nodogsplash2: update to 2.1.2

Fixes a path traversal attack.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>

alfred/Makefile

@@ -14,6 +14,7 @@ PKG_NAME:=alfred
 PKG_VERSION:=2016.5
 PKG_RELEASE:=0
 PKG_MD5SUM:=e03d422ed3b5a162b90e8af13389523f
+PKG_HASH:=37b3babf7f37643cf296be11fb82d5730cf441a5a56f72fba96edae9f149c9d2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.open-mesh.org/batman/releases/batman-adv-$(PKG_VERSION)

batctl/Makefile

@@ -10,8 +10,9 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=batctl
 
 PKG_VERSION:=2016.5
-PKG_RELEASE:=0
+PKG_RELEASE:=1
 PKG_MD5SUM:=7b33fb47c7fa5b317e9a152a286999fc
+PKG_HASH:=07edeb1d87a548285be8c499542790a158fc8d94ef7ebb295f27ebf710024ae9
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.open-mesh.org/batman/releases/batman-adv-$(PKG_VERSION)

batctl/patches/0001-batctl-change-PATH_BUFF_LEN-to-maximal-possible-valu.patch

@@ -0,0 +1,43 @@
+From: Philipp Psurek <philipp.psurek@gmail.com>
+Date: Tue, 13 Jun 2017 10:25:59 +0200
+Subject: batctl: change PATH_BUFF_LEN to maximal possible value
+
+The output of
+
+snprintf(path_buff, PATH_BUFF_LEN, SYS_ROUTING_ALGO_FMT, iface_dir->d_name)
+
+in sys.c can be between 34 and 289 bytes and should not write into a
+destination of size 200.
+
+Signed-off-by: Philipp Psurek <philipp.psurek@gmail.com>
+[sw: use higher limits to be future-proof]
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/620226bf8cff30e6dd966c8fe922b2d4cddf843b
+
+diff --git a/functions.c b/functions.c
+index abd588209337dcfa04be9aadbf4ba39bb46771bb..676012bb56f9f8aa757b4805e27d904181ee2d27 100644
+--- a/functions.c
++++ b/functions.c
+@@ -59,7 +59,7 @@
+ #include "debugfs.h"
+ #include "netlink.h"
+ 
+-#define PATH_BUFF_LEN 200
++#define PATH_BUFF_LEN 400
+ 
+ static struct timespec start_time;
+ static char *host_name;
+diff --git a/functions.h b/functions.h
+index 95cd6cf32b0c97cc36f7a81a7d8b126a0bbc389b..99e9085b4f392452d0e0b711dac334559408c1fb 100644
+--- a/functions.h
++++ b/functions.h
+@@ -31,7 +31,7 @@
+ #define ETH_STR_LEN 17
+ #define BATMAN_ADV_TAG "batman-adv:"
+ 
+-#define PATH_BUFF_LEN 200
++#define PATH_BUFF_LEN 400
+ 
+ /* return time delta from start to end in milliseconds */
+ void start_timer(void);

batctl/patches/0002-batctl-suppress-implicit-fallthrough-compiler-warnin.patch

@@ -0,0 +1,40 @@
+From: Philipp Psurek <philipp.psurek@gmail.com>
+Date: Tue, 13 Jun 2017 13:08:24 +0200
+Subject: batctl: suppress implicit-fallthrough compiler warning
+
+GCC 7.1.0 complains about an intended fallthrough.
+“__attribute__ ((fallthrough))” in this part of code would suppress this
+warning. Because older GCC compiler don’t understand this statement attribute
+and because there is already a comment in the source containing
+“falls?[ \t-]*thr(ough|u)” we can suppress the warning with the
+“-Wimplicit-fallthrough=2” warning option. Unintended fallthroughs without a
+comment would trigger this warning again.
+
+To avoid compiler recognition in the Makefile a simply change of the comment
+is sufficient to suppress the warning. For some reason only stand alone
+comments mentioned in [1] are recognized so the comment has to be split up into
+two parts.
+
+[1] https://gcc.gnu.org/onlinedocs/gcc-7.1.0/gcc/Warning-Options.html#index-Wimplicit-fallthrough_003d
+
+Signed-off-by: Philipp Psurek <philipp.psurek@gmail.com>
+[sw: Put the second comment part into a new line to avoid clutter]
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/50ee3c45feeda6d8c04ee127097badf99f78a26e
+
+diff --git a/tp_meter.c b/tp_meter.c
+index f95b8391ff3426200697034f1087274ca9e5a9dd..ec0dc4802c638471ff3c38bd344e31c208b634a5 100644
+--- a/tp_meter.c
++++ b/tp_meter.c
+@@ -498,8 +498,9 @@ int tp_meter(char *mesh_iface, int argc, char **argv)
+ 		break;
+ 	case BATADV_TP_REASON_CANCEL:
+ 		printf("CANCEL received: test aborted\n");
+-		/* fall through and print the partial result */
++		/* fall through */
+ 	case BATADV_TP_REASON_COMPLETE:
++		/* print the partial result */
+ 		if (result.test_time > 0) {
+ 			throughput = result.total_bytes * 1000;
+ 			throughput /= result.test_time;

batctl/patches/0003-batctl-Print-dummy-value-when-localtime-failed.patch

@@ -0,0 +1,30 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 23 Nov 2017 15:04:35 +0100
+Subject: batctl: Print dummy value when localtime failed
+
+localtime can return NULL when the local time could not be calculated.
+Accessing this NULL pointer is not allowed.
+
+Fixes: 05f27bfcd302 ("add arp packets , change output")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/09dd2dc0b4945c83bd07ad4bce64062239d901fb
+
+diff --git a/tcpdump.c b/tcpdump.c
+index 2125b66d0871c4a127425bfad0135a9f565cfb78..db9c46afecf3de94dbd4d9292df1fe0812fb8bfc 100644
+--- a/tcpdump.c
++++ b/tcpdump.c
+@@ -103,7 +103,11 @@ static int print_time(void)
+ 	gettimeofday(&tv, NULL);
+ 	tm = localtime(&tv.tv_sec);
+ 
+-	printf("%02d:%02d:%02d.%06ld ", tm->tm_hour, tm->tm_min, tm->tm_sec, tv.tv_usec);
++	if (tm)
++		printf("%02d:%02d:%02d.%06ld ", tm->tm_hour, tm->tm_min, tm->tm_sec, tv.tv_usec);
++	else
++		printf("00:00:00.000000 ");
++
+ 	return 1;
+ }
+ 

batctl/patches/0004-batctl-Handle-failure-during-hash_iterator-allocatio.patch

@@ -0,0 +1,26 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 23 Nov 2017 15:04:36 +0100
+Subject: batctl: Handle failure during hash_iterator allocation
+
+The iterator functions should not try to start the iteration when the
+iterator could not be allocated.
+
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/aa316bf6d1b2cf0ab7189ed8620c17f5018d4d37
+
+diff --git a/hash.c b/hash.c
+index 08d47b5b8f812d718f9463c548d73fbffb49b1b3..c6f735c64b573928441b41936646d195bc0da4bb 100644
+--- a/hash.c
++++ b/hash.c
+@@ -120,6 +120,9 @@ struct hash_it_t *hash_iterate(struct hashtable_t *hash,
+ 
+ 	if (iter_in == NULL) {
+ 		iter = debugMalloc(sizeof(struct hash_it_t), 301);
++		if (!iter)
++			return NULL;
++
+ 		iter->index =  -1;
+ 		iter->bucket = NULL;
+ 		iter->prev_bucket = NULL;

batctl/patches/0005-batctl-Handle-allocation-error-for-path_buff.patch

@@ -0,0 +1,53 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 23 Nov 2017 15:04:37 +0100
+Subject: batctl: Handle allocation error for path_buff
+
+Fixes: 5a1af99276b0 ("batctl: adapt batctl to new sysfs interface handling")
+Fixes: 306fcb4480c9 ("batctl: support for multiple mesh clouds")
+Fixes: af115c9acf44 ("batctl: support new gateway sysfs API")
+Fixes: 2c2cb260ad2e ("batctl: list supported and configured routing algorithms")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/3b52283a5f60d1c6ec11628d031e72f0a28a720f
+
+diff --git a/sys.c b/sys.c
+index b52434072b34b949c73de8346f8c2dce615423a4..3047b5f6eebf26290f2d8c4840d52bb1bddc3e3f 100644
+--- a/sys.c
++++ b/sys.c
+@@ -153,6 +153,11 @@ int handle_loglevel(char *mesh_iface, int argc, char **argv)
+ 	}
+ 
+ 	path_buff = malloc(PATH_BUFF_LEN);
++	if (!path_buff) {
++		fprintf(stderr, "Error - could not allocate path buffer: out of memory ?\n");
++		return EXIT_FAILURE;
++	}
++
+ 	snprintf(path_buff, PATH_BUFF_LEN, SYS_BATIF_PATH_FMT, mesh_iface);
+ 
+ 	if (argc != 1) {
+@@ -253,6 +258,11 @@ int handle_sys_setting(char *mesh_iface, int setting, int argc, char **argv)
+ 
+ 	/* prepare the classic path */
+ 	path_buff = malloc(PATH_BUFF_LEN);
++	if (!path_buff) {
++		fprintf(stderr, "Error - could not allocate path buffer: out of memory ?\n");
++		return EXIT_FAILURE;
++	}
++
+ 	snprintf(path_buff, PATH_BUFF_LEN, SYS_BATIF_PATH_FMT, mesh_iface);
+ 
+ 	/* if the specified interface is a VLAN then change the path to point
+@@ -325,6 +335,11 @@ int handle_gw_setting(char *mesh_iface, int argc, char **argv)
+ 	}
+ 
+ 	path_buff = malloc(PATH_BUFF_LEN);
++	if (!path_buff) {
++		fprintf(stderr, "Error - could not allocate path buffer: out of memory ?\n");
++		return EXIT_FAILURE;
++	}
++
+ 	snprintf(path_buff, PATH_BUFF_LEN, SYS_BATIF_PATH_FMT, mesh_iface);
+ 
+ 	if (argc == 1) {

batctl/patches/0006-batctl-Handle-nlmsg_alloc-errors.patch

@@ -0,0 +1,60 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 23 Nov 2017 15:04:38 +0100
+Subject: batctl: Handle nlmsg_alloc errors
+
+nlmsg_alloc may return NULL on errors. The processing has to be aborted
+when this happens.
+
+Fixes: d8dd1ff1a0fe ("batctl: Use netlink to replace some of debugfs")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/27e9937635ffbfe33f7f3297aff911718b8deb56
+
+diff --git a/netlink.c b/netlink.c
+index 5f4325b0bb6b4a41860a75bd0851e446c5af9a88..64afeedac46bf3eab14a1d89d7db4491fbef8d81 100644
+--- a/netlink.c
++++ b/netlink.c
+@@ -302,6 +302,11 @@ static char *netlink_get_info(int ifindex, uint8_t nl_cmd, const char *header)
+ 		return NULL;
+ 
+ 	msg = nlmsg_alloc();
++	if (!msg) {
++		nl_socket_free(sock);
++		return NULL;
++	}
++
+ 	genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, family, 0, 0,
+ 		    BATADV_CMD_GET_MESH_INFO, 1);
+ 
+@@ -399,6 +404,11 @@ int netlink_print_routing_algos(void)
+ 		return -EOPNOTSUPP;
+ 
+ 	msg = nlmsg_alloc();
++	if (!msg) {
++		last_err = -ENOMEM;
++		goto err_free_sock;
++	}
++
+ 	genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, family, 0, NLM_F_DUMP,
+ 		    BATADV_CMD_GET_ROUTING_ALGOS, 1);
+ 
+@@ -415,6 +425,8 @@ int netlink_print_routing_algos(void)
+ 	nl_cb_err(cb, NL_CB_CUSTOM, print_error, NULL);
+ 
+ 	nl_recvmsgs(sock, cb);
++
++err_free_sock:
+ 	nl_socket_free(sock);
+ 
+ 	if (!last_err)
+@@ -1131,6 +1143,9 @@ static int netlink_print_common(char *mesh_iface, char *orig_iface,
+ 								 header);
+ 
+ 		msg = nlmsg_alloc();
++		if (!msg)
++			continue;
++
+ 		genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, family, 0,
+ 			    NLM_F_DUMP, nl_cmd, 1);
+ 

batctl/patches/0007-batctl-Handle-nl_socket_alloc-errors.patch

@@ -0,0 +1,47 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 23 Nov 2017 15:04:39 +0100
+Subject: batctl: Handle nl_socket_alloc errors
+
+nl_socket_alloc may return NULL on errors. The processing has to be aborted
+when this happens.
+
+Fixes: d8dd1ff1a0fe ("batctl: Use netlink to replace some of debugfs")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/bc6cd37e0d3ce08e3b89e3123ffa87dc55f24c09
+
+diff --git a/netlink.c b/netlink.c
+index 64afeedac46bf3eab14a1d89d7db4491fbef8d81..107ca52a4866e25b7b04428d770a885ca4e826d2 100644
+--- a/netlink.c
++++ b/netlink.c
+@@ -295,6 +295,9 @@ static char *netlink_get_info(int ifindex, uint8_t nl_cmd, const char *header)
+ 	};
+ 
+ 	sock = nl_socket_alloc();
++	if (!sock)
++		return NULL;
++
+ 	genl_connect(sock);
+ 
+ 	family = genl_ctrl_resolve(sock, BATADV_NL_NAME);
+@@ -397,6 +400,9 @@ int netlink_print_routing_algos(void)
+ 	};
+ 
+ 	sock = nl_socket_alloc();
++	if (!sock)
++		return -ENOMEM;
++
+ 	genl_connect(sock);
+ 
+ 	family = genl_ctrl_resolve(sock, BATADV_NL_NAME);
+@@ -1104,6 +1110,9 @@ static int netlink_print_common(char *mesh_iface, char *orig_iface,
+ 	int family;
+ 
+ 	sock = nl_socket_alloc();
++	if (!sock)
++		return -ENOMEM;
++
+ 	genl_connect(sock);
+ 
+ 	family = genl_ctrl_resolve(sock, BATADV_NL_NAME);

