From d452a7c2cf1c0da4e034666a50dc0e7aa9ddc592 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Tue, 28 Mar 2017 14:41:09 +0200
Subject: [PATCH] batman-adv: fix broken double-free backport leading to frequent crashes
---
 ...ble-free-during-fragment-merge-error.patch | 51 ++++++++++++
 ...an-adv-Keep-fragments-equally-sized.patch} | 77 +------------------
 2 files changed, 53 insertions(+), 75 deletions(-)
 create mode 100644 patches/packages/routing/0004-batman-adv-Fix-double-free-during-fragment-merge-error.patch
 rename patches/packages/routing/{0004-batman-adv-backport-a-few-maint-patches.patch => 0005-batman-adv-Keep-fragments-equally-sized.patch} (64%)
diff --git a/patches/packages/routing/0004-batman-adv-Fix-double-free-during-fragment-merge-error.patch b/patches/packages/routing/0004-batman-adv-Fix-double-free-during-fragment-merge-error.patch
new file mode 100644
index 00000000..d3969711
--- /dev/null
+++ b/patches/packages/routing/0004-batman-adv-Fix-double-free-during-fragment-merge-error.patch
@@ -0,0 +1,51 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 28 Mar 2017 14:39:48 +0200
+Subject: batman-adv: Fix double free during fragment merge error
+
+diff --git a/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch b/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..42748aac79d082e67a8552690b3aa6e7f5ec7d12
+--- /dev/null
++++ b/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch
+@@ -0,0 +1,41 @@
++From ee1415285ddb56a3c15b5b70d7b403637486382c Mon Sep 17 00:00:00 2001
++Message-Id: <ee1415285ddb56a3c15b5b70d7b403637486382c.1490704674.git.mschiffer@universe-factory.net>
++From: Matthias Schiffer <mschiffer@universe-factory.net>
++Date: Tue, 28 Mar 2017 14:35:12 +0200
++Subject: [PATCH] batman-adv: Fix double free during fragment merge error
++
++The function batadv_frag_skb_buffer was supposed not to consume the skbuff
++on errors. This was followed in the helper function
++batadv_frag_insert_packet when the skb would potentially be inserted in the
++fragment queue. But it could happen that the next helper function
++batadv_frag_merge_packets would try to merge the fragments and fail. This
++results in a kfree_skb of all the enqueued fragments (including the just
++inserted one). batadv_recv_frag_packet would detect the error in
++batadv_frag_skb_buffer and try to free the skb again.
++
++The behavior of batadv_frag_skb_buffer must therefore be changed to return
++true when batadv_frag_merge_packets fails.
++
++Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
++Signed-off-by: Sven Eckelmann <sven@narfation.org>
++[Matthias Schiffer: backport to batman-adv 2016.2]
++---
++ net/batman-adv/fragmentation.c | 2 --
++ 1 file changed, 2 deletions(-)
++
++diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
++index 65536db1..21e5b79f 100644
++--- a/net/batman-adv/fragmentation.c
+++++ b/net/batman-adv/fragmentation.c
++@@ -326,8 +326,6 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
++ goto out;
++
++ skb_out = batadv_frag_merge_packets(&head);
++- if (!skb_out)
++- goto out_err;
++
++ out:
++ *skb = skb_out;
++--
++2.12.1
++
diff --git a/patches/packages/routing/0004-batman-adv-backport-a-few-maint-patches.patch b/patches/packages/routing/0005-batman-adv-Keep-fragments-equally-sized.patch
similarity index 64%
rename from patches/packages/routing/0004-batman-adv-backport-a-few-maint-patches.patch
rename to patches/packages/routing/0005-batman-adv-Keep-fragments-equally-sized.patch
index 9b8a0223..f6055234 100644
--- a/patches/packages/routing/0004-batman-adv-backport-a-few-maint-patches.patch
+++ b/patches/packages/routing/0005-batman-adv-Keep-fragments-equally-sized.patch
@@ -1,80 +1,7 @@
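Review bot: Dropping `if (!skb_out) goto out_err;` makes a failed batadv_frag_merge_packets() fall through to `out:` and return true with `*skb = NULL`, which is indistinguishable from the buffered case, yet the kernel-doc of batadv_frag_skb_buffer (visible as context in the removed 1003 patch further down, `3) Error: Return false and leave skb as is`) is not touched by the new patch, so a reader of the function still expects merge failures to come back as false. I would add a comment on the `skb_out = batadv_frag_merge_packets(&head);` line, e.g. `/* A failed merge has already freed the whole chain, including *skb; report it like a buffered packet (true, *skb = NULL) so the caller does not free it again. */`, and amend the outcome list in the kernel-doc to say that a merge failure is reported as buffered. That the merge helper frees the chain on failure is taken from the commit message rather than from any line in this hunk, so it is worth confirming against batadv_frag_merge_packets before relying on it. The body of batadv_frag_skb_buffer begins before and ends after this hunk, including the `out_err:` label the removed goto targeted.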
 From: Matthias Schiffer <mschiffer@universe-factory.net>
-Date: Thu, 9 Mar 2017 19:00:12 +0100
-Subject: batman-adv: backport a few maint patches
+Date: Tue, 28 Mar 2017 14:40:20 +0200
+Subject: batman-adv: Keep fragments equally sized
-In particular, this fixes packages of a certain range of sizes not being
-transmitted correctly, leading to hanging TCP connections.
-
-diff --git a/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch b/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch
-new file mode 100644
-index 0000000000000000000000000000000000000000..4d754ecda1451b5c3e25f74da97fab18b7a93c87
---- /dev/null
-+++ b/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch
-@@ -0,0 +1,64 @@
-+From bcb7b6149bd9d1f41dae01ab47e74b8a931a650f Mon Sep 17 00:00:00 2001
-+Message-Id: <bcb7b6149bd9d1f41dae01ab47e74b8a931a650f.1489082249.git.mschiffer@universe-factory.net>
-+From: Sven Eckelmann <sven@narfation.org>
-+Date: Sun, 12 Feb 2017 11:26:33 +0100
-+Subject: [PATCH] batman-adv: Fix double free during fragment merge error
-+
-+The function batadv_frag_skb_buffer was supposed not to consume the skbuff
-+on errors. This was followed in the helper function
-+batadv_frag_insert_packet when the skb would potentially be inserted in the
-+fragment queue. But it could happen that the next helper function
-+batadv_frag_merge_packets would try to merge the fragments and fail. This
-+results in a kfree_skb of all the enqueued fragments (including the just
-+inserted one). batadv_recv_frag_packet would detect the error in
-+batadv_frag_skb_buffer and try to free the skb again.
-+
-+The behavior of batadv_frag_skb_buffer (and its helper
-+batadv_frag_insert_packet) must therefore be changed to always consume the
-+skbuff to have a common behavior and avoid the double kfree_skb.
-+
-+Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
-+Signed-off-by: Sven Eckelmann <sven@narfation.org>
-+---
-+ net/batman-adv/fragmentation.c | 8 +++++---
-+ 1 file changed, 5 insertions(+), 3 deletions(-)
-+
-+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
-+index 65536db1..c3e293a3 100644
-+--- a/net/batman-adv/fragmentation.c
-++++ b/net/batman-adv/fragmentation.c
-+@@ -233,8 +233,10 @@ err_unlock:
-+ spin_unlock_bh(&chain->lock);
-+
-+ err:
-+- if (!ret)
-++ if (!ret) {
-+ kfree(frag_entry_new);
-++ kfree_skb(skb);
-++ }
-+
-+ return ret;
-+ }
-+@@ -305,7 +307,7 @@ free:
-+ *
-+ * There are three possible outcomes: 1) Packet is merged: Return true and
-+ * set *skb to merged packet; 2) Packet is buffered: Return true and set *skb
-+- * to NULL; 3) Error: Return false and leave skb as is.
-++ * to NULL; 3) Error: Return false and free skb.
-+ *
-+ * Return: true when packet is merged or buffered, false when skb is not not
-+ * used.
-+@@ -330,9 +332,9 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
-+ goto out_err;
-+
-+ out:
-+- *skb = skb_out;
-+ ret = true;
-+ out_err:
-++ *skb = skb_out;
-+ return ret;
-+ }
-+
-+--
-+2.12.0
-+
 diff --git a/batman-adv/patches/1004-batman-adv-Keep-fragments-equally-sized.patch b/batman-adv/patches/1004-batman-adv-Keep-fragments-equally-sized.patch
 new file mode 100644
 index 0000000000000000000000000000000000000000..431c0b4a1a722c4c2ebae390bc0c90be18966023
-- GitLab