batman-adv: Merge bugfixes from 2018.4

* Use explicit tvlv padding for ELP packets
* Expand merged fragment buffer for full packet

Signed-off-by: Sven Eckelmann <sven@narfation.org>

batman-adv/Makefile

@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=batman-adv
 
 PKG_VERSION:=2018.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_HASH:=b866b28dbbe5c9238abbdf5abbc30fc526dea56898ce4c1bd76d5c017843048b
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz

batman-adv/patches/0022-batman-adv-Use-explicit-tvlv-padding-for-ELP-packets.patch

@@ -0,0 +1,55 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Tue, 30 Oct 2018 12:17:10 +0100
+Subject: [PATCH] batman-adv: Use explicit tvlv padding for ELP packets
+
+The announcement messages of batman-adv COMPAT_VERSION 15 have the
+possibility to announce additional information via a dynamic TVLV part.
+This part is optional for the ELP packets and currently not parsed by the
+Linux implementation. Still out-of-tree versions are using it to transport
+things like neighbor hashes to optimize the rebroadcast behavior.
+
+Since the ELP broadcast packets are smaller than the minimal ethernet
+packet, it often has to be padded. This is often done (as specified in
+RFC894) with octets of zero and thus work perfectly fine with the TVLV
+part (making it a zero length and thus empty). But not all ethernet
+compatible hardware seems to follow this advice. To avoid ambiguous
+situations when parsing the TVLV header, just force the 4 bytes (TVLV
+length + padding) after the required ELP header to zero.
+
+Fixes: a4b88af77e28 ("batman-adv: ELP - adding basic infrastructure")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/974337ee9773c4bd0a2d5c322306cf2bea445e11
+---
+ net/batman-adv/bat_v_elp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index 83b46654449df72ceda6ca3177f72e7faf0603ab..9aa3c7b2e9bad6c50b2939b6dbf5a9a2e713b93b 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -339,19 +339,21 @@ static void batadv_v_elp_periodic_work(struct work_struct *work)
+  */
+ int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface)
+ {
++	static const size_t tvlv_padding = sizeof(__be32);
+ 	struct batadv_elp_packet *elp_packet;
+ 	unsigned char *elp_buff;
+ 	u32 random_seqno;
+ 	size_t size;
+ 	int res = -ENOMEM;
+
+-	size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN;
++	size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN + tvlv_padding;
+ 	hard_iface->bat_v.elp_skb = dev_alloc_skb(size);
+ 	if (!hard_iface->bat_v.elp_skb)
+ 		goto out;
+
+ 	skb_reserve(hard_iface->bat_v.elp_skb, ETH_HLEN + NET_IP_ALIGN);
+-	elp_buff = skb_put_zero(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
++	elp_buff = skb_put_zero(hard_iface->bat_v.elp_skb,
++				BATADV_ELP_HLEN + tvlv_padding);
+ 	elp_packet = (struct batadv_elp_packet *)elp_buff;
+
+ 	elp_packet->packet_type = BATADV_ELP;

batman-adv/patches/0023-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch

@@ -0,0 +1,44 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 7 Nov 2018 23:09:12 +0100
+Subject: [PATCH] batman-adv: Expand merged fragment buffer for full packet
+
+The complete size ("total_size") of the fragmented packet is stored in the
+fragment header and in the size of the fragment chain. When the fragments
+are ready for merge, the skbuff's tail of the first fragment is expanded to
+have enough room after the data pointer for at least total_size. This means
+that it gets expanded by total_size - first_skb->len.
+
+But this is ignoring the fact that after expanding the buffer, the fragment
+header is pulled by from this buffer. Assuming that the tailroom of the
+buffer was already 0, the buffer after the data pointer of the skbuff is
+now only total_size - len(fragment_header) large. When the merge function
+is then processing the remaining fragments, the code to copy the data over
+to the merged skbuff will cause an skb_over_panic when it tries to actually
+put enough data to fill the total_size bytes of the packet.
+
+The size of the skb_pull must therefore also be taken into account when the
+buffer's tailroom is expanded.
+
+Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
+Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
+Co-authored-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: other, https://patchwork.open-mesh.org/patch/17616/
+---
+ net/batman-adv/fragmentation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 0fddc17106bd8a0e3f064fee9adba7c226f34682..5b71a289d04fc80de6c20e7a24d621727c77825a 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -275,7 +275,7 @@ batadv_frag_merge_packets(struct hlist_head *chain)
+ 	kfree(entry);
+
+ 	packet = (struct batadv_frag_packet *)skb_out->data;
+-	size = ntohs(packet->total_size);
++	size = ntohs(packet->total_size) + hdr_size;
+
+ 	/* Make room for the rest of the fragments. */
+ 	if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {