b7eeef9b04
In particular, this fixes packages of a certain range of sizes not being transmitted correctly, leading to hanging TCP connections.
196 lines
8.0 KiB
Diff
196 lines
8.0 KiB
Diff
From: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
Date: Thu, 9 Mar 2017 19:00:12 +0100
|
|
Subject: batman-adv: backport a few maint patches
|
|
|
|
In particular, this fixes packages of a certain range of sizes not being
|
|
transmitted correctly, leading to hanging TCP connections.
|
|
|
|
diff --git a/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch b/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch
|
|
new file mode 100644
|
|
index 0000000000000000000000000000000000000000..4d754ecda1451b5c3e25f74da97fab18b7a93c87
|
|
--- /dev/null
|
|
+++ b/batman-adv/patches/1003-batman-adv-Fix-double-free-during-fragment-merge-err.patch
|
|
@@ -0,0 +1,64 @@
|
|
+From bcb7b6149bd9d1f41dae01ab47e74b8a931a650f Mon Sep 17 00:00:00 2001
|
|
+Message-Id: <bcb7b6149bd9d1f41dae01ab47e74b8a931a650f.1489082249.git.mschiffer@universe-factory.net>
|
|
+From: Sven Eckelmann <sven@narfation.org>
|
|
+Date: Sun, 12 Feb 2017 11:26:33 +0100
|
|
+Subject: [PATCH] batman-adv: Fix double free during fragment merge error
|
|
+
|
|
+The function batadv_frag_skb_buffer was supposed not to consume the skbuff
|
|
+on errors. This was followed in the helper function
|
|
+batadv_frag_insert_packet when the skb would potentially be inserted in the
|
|
+fragment queue. But it could happen that the next helper function
|
|
+batadv_frag_merge_packets would try to merge the fragments and fail. This
|
|
+results in a kfree_skb of all the enqueued fragments (including the just
|
|
+inserted one). batadv_recv_frag_packet would detect the error in
|
|
+batadv_frag_skb_buffer and try to free the skb again.
|
|
+
|
|
+The behavior of batadv_frag_skb_buffer (and its helper
|
|
+batadv_frag_insert_packet) must therefore be changed to always consume the
|
|
+skbuff to have a common behavior and avoid the double kfree_skb.
|
|
+
|
|
+Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
|
|
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
|
+---
|
|
+ net/batman-adv/fragmentation.c | 8 +++++---
|
|
+ 1 file changed, 5 insertions(+), 3 deletions(-)
|
|
+
|
|
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
|
|
+index 65536db1..c3e293a3 100644
|
|
+--- a/net/batman-adv/fragmentation.c
|
|
++++ b/net/batman-adv/fragmentation.c
|
|
+@@ -233,8 +233,10 @@ err_unlock:
|
|
+ spin_unlock_bh(&chain->lock);
|
|
+
|
|
+ err:
|
|
+- if (!ret)
|
|
++ if (!ret) {
|
|
+ kfree(frag_entry_new);
|
|
++ kfree_skb(skb);
|
|
++ }
|
|
+
|
|
+ return ret;
|
|
+ }
|
|
+@@ -305,7 +307,7 @@ free:
|
|
+ *
|
|
+ * There are three possible outcomes: 1) Packet is merged: Return true and
|
|
+ * set *skb to merged packet; 2) Packet is buffered: Return true and set *skb
|
|
+- * to NULL; 3) Error: Return false and leave skb as is.
|
|
++ * to NULL; 3) Error: Return false and free skb.
|
|
+ *
|
|
+ * Return: true when packet is merged or buffered, false when skb is not not
|
|
+ * used.
|
|
+@@ -330,9 +332,9 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
|
|
+ goto out_err;
|
|
+
|
|
+ out:
|
|
+- *skb = skb_out;
|
|
+ ret = true;
|
|
+ out_err:
|
|
++ *skb = skb_out;
|
|
+ return ret;
|
|
+ }
|
|
+
|
|
+--
|
|
+2.12.0
|
|
+
|
|
diff --git a/batman-adv/patches/1004-batman-adv-Keep-fragments-equally-sized.patch b/batman-adv/patches/1004-batman-adv-Keep-fragments-equally-sized.patch
|
|
new file mode 100644
|
|
index 0000000000000000000000000000000000000000..431c0b4a1a722c4c2ebae390bc0c90be18966023
|
|
--- /dev/null
|
|
+++ b/batman-adv/patches/1004-batman-adv-Keep-fragments-equally-sized.patch
|
|
@@ -0,0 +1,112 @@
|
|
+From 450247570eacc8b6cf5484fe61c50eff804c6416 Mon Sep 17 00:00:00 2001
|
|
+Message-Id: <450247570eacc8b6cf5484fe61c50eff804c6416.1489082253.git.mschiffer@universe-factory.net>
|
|
+From: Sven Eckelmann <sven@narfation.org>
|
|
+Date: Sat, 4 Mar 2017 17:29:25 +0100
|
|
+Subject: [PATCH] batman-adv: Keep fragments equally sized
|
|
+MIME-Version: 1.0
|
|
+Content-Type: text/plain; charset=UTF-8
|
|
+Content-Transfer-Encoding: 8bit
|
|
+
|
|
+The batman-adv fragmentation packets have the design problem that they
|
|
+cannot be refragmented and cannot handle padding by the underlying link.