batctl/patches/0008-batctl-Handle-nl_cb_alloc-errors.patch

@@ -0,0 +1,69 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 23 Nov 2017 15:04:40 +0100
+Subject: batctl: Handle nl_cb_alloc errors
+
+nl_cb_alloc may return NULL on errors. The processing has to be aborted
+when this happens.
+
+Fixes: d8dd1ff1a0fe ("batctl: Use netlink to replace some of debugfs")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/0a14f8800dac67d706827e9be7745e2319f5412c
+
+diff --git a/netlink.c b/netlink.c
+index 107ca52a4866e25b7b04428d770a885ca4e826d2..3eb66c9de30c21722bb1e348b055838ea14d18cf 100644
+--- a/netlink.c
++++ b/netlink.c
+@@ -320,11 +320,15 @@ static char *netlink_get_info(int ifindex, uint8_t nl_cmd, const char *header)
+ 	nlmsg_free(msg);
+ 
+ 	cb = nl_cb_alloc(NL_CB_DEFAULT);
++	if (!cb)
++		goto err_free_sock;
++
+ 	nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, info_callback, &opts);
+ 	nl_cb_err(cb, NL_CB_CUSTOM, print_error, NULL);
+ 
+ 	nl_recvmsgs(sock, cb);
+ 
++err_free_sock:
+ 	nl_socket_free(sock);
+ 
+ 	return opts.remaining_header;
+@@ -425,6 +429,11 @@ int netlink_print_routing_algos(void)
+ 	opts.remaining_header = strdup("Available routing algorithms:\n");
+ 
+ 	cb = nl_cb_alloc(NL_CB_DEFAULT);
++	if (!cb) {
++		last_err = -ENOMEM;
++		goto err_free_sock;
++	}
++
+ 	nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, netlink_print_common_cb,
+ 		  &opts);
+ 	nl_cb_set(cb, NL_CB_FINISH, NL_CB_CUSTOM, stop_callback, NULL);
+@@ -1134,9 +1143,14 @@ static int netlink_print_common(char *mesh_iface, char *orig_iface,
+ 		}
+ 	}
+ 
++	cb = nl_cb_alloc(NL_CB_DEFAULT);
++	if (!cb) {
++		last_err = -ENOMEM;
++		goto err_free_sock;
++	}
++
+ 	bat_hosts_init(read_opt);
+ 
+-	cb = nl_cb_alloc(NL_CB_DEFAULT);
+ 	nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, netlink_print_common_cb, &opts);
+ 	nl_cb_set(cb, NL_CB_FINISH, NL_CB_CUSTOM, stop_callback, NULL);
+ 	nl_cb_err(cb, NL_CB_CUSTOM, print_error, NULL);
+@@ -1181,6 +1195,7 @@ static int netlink_print_common(char *mesh_iface, char *orig_iface,
+ 
+ 	bat_hosts_free();
+ 
++err_free_sock:
+ 	nl_socket_free(sock);
+ 
+ 	return last_err;

batctl/patches/0009-batctl-Free-nl_sock-on-genl_ctrl_resolve-error.patch

@@ -0,0 +1,56 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 23 Nov 2017 15:04:41 +0100
+Subject: batctl: Free nl_sock on genl_ctrl_resolve error
+
+genl_ctrl_resolve may return NULL on errors. The code must then free the
+socket which was used to start the genl_ctrl_resolve and stop the function
+with an error code.
+
+Fixes: d8dd1ff1a0fe ("batctl: Use netlink to replace some of debugfs")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/cdac2f843c616caaa2a0d3847aeec84c200c62d6
+
+diff --git a/netlink.c b/netlink.c
+index 3eb66c9de30c21722bb1e348b055838ea14d18cf..ee58ce8bf16e224374940dddaff61f7b3c5aa4bb 100644
+--- a/netlink.c
++++ b/netlink.c
+@@ -301,8 +301,10 @@ static char *netlink_get_info(int ifindex, uint8_t nl_cmd, const char *header)
+ 	genl_connect(sock);
+ 
+ 	family = genl_ctrl_resolve(sock, BATADV_NL_NAME);
+-	if (family < 0)
++	if (family < 0) {
++		nl_socket_free(sock);
+ 		return NULL;
++	}
+ 
+ 	msg = nlmsg_alloc();
+ 	if (!msg) {
+@@ -410,8 +412,10 @@ int netlink_print_routing_algos(void)
+ 	genl_connect(sock);
+ 
+ 	family = genl_ctrl_resolve(sock, BATADV_NL_NAME);
+-	if (family < 0)
+-		return -EOPNOTSUPP;
++	if (family < 0) {
++		last_err = -EOPNOTSUPP;
++		goto err_free_sock;
++	}
+ 
+ 	msg = nlmsg_alloc();
+ 	if (!msg) {
+@@ -1125,8 +1129,10 @@ static int netlink_print_common(char *mesh_iface, char *orig_iface,
+ 	genl_connect(sock);
+ 
+ 	family = genl_ctrl_resolve(sock, BATADV_NL_NAME);
+-	if (family < 0)
+-		return -EOPNOTSUPP;
++	if (family < 0) {
++		last_err = -EOPNOTSUPP;
++		goto err_free_sock;
++	}
+ 
+ 	ifindex = if_nametoindex(mesh_iface);
+ 	if (!ifindex) {

batctl/patches/0010-batctl-Free-nl_sock-when-if_nametoindex-failed.patch

@@ -0,0 +1,37 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 23 Nov 2017 15:04:42 +0100
+Subject: batctl: Free nl_sock when if_nametoindex failed
+
+The if_nametoindex can return an error. The code must then free the
+previously allocated nl_sock and stop the function with an error code.
+
+Fixes: d8dd1ff1a0fe ("batctl: Use netlink to replace some of debugfs")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/4361841bf76ecd27dcfca6edc30c63b05854d415
+
+diff --git a/netlink.c b/netlink.c
+index ee58ce8bf16e224374940dddaff61f7b3c5aa4bb..88a5c95c67989a812231aec7352eecfc4e38c70d 100644
+--- a/netlink.c
++++ b/netlink.c
+@@ -1137,7 +1137,8 @@ static int netlink_print_common(char *mesh_iface, char *orig_iface,
+ 	ifindex = if_nametoindex(mesh_iface);
+ 	if (!ifindex) {
+ 		fprintf(stderr, "Interface %s is unknown\n", mesh_iface);
+-		return -ENODEV;
++		last_err = -ENODEV;
++		goto err_free_sock;
+ 	}
+ 
+ 	if (orig_iface) {
+@@ -1145,7 +1146,8 @@ static int netlink_print_common(char *mesh_iface, char *orig_iface,
+ 		if (!hardifindex) {
+ 			fprintf(stderr, "Interface %s is unknown\n",
+ 				orig_iface);
+-			return -ENODEV;
++			last_err = -ENODEV;
++			goto err_free_sock;
+ 		}
+ 	}
+ 

