGM message
      type remains responsible for flooding the mesh with these
      link quality information and determining the overall path
      transmit qualities.
      
      Developed by Linus during a 6 months trainee study period in
      Ascom (Switzerland) AG.
      Signed-off-by: NLinus Luessing <linus.luessing@web.de>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NAntonio Quartulli <antonio@open-mesh.com>
      d6f94d91
  5. 10 2月, 2016 18 次提交
  6. 02 2月, 2016 4 次提交
  7. 09 1月, 2016 4 次提交
  8. 16 12月, 2015 2 次提交