|
|
+The latter often leads to problems when networks are incorrectly configured
|
|
+and don't use a common MTU.
|
|
+
|
|
+The sender could for example fragment a 1271 byte frame (plus external
|
|
+ethernet header (14) and batadv unicast header (10)) to fit in a 1280 bytes
|
|
+large MTU of the underlying link (max. 1294 byte frames). This would create
|
|
+a 1294 bytes large frame (fragment 2) and a 55 bytes large frame
|
|
+(fragment 1). The extra 54 bytes are the fragment header (20) added to each
|
|
+fragment and the external ethernet header (14) for the second fragment.
|
|
+
|
|
+Let us assume that the next hop is then not able to transport 1294 bytes to
|
|
+its next hop. The 1294 byte large frame will be dropped but the 55 bytes
|
|
+large fragment will still be forwarded to its destination.
|
|
+
|
|
+Or let us assume that the underlying hardware requires that each frame has
|
|
+a minimum size (e.g. 60 bytes). Then it will pad the 55 bytes frame to 60
|
|
+bytes. The receiver of the 60 bytes frame will no longer be able to
|
|
+correctly assemble the two frames together because it is not aware that 5
|
|
+bytes of the 60 bytes frame are padding and don't belong to the reassembled
|
|
+frame.
|
|
+
|
|
+This can partly be avoided by splitting frames more equally. In this
|
|
+example, the 675 and 674 bytes large fragment frames could both potentially
|
|
+reach its destination without being too large or too small.
|
|
+
|
|
+Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
|
|
+Fixes: db56e4ecf5c2 ("batman-adv: Fragment and send skbs larger than mtu")
|
|
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
|
+Acked-by: Linus Lüssing <linus.luessing@c0d3.blue>
|
|
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
|
|
+---
|
|
+ net/batman-adv/fragmentation.c | 20 +++++++++++++-------
|
|
+ 1 file changed, 13 insertions(+), 7 deletions(-)
|
|
+
|
|
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
|
|
+index c3e293a3..89882ed7 100644
|
|
+--- a/net/batman-adv/fragmentation.c
|
|
++++ b/net/batman-adv/fragmentation.c
|
|
+@@ -396,7 +396,7 @@ out:
|
|
+ * batadv_frag_create - create a fragment from skb
|
|
+ * @skb: skb to create fragment from
|
|
+ * @frag_head: header to use in new fragment
|
|
+- * @mtu: size of new fragment
|
|
++ * @fragment_size: size of new fragment
|
|
+ *
|
|
+ * Split the passed skb into two fragments: A new one with size matching the
|
|
+ * passed mtu and the old one with the rest. The new skb contains data from the
|
|
+@@ -406,11 +406,11 @@ out:
|
|
+ */
|
|
+ static struct sk_buff *batadv_frag_create(struct sk_buff *skb,
|
|
+ struct batadv_frag_packet *frag_head,
|
|
+- unsigned int mtu)
|
|
++ unsigned int fragment_size)
|
|
+ {
|
|
+ struct sk_buff *skb_fragment;
|
|
+ unsigned int header_size = sizeof(*frag_head);
|
|
+- unsigned int fragment_size = mtu - header_size;
|
|
++ unsigned int mtu = fragment_size + header_size;
|
|
+
|
|
+ skb_fragment = netdev_alloc_skb(NULL, mtu + ETH_HLEN);
|
|
+ if (!skb_fragment)
|
|
+@@ -448,7 +448,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
|
|
+ struct sk_buff *skb_fragment;
|
|
+ unsigned int mtu = neigh_node->if_incoming->net_dev->mtu;
|
|
+ unsigned int header_size = sizeof(frag_header);
|
|
+- unsigned int max_fragment_size, max_packet_size;
|
|
++ unsigned int max_fragment_size, num_fragments;
|
|
+ bool ret = false;
|
|
+
|
|
+ /* To avoid merge and refragmentation at next-hops we never send
|
|
+@@ -456,10 +456,15 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
|
|
+ */
|
|
+ mtu = min_t(unsigned int, mtu, BATADV_FRAG_MAX_FRAG_SIZE);
|
|
+ max_fragment_size = mtu - header_size;
|
|
+- max_packet_size = max_fragment_size * BATADV_FRAG_MAX_FRAGMENTS;
|
|
++
|
|
++ if (skb->len == 0 || max_fragment_size == 0)
|
|
++ return -EINVAL;
|
|
++
|
|
++ num_fragments = (skb->len - 1) / max_fragment_size + 1;
|
|
++ max_fragment_size = (skb->len - 1) / num_fragments + 1;
|
|
+
|
|
+ /* Don't even try to fragment, if we need more than 16 fragments */
|
|
+- if (skb->len > max_packet_size)
|
|
++ if (num_fragments > BATADV_FRAG_MAX_FRAGMENTS)
|
|
+ goto out_err;
|
|
+
|
|
+ bat_priv = orig_node->bat_priv;
|
|
+@@ -480,7 +485,8 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
|
|
+
|
|
+ /* Eat and send fragments from the tail of skb */
|
|
+ while (skb->len > max_fragment_size) {
|
|
+- skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
|
|
++ skb_fragment = batadv_frag_create(skb, &frag_header,
|
|
++ max_fragment_size);
|
|
+ if (!skb_fragment)
|
|
+ goto out_err;
|
|
+
|
|
+--
|
|
+2.12.0
|
|
+
|