batctl/patches/0011-batctl-tcpdump-Fix-types-for-for-TT-v1.patch

@@ -0,0 +1,27 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 23 Nov 2017 15:04:43 +0100
+Subject: batctl: tcpdump: Fix types for for TT v1
+
+The num_entry and num_vlan variables are accessed (printed) as u16
+variables and not like integers. They should therefore also be stored like
+that.
+
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/15a1335cadacc7c3bb4723a30617d123a961a311
+
+diff --git a/tcpdump.c b/tcpdump.c
+index db9c46afecf3de94dbd4d9292df1fe0812fb8bfc..da5541ea9f5f9f9b6fd0838d2242daa22d41a28d 100644
+--- a/tcpdump.c
++++ b/tcpdump.c
+@@ -157,7 +157,8 @@ static void batctl_tvlv_parse_tt_v1(void *buff, ssize_t buff_len)
+ {
+ 	struct batadv_tvlv_tt_data *tvlv = buff;
+ 	struct batadv_tvlv_tt_vlan_data *vlan;
+-	int i, num_vlan, num_entry;
++	int i;
++	unsigned short num_vlan, num_entry;
+ 	const char *type;
+ 	size_t vlan_len;
+ 

batctl/patches/0012-batctl-Simplify-concatenation-of-pathnames.patch

@@ -0,0 +1,54 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 23 Nov 2017 15:04:44 +0100
+Subject: batctl: Simplify concatenation of pathnames
+
+The combination of strncpy and strncat is hard to read and it is rather
+easy to introduce some kind of problems when using that. The usage of
+snprintf simplifies it slightly.
+
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/cfaec23c5f6f2cf649f3e0673b2e0c61bc01969f
+
+diff --git a/bat-hosts.c b/bat-hosts.c
+index a4add34bbaf8c34f8357ba8d1583218fdaf4df93..66e8f05bd2277e5560be77a26b97245223fa72aa 100644
+--- a/bat-hosts.c
++++ b/bat-hosts.c
+@@ -194,9 +194,7 @@ void bat_hosts_init(int read_opt)
+ 			if (!homedir)
+ 				continue;
+ 
+-			strncpy(confdir, homedir, CONF_DIR_LEN);
+-			confdir[CONF_DIR_LEN - 1] = '\0';
+-			strncat(confdir, &bat_hosts_path[i][1], CONF_DIR_LEN - strlen(confdir) - 1);
++			snprintf(confdir, CONF_DIR_LEN, "%s%s", homedir, &bat_hosts_path[i][1]);
+ 		} else {
+ 			strncpy(confdir, bat_hosts_path[i], CONF_DIR_LEN);
+ 			confdir[CONF_DIR_LEN - 1] = '\0';
+diff --git a/functions.c b/functions.c
+index 676012bb56f9f8aa757b4805e27d904181ee2d27..1c96e6241d01b83a136ff135bee8dd780629f7aa 100644
+--- a/functions.c
++++ b/functions.c
+@@ -208,9 +208,7 @@ int read_file(const char *dir, const char *fname, int read_opt,
+ 	if (read_opt & USE_BAT_HOSTS)
+ 		bat_hosts_init(read_opt);
+ 
+-	strncpy(full_path, dir, sizeof(full_path));
+-	full_path[sizeof(full_path) - 1] = '\0';
+-	strncat(full_path, fname, sizeof(full_path) - strlen(full_path) - 1);
++	snprintf(full_path, sizeof(full_path), "%s%s", dir, fname);
+ 
+ open:
+ 	line = 0;
+@@ -349,9 +347,7 @@ int write_file(const char *dir, const char *fname, const char *arg1,
+ 	char full_path[500];
+ 	ssize_t write_len;
+ 
+-	strncpy(full_path, dir, sizeof(full_path));
+-	full_path[sizeof(full_path) - 1] = '\0';
+-	strncat(full_path, fname, sizeof(full_path) - strlen(full_path) - 1);
++	snprintf(full_path, sizeof(full_path), "%s%s", dir, fname);
+ 
+ 	fd = open(full_path, O_WRONLY);
+ 

batctl/patches/0013-batctl-Handle-allocation-error-in-vlan_get_link_pars.patch

@@ -0,0 +1,28 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 2 Dec 2017 08:45:59 +0100
+Subject: batctl: Handle allocation error in vlan_get_link_parse
+
+The malloc could fail and return NULL. In this case, the processing of the
+current interface index has to be stopped to avoid writing to NULL (which
+would cause a segfault).
+
+Fixes: d29288fe0583 ("batctl: implement vlan-to-link helper functions")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batctl.git/commit/2ea390ce9bdda39d3c15bd9470009f56f42d5ed9
+
+diff --git a/functions.c b/functions.c
+index 1c96e6241d01b83a136ff135bee8dd780629f7aa..f91f26f4045766474d5dc109d76e20afd91a7791 100644
+--- a/functions.c
++++ b/functions.c
+@@ -812,6 +812,9 @@ static int vlan_get_link_parse(struct nl_msg *msg, void *arg)
+ 	idx = *(int *)nla_data(tb[IFLA_LINK]);
+ 	free(nl_arg->iface);
+ 	nl_arg->iface = malloc(IFNAMSIZ + 1);
++	if (!nl_arg->iface)
++		goto err;
++
+ 	if (!if_indextoname(idx, nl_arg->iface))
+ 		goto err;
+ 

batman-adv/Config.in

@@ -32,4 +32,4 @@ config KMOD_BATMAN_ADV_NC
 config KMOD_BATMAN_ADV_BATMAN_V
 	bool "enable batman v routing algorithm"
 	depends on PACKAGE_kmod-batman-adv
-	default n
+	default y

batman-adv/Makefile

@@ -11,17 +11,16 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=batman-adv
 
 PKG_VERSION:=2016.5
-PKG_RELEASE:=0
+PKG_RELEASE:=16
 PKG_MD5SUM:=6717a933a08dd2a01b00df30cb9f16a8
+PKG_HASH:=d0a0fc90c4f410b57d043215e253bb0b855efa5edbe165d87c17bfdcfafd0db7
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.open-mesh.org/batman/releases/batman-adv-$(PKG_VERSION)
 PKG_LICENSE:=GPL-2.0
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)/$(PKG_NAME)-$(PKG_VERSION)
-
-include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/kernel.mk
+include $(INCLUDE_DIR)/package.mk
 
 define KernelPackage/batman-adv
   URL:=https://www.open-mesh.org/

batman-adv/files/compat-hacks.h

@@ -192,6 +192,35 @@ static inline int batadv_nla_put_u64_64bit(struct sk_buff *skb, int attrtype,
 
 #endif /* < KERNEL_VERSION(4, 7, 0) */
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0)
+
+static inline void *batadv_skb_put(struct sk_buff *skb, unsigned int len)
+{
+	return (void *)skb_put(skb, len);
+}
+#define skb_put batadv_skb_put
+
+static inline void *skb_put_zero(struct sk_buff *skb, unsigned int len)
+{
+	void *tmp = skb_put(skb, len);
+
+	memset(tmp, 0, len);
+
+	return tmp;
+}
+
+static inline void *skb_put_data(struct sk_buff *skb, const void *data,
+				 unsigned int len)
+{
+	void *tmp = skb_put(skb, len);
+
+	memcpy(tmp, data, len);
+
+	return tmp;
+}
+
+#endif /* < KERNEL_VERSION(4, 13, 0) */
+
 
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
 
@@ -204,3 +233,22 @@ static inline int batadv_nla_put_u64_64bit(struct sk_buff *skb, int attrtype,
 #define __ro_after_init
 
 #endif /* < KERNEL_VERSION(4, 10, 0) */
+
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 18, 0)
+
+#include <net/cfg80211.h>
+
+/* cfg80211 fix: https://patchwork.kernel.org/patch/10449857/ */
+static inline int batadv_cfg80211_get_station(struct net_device *dev,
+					      const u8 *mac_addr,
+					      struct station_info *sinfo)
+{
+	memset(sinfo, 0, sizeof(*sinfo));
+	return cfg80211_get_station(dev, mac_addr, sinfo);
+}
+
+#define cfg80211_get_station(dev, mac_addr, sinfo) \
+	batadv_cfg80211_get_station(dev, mac_addr, sinfo)
+
+#endif /* < KERNEL_VERSION(4, 18, 0) */

batman-adv/files/etc/config/batman-adv

@@ -9,7 +9,6 @@ config 'mesh' 'bat0'
 	option 'gw_sel_class'
 	option 'log_level'
 	option 'orig_interval'
-	option 'vis_mode'
 	option 'bridge_loop_avoidance'
 	option 'distributed_arp_table'
 	option 'multicast_mode'

batman-adv/files/lib/batman-adv/config.sh

@@ -13,7 +13,7 @@ bat_config()
 	local mesh="$1"
 	local aggregated_ogms ap_isolation bonding bridge_loop_avoidance distributed_arp_table fragmentation
 	local gw_bandwidth gw_mode gw_sel_class isolation_mark hop_penalty multicast_mode network_coding log_level
-	local orig_interval vis_mode
+	local orig_interval
 
 	config_get aggregated_ogms "$mesh" aggregated_ogms
 	config_get ap_isolation "$mesh" ap_isolation
@@ -30,11 +30,10 @@ bat_config()
 	config_get network_coding "$mesh" network_coding
 	config_get log_level "$mesh" log_level
 	config_get orig_interval "$mesh" orig_interval
-	config_get vis_mode "$mesh" vis_mode
 
 	[ ! -f "/sys/class/net/$mesh/mesh/orig_interval" ] && echo "batman-adv mesh $mesh does not exist - check your interface configuration" && return 1
 
-	[ -n "$aggregate_ogms" ] && echo $aggregate_ogms > /sys/class/net/$mesh/mesh/aggregate_ogms
+	[ -n "$aggregated_ogms" ] && echo $aggregated_ogms > /sys/class/net/$mesh/mesh/aggregated_ogms
 	[ -n "$ap_isolation" ] && echo $ap_isolation > /sys/class/net/$mesh/mesh/ap_isolation
 	[ -n "$bonding" ] && echo $bonding > /sys/class/net/$mesh/mesh/bonding
 	[ -n "$bridge_loop_avoidance" ] && echo $bridge_loop_avoidance > /sys/class/net/$mesh/mesh/bridge_loop_avoidance 2>&-
@@ -49,5 +48,4 @@ bat_config()
 	[ -n "$network_coding" ] && echo $network_coding > /sys/class/net/$mesh/mesh/network_coding 2>&-
 	[ -n "$log_level" ] && echo $log_level > /sys/class/net/$mesh/mesh/log_level 2>&-
 	[ -n "$orig_interval" ] && echo $orig_interval > /sys/class/net/$mesh/mesh/orig_interval
-	[ -n "$vis_mode" ] && echo $vis_mode > /sys/class/net/$mesh/mesh/vis_mode
 }

batman-adv/patches/0001-Add-compat-fallback-for-batadv_getlink_net.patch

@@ -1,12 +1,11 @@
 From: Sven Eckelmann <sven@narfation.org>
 Date: Fri, 23 Sep 2016 14:55:38 +0200
-Subject: [PATCH] Add compat fallback for batadv_getlink_net
+Subject: Add compat fallback for batadv_getlink_net
----
+
- net/batman-adv/hard-interface.c | 4 ++++
+Forwarded: not-needed
- 1 file changed, 4 insertions(+)
 
 diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
-index 61a431a9..6969f580 100644
+index 61a431a9772ba96418644b399c9e787cbfd0e743..6969f580d0bfd0428f1c6985eaec8bbbf5a0d38b 100644
 --- a/net/batman-adv/hard-interface.c
 +++ b/net/batman-adv/hard-interface.c
 @@ -95,6 +95,9 @@ out:

batman-adv/patches/0002-batman-adv-Decrease-hardif-refcnt-on-fragmentation-s.patch

@@ -0,0 +1,62 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Tue, 27 Dec 2016 08:51:17 +0100
+Subject: batman-adv: Decrease hardif refcnt on fragmentation send error
+
+An error before the hardif is found has to free the skb. But every error
+after that has to free the skb + put the hard interface.
+
+Fixes: 8b4132b1447a ("batman-adv: Consume skb in batadv_frag_send_packet")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/205dc8385dc863467f4f6ccec2e63254e6baf831
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 9c561e683f4b8b68642b626b51a0dcda30260e97..0854ebd8613e9bf9044b04099b11341325d6e194 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -474,7 +474,7 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 	primary_if = batadv_primary_if_get_selected(bat_priv);
+ 	if (!primary_if) {
+ 		ret = -EINVAL;
+-		goto put_primary_if;
++		goto free_skb;
+ 	}
+ 
+ 	/* Create one header to be copied to all fragments */
+@@ -502,7 +502,7 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 		skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
+ 		if (!skb_fragment) {
+ 			ret = -ENOMEM;
+-			goto free_skb;
++			goto put_primary_if;
+ 		}
+ 
+ 		batadv_inc_counter(bat_priv, BATADV_CNT_FRAG_TX);
+@@ -511,7 +511,7 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 		ret = batadv_send_unicast_skb(skb_fragment, neigh_node);
+ 		if (ret != NET_XMIT_SUCCESS) {
+ 			ret = NET_XMIT_DROP;
+-			goto free_skb;
++			goto put_primary_if;
+ 		}
+ 
+ 		frag_header.no++;
+@@ -519,7 +519,7 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 		/* The initial check in this function should cover this case */
+ 		if (frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1) {
+ 			ret = -EINVAL;
+-			goto free_skb;
++			goto put_primary_if;
+ 		}
+ 	}
+ 
+@@ -527,7 +527,7 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 	if (batadv_skb_head_push(skb, header_size) < 0 ||
+ 	    pskb_expand_head(skb, header_size + ETH_HLEN, 0, GFP_ATOMIC) < 0) {
+ 		ret = -ENOMEM;
+-		goto free_skb;
++		goto put_primary_if;
+ 	}
+ 
+ 	memcpy(skb->data, &frag_header, header_size);

batman-adv/patches/0003-batman-adv-Fix-double-free-during-fragment-merge-err.patch

@@ -0,0 +1,58 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Feb 2017 11:26:33 +0100
+Subject: batman-adv: Fix double free during fragment merge error
+
+The function batadv_frag_skb_buffer was supposed not to consume the skbuff
+on errors. This was followed in the helper function
+batadv_frag_insert_packet when the skb would potentially be inserted in the
+fragment queue. But it could happen that the next helper function
+batadv_frag_merge_packets would try to merge the fragments and fail. This
+results in a kfree_skb of all the enqueued fragments (including the just
+inserted one). batadv_recv_frag_packet would detect the error in
+batadv_frag_skb_buffer and try to free the skb again.
+
+The behavior of batadv_frag_skb_buffer (and its helper
+batadv_frag_insert_packet) must therefore be changed to always consume the
+skbuff to have a common behavior and avoid the double kfree_skb.
+
+Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/e3bab02816097f860545d9ce9ae0808c69d7c92f
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 0854ebd8613e9bf9044b04099b11341325d6e194..31e97e9aee0d543b68be091936888e1f6c9dd7eb 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -239,8 +239,10 @@ err_unlock:
+ 	spin_unlock_bh(&chain->lock);
+ 
+ err:
+-	if (!ret)
++	if (!ret) {
+ 		kfree(frag_entry_new);
++		kfree_skb(skb);
++	}
+ 
+ 	return ret;
+ }
+@@ -313,7 +315,7 @@ free:
+  *
+  * There are three possible outcomes: 1) Packet is merged: Return true and
+  * set *skb to merged packet; 2) Packet is buffered: Return true and set *skb
+- * to NULL; 3) Error: Return false and leave skb as is.
++ * to NULL; 3) Error: Return false and free skb.
+  *
+  * Return: true when packet is merged or buffered, false when skb is not not
+  * used.
+@@ -338,9 +340,9 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
+ 		goto out_err;
+ 
+ out:
+-	*skb = skb_out;
+ 	ret = true;
+ out_err:
++	*skb = skb_out;
+ 	return ret;
+ }
+ 

batman-adv/patches/0004-batman-adv-Fix-transmission-of-final-16th-fragment.patch

@@ -0,0 +1,51 @@
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Mon, 13 Feb 2017 20:44:31 +0100
+Subject: batman-adv: Fix transmission of final, 16th fragment
+
+Trying to split and transmit a unicast packet in 16 parts will fail for
+the final fragment: After having sent the 15th one with a frag_packet.no
+index of 14, we will increase the the index to 15 - and return with an
+error code immediately, even though one more fragment is due for
+transmission and allowed.
+
+Fixing this issue by moving the check before incrementing the index.
+
+While at it, adding an unlikely(), because the check is actually more of
+an assertion.
+
+Fixes: db56e4ecf5c2 ("batman-adv: Fragment and send skbs larger than mtu")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/464eff3b1768ff190466a453a57ac140ea5cb756
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 31e97e9aee0d543b68be091936888e1f6c9dd7eb..11149e5be4e0ef9dfe2872e1d8d1f6dbb4ccdb14 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -501,6 +501,12 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 
+ 	/* Eat and send fragments from the tail of skb */
+ 	while (skb->len > max_fragment_size) {
++		/* The initial check in this function should cover this case */
++		if (unlikely(frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1)) {
++			ret = -EINVAL;
++			goto put_primary_if;
++		}
++
+ 		skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
+ 		if (!skb_fragment) {
+ 			ret = -ENOMEM;
+@@ -517,12 +523,6 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 		}
+ 
+ 		frag_header.no++;
+-
+-		/* The initial check in this function should cover this case */
+-		if (frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1) {
+-			ret = -EINVAL;
+-			goto put_primary_if;
+-		}
+ 	}
+ 
+ 	/* Make room for the fragment header. */

batman-adv/patches/0005-batman-adv-Treat-NET_XMIT_CN-as-transmit-successfull.patch

@@ -0,0 +1,116 @@
+From: Gao Feng <gfree.wind@gmail.com>
+Date: Mon, 21 Nov 2016 23:00:32 +0800
+Subject: batman-adv: Treat NET_XMIT_CN as transmit successfully
+
+The tc could return NET_XMIT_CN as one congestion notification, but
+it does not mean the packet is lost. Other modules like ipvlan,
+macvlan, and others treat NET_XMIT_CN as success too.
+
+So batman-adv should add the NET_XMIT_CN check.
+
+Signed-off-by: Gao Feng <gfree.wind@gmail.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/1120b81c74187f489c08fc9438305071def089cc
+
+diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
+index 49576c5a3fe306a42c28c3901d2b2c6cce7d0b8e..3641765d55df049a5dbac35d322ebc537a0f0322 100644
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -659,7 +659,8 @@ static bool batadv_dat_send_data(struct batadv_priv *bat_priv,
+ 		}
+ 
+ 		send_status = batadv_send_unicast_skb(tmp_skb, neigh_node);
+-		if (send_status == NET_XMIT_SUCCESS) {
++		if (send_status == NET_XMIT_SUCCESS ||
++		    send_status == NET_XMIT_CN) {
+ 			/* count the sent packet */
+ 			switch (packet_subtype) {
+ 			case BATADV_P_DAT_DHT_GET:
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 11149e5be4e0ef9dfe2872e1d8d1f6dbb4ccdb14..d33f16b9b8ac13ba630bf9ac8c5f4f0ca79fc878 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -517,7 +517,7 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 		batadv_add_counter(bat_priv, BATADV_CNT_FRAG_TX_BYTES,
+ 				   skb_fragment->len + ETH_HLEN);
+ 		ret = batadv_send_unicast_skb(skb_fragment, neigh_node);
+-		if (ret != NET_XMIT_SUCCESS) {
++		if (ret != NET_XMIT_SUCCESS && ret != NET_XMIT_CN) {
+ 			ret = NET_XMIT_DROP;
+ 			goto put_primary_if;
+ 		}
+diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
+index 6713bdf414cdacdaf36ecd6ac516f99e079fb51e..6b08b26da4d94be9c8c5e9dc708ddc18d8282428 100644
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -262,7 +262,7 @@ static int batadv_recv_my_icmp_packet(struct batadv_priv *bat_priv,
+ 		icmph->ttl = BATADV_TTL;
+ 
+ 		res = batadv_send_skb_to_orig(skb, orig_node, NULL);
+-		if (res == NET_XMIT_SUCCESS)
++		if (res == NET_XMIT_SUCCESS || res == NET_XMIT_CN)
+ 			ret = NET_RX_SUCCESS;
+ 
+ 		/* skb was consumed */
+@@ -330,7 +330,7 @@ static int batadv_recv_icmp_ttl_exceeded(struct batadv_priv *bat_priv,
+ 	icmp_packet->ttl = BATADV_TTL;
+ 
+ 	res = batadv_send_skb_to_orig(skb, orig_node, NULL);
+-	if (res == NET_RX_SUCCESS)
++	if (res == NET_RX_SUCCESS || res == NET_XMIT_CN)
+ 		ret = NET_XMIT_SUCCESS;
+ 
+ 	/* skb was consumed */
+@@ -424,7 +424,7 @@ int batadv_recv_icmp_packet(struct sk_buff *skb,
+ 
+ 	/* route it */
+ 	res = batadv_send_skb_to_orig(skb, orig_node, recv_if);
+-	if (res == NET_XMIT_SUCCESS)
++	if (res == NET_XMIT_SUCCESS || res == NET_XMIT_CN)
+ 		ret = NET_RX_SUCCESS;
+ 
+ 	/* skb was consumed */
+@@ -719,14 +719,14 @@ static int batadv_route_unicast_packet(struct sk_buff *skb,
+ 
+ 	len = skb->len;
+ 	res = batadv_send_skb_to_orig(skb, orig_node, recv_if);
+-	if (res == NET_XMIT_SUCCESS)
++	if (res == NET_XMIT_SUCCESS || res == NET_XMIT_CN)
+ 		ret = NET_RX_SUCCESS;
+ 
+ 	/* skb was consumed */
+ 	skb = NULL;
+ 
+ 	/* translate transmit result into receive result */
+-	if (res == NET_XMIT_SUCCESS) {
++	if (res == NET_XMIT_SUCCESS || res == NET_XMIT_CN) {
+ 		/* skb was transmitted and consumed */
+ 		batadv_inc_counter(bat_priv, BATADV_CNT_FORWARD);
+ 		batadv_add_counter(bat_priv, BATADV_CNT_FORWARD_BYTES,
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index 7b3494ae6ad93fd0d32391e5c88f5d636f43acd5..60516bbb7e8391f3063ba1e48c81288ffc7bef49 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -386,7 +386,7 @@ send:
+ 			ret = batadv_send_skb_via_tt(bat_priv, skb, dst_hint,
+ 						     vid);
+ 		}
+-		if (ret != NET_XMIT_SUCCESS)
++		if (ret != NET_XMIT_SUCCESS && ret != NET_XMIT_CN)
+ 			goto dropped_freed;
+ 	}
+ 
+diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
+index 981e8c5b07e9398c68df711d1d7b54e6e9333ead..c367c8316a822c70ee397bbe1266cd38f24a279b 100644
+--- a/net/batman-adv/tp_meter.c
++++ b/net/batman-adv/tp_meter.c
+@@ -615,7 +615,7 @@ static int batadv_tp_send_msg(struct batadv_tp_vars *tp_vars, const u8 *src,
+ 	batadv_tp_fill_prerandom(tp_vars, data, data_len);
+ 
+ 	r = batadv_send_skb_to_orig(skb, orig_node, NULL);
+-	if (r == NET_XMIT_SUCCESS)
++	if (r == NET_XMIT_SUCCESS || r == NET_XMIT_CN)
+ 		return 0;
+ 
+ 	return BATADV_TP_REASON_CANT_SEND;

batman-adv/patches/0006-batman-adv-don-t-add-loop-detect-macs-to-TT.patch

@@ -0,0 +1,63 @@
+From: Simon Wunderlich <simon.wunderlich@open-mesh.com>
+Date: Thu, 24 Nov 2016 16:11:01 +0100
+Subject: batman-adv: don't add loop detect macs to TT
+
+The bridge loop avoidance (BLA) feature of batman-adv sends packets to
+probe for Mesh/LAN packet loops. Those packets are not sent by real
+clients and should therefore not be added to the translation table (TT).
+
+Signed-off-by: Simon Wunderlich <simon.wunderlich@open-mesh.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/447df986b83630a92ca9d33903023b7e1b2917f3
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.h b/net/batman-adv/bridge_loop_avoidance.h
+index 1ae93e46fb98498c00082728ca91216d78e13298..2827cd3c13d2a35a3b296340a0aa123dbd032926 100644
+--- a/net/batman-adv/bridge_loop_avoidance.h
++++ b/net/batman-adv/bridge_loop_avoidance.h
+@@ -20,6 +20,8 @@
+ 
+ #include "main.h"
+ 
++#include <linux/compiler.h>
++#include <linux/stddef.h>
+ #include <linux/types.h>
+ 
+ struct net_device;
+@@ -27,6 +29,22 @@ struct netlink_callback;
+ struct seq_file;
+ struct sk_buff;
+ 
++/**
++ * batadv_bla_is_loopdetect_mac - check if the mac address is from a loop detect
++ *  frame sent by bridge loop avoidance
++ * @mac: mac address to check
++ *
++ * Return: true if the it looks like a loop detect frame
++ * (mac starts with BA:BE), false otherwise
++ */
++static inline bool batadv_bla_is_loopdetect_mac(const uint8_t *mac)
++{
++	if (mac[0] == 0xba && mac[1] == 0xbe)
++		return true;
++
++	return false;
++}
++
+ #ifdef CONFIG_BATMAN_ADV_BLA
+ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ 		   unsigned short vid, bool is_bcast);
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index 60516bbb7e8391f3063ba1e48c81288ffc7bef49..4e447bf17332c191dda694b9b3e49e06073814fc 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -258,7 +258,8 @@ static int batadv_interface_tx(struct sk_buff *skb,
+ 	ethhdr = eth_hdr(skb);
+ 
+ 	/* Register the client MAC in the transtable */
+-	if (!is_multicast_ether_addr(ethhdr->h_source)) {
++	if (!is_multicast_ether_addr(ethhdr->h_source) &&
++	    !batadv_bla_is_loopdetect_mac(ethhdr->h_source)) {
+ 		client_added = batadv_tt_local_add(soft_iface, ethhdr->h_source,
+ 						   vid, skb->skb_iif,
+ 						   skb->mark);

batman-adv/patches/0007-batman-adv-decrease-maximum-fragment-size.patch

@@ -0,0 +1,49 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Wed, 22 Feb 2017 17:25:41 +0100
+Subject: batman-adv: decrease maximum fragment size
+
+With this patch the maximum fragment size is reduced from 1400 to 1280
+bytes.
+
+Fragmentation v2 correctly uses the smaller of 1400 and the interface
+MTU, thus generally supporting interfaces with an MTU < 1400 bytes, too.
+
+However, currently "Fragmentation v2" does not support re-fragmentation.
+Which means that once a packet is split into two packets of 1400 + x
+bytes for instance and the next hop provides an interface with an even
+smaller MTU of 1280 bytes, then the larger fragment is lost.
+
+A maximum fragment size of 1280 bytes is a safer option as this is the
+minimum MTU required by IPv6, making interfaces with an MTU < 1280
+rather exotic.
+
+Regarding performance, this should have no negative impact on unicast
+traffic: Having some more bytes in the smaller and some less in the
+larger does not change the sum of both fragments.
+
+Concerning TT, choosing 1280 bytes fragments might result in more TT
+messages than necessary when a large network is bridged into batman-adv.
+However, the TT overhead in general is marginal due to its reactive
+nature, therefore such a performance impact on TT should not be
+noticeable for a user.
+
+Cc: Matthias Schiffer <mschiffer@universe-factory.net>
+[linus.luessing@c0d3.blue: Added commit message]
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/eb60b63140af5ec01ea0916837c2816cad10d6c1
+
+diff --git a/net/batman-adv/main.h b/net/batman-adv/main.h
+index a6cc8040a21dd24fb507683230fd66a9edb62458..5b7855560e8ad121c7b48da97807b6895be158fc 100644
+--- a/net/batman-adv/main.h
++++ b/net/batman-adv/main.h
+@@ -168,7 +168,7 @@ enum batadv_uev_type {
+ /* Maximum number of fragments for one packet */
+ #define BATADV_FRAG_MAX_FRAGMENTS 16
+ /* Maxumim size of each fragment */
+-#define BATADV_FRAG_MAX_FRAG_SIZE 1400
++#define BATADV_FRAG_MAX_FRAG_SIZE 1280
+ /* Time to keep fragments while waiting for rest of the fragments */
+ #define BATADV_FRAG_TIMEOUT 10000
+ 

batman-adv/patches/0008-batman-adv-Keep-fragments-equally-sized.patch

@@ -0,0 +1,87 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 22 Feb 2017 17:25:42 +0100
+Subject: batman-adv: Keep fragments equally sized
+
+The batman-adv fragmentation packets have the design problem that they
+cannot be refragmented. This often leads to problems when networks are
+incorrectly configured and don't use a common MTU.
+
+The sender could for example fragment a 1500 byte packet to fit in a 1280
+bytes large MTU. This would create a 1280 large packet and a 284 bytes
+large packet. But the next hop is then not able to transport 1280 bytes to
+its next hop. The 1280 byte large packet will be dropped but the 284 bytes
+large packet will still be forwarded to its destination.
+
+This can partly being avoided by splitting packets more equally. In this
+example, the two 782 bytes large packets could both potentially reach its
+destination.
+
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Linus Lüssing <linus.luessing@c0d3.blue>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/3caa5d14206ce8d4bd48bc931f213dec47ea1566
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index d33f16b9b8ac13ba630bf9ac8c5f4f0ca79fc878..70e512111528b0345889cea4ffd0ad5d984a4e6a 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -404,7 +404,7 @@ out:
+  * batadv_frag_create - create a fragment from skb
+  * @skb: skb to create fragment from
+  * @frag_head: header to use in new fragment
+- * @mtu: size of new fragment
++ * @fragment_size: size of new fragment
+  *
+  * Split the passed skb into two fragments: A new one with size matching the
+  * passed mtu and the old one with the rest. The new skb contains data from the
+@@ -414,11 +414,11 @@ out:
+  */
+ static struct sk_buff *batadv_frag_create(struct sk_buff *skb,
+ 					  struct batadv_frag_packet *frag_head,
+-					  unsigned int mtu)
++					  unsigned int fragment_size)
+ {
+ 	struct sk_buff *skb_fragment;
+ 	unsigned int header_size = sizeof(*frag_head);
+-	unsigned int fragment_size = mtu - header_size;
++	unsigned int mtu = fragment_size + header_size;
+ 
+ 	skb_fragment = netdev_alloc_skb(NULL, mtu + ETH_HLEN);
+ 	if (!skb_fragment)
+@@ -456,7 +456,7 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 	struct sk_buff *skb_fragment;
+ 	unsigned int mtu = neigh_node->if_incoming->net_dev->mtu;
+ 	unsigned int header_size = sizeof(frag_header);
+-	unsigned int max_fragment_size, max_packet_size;
++	unsigned int max_fragment_size, num_fragments;
+ 	int ret;
+ 
+ 	/* To avoid merge and refragmentation at next-hops we never send
+@@ -464,10 +464,15 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 	 */
+ 	mtu = min_t(unsigned int, mtu, BATADV_FRAG_MAX_FRAG_SIZE);
+ 	max_fragment_size = mtu - header_size;
+-	max_packet_size = max_fragment_size * BATADV_FRAG_MAX_FRAGMENTS;
++
++	if (skb->len == 0 || max_fragment_size == 0)
++		return -EINVAL;
++
++	num_fragments = (skb->len - 1) / max_fragment_size + 1;
++	max_fragment_size = (skb->len - 1) / num_fragments + 1;
+ 
+ 	/* Don't even try to fragment, if we need more than 16 fragments */
+-	if (skb->len > max_packet_size) {
++	if (num_fragments > BATADV_FRAG_MAX_FRAGMENTS) {
+ 		ret = -EAGAIN;
+ 		goto free_skb;
+ 	}
+@@ -507,7 +512,8 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 			goto put_primary_if;
+ 		}
+ 
+-		skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
++		skb_fragment = batadv_frag_create(skb, &frag_header,
++						  max_fragment_size);
+ 		if (!skb_fragment) {
+ 			ret = -ENOMEM;
+ 			goto put_primary_if;

batman-adv/patches/0009-batman-adv-Initialize-gw-sel_class-via-batadv_algo.patch

@@ -0,0 +1,137 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 4 Mar 2017 16:33:31 +0100
+Subject: batman-adv: Initialize gw sel_class via batadv_algo
+
+The gateway selection class variable is shared between different algorithm
+versions. But the interpretation of the content is algorithm specific. The
+initialization is therefore also algorithm specific.
+
+But this was implemented incorrectly and the initialization for BATMAN_V
+always overwrote the value previously written for BATMAN_IV. This could
+only be avoided when BATMAN_V was disabled during compile time.
+
+Using a special batadv_algo hook for this initialization avoids this
+problem.
+
+Fixes: 80b2d47be2c7 ("batman-adv: B.A.T.M.A.N. V - implement GW selection logic")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/ef565a1434966750644affda86fd11b0b69edbfe
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index f00f666e2ccd4714bb7a5210c48e39edb40e0c17..7bfd0d7ef49df8e699f91e2b827b824aa3657c0d 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -2477,6 +2477,16 @@ static void batadv_iv_iface_activate(struct batadv_hard_iface *hard_iface)
+ 	batadv_iv_ogm_schedule(hard_iface);
+ }
+ 
++/**
++ * batadv_iv_init_sel_class - initialize GW selection class
++ * @bat_priv: the bat priv with all the soft interface information
++ */
++static void batadv_iv_init_sel_class(struct batadv_priv *bat_priv)
++{
++	/* set default TQ difference threshold to 20 */
++	atomic_set(&bat_priv->gw.sel_class, 20);
++}
++
+ static struct batadv_gw_node *
+ batadv_iv_gw_get_best_gw_node(struct batadv_priv *bat_priv)
+ {
+@@ -2823,6 +2833,7 @@ static struct batadv_algo_ops batadv_batman_iv __read_mostly = {
+ 		.del_if = batadv_iv_ogm_orig_del_if,
+ 	},
+ 	.gw = {
++		.init_sel_class = batadv_iv_init_sel_class,
+ 		.get_best_gw_node = batadv_iv_gw_get_best_gw_node,
+ 		.is_eligible = batadv_iv_gw_is_eligible,
+ #ifdef CONFIG_BATMAN_ADV_DEBUGFS
+diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
+index 2ac612d7bab4d0b4035c9e476dab17536349dca3..2e2471ca84e392faac7fd6537bf137161e27542a 100644
+--- a/net/batman-adv/bat_v.c
++++ b/net/batman-adv/bat_v.c
+@@ -668,6 +668,16 @@ err_ifinfo1:
+ 	return ret;
+ }
+ 
++/**
++ * batadv_v_init_sel_class - initialize GW selection class
++ * @bat_priv: the bat priv with all the soft interface information
++ */
++static void batadv_v_init_sel_class(struct batadv_priv *bat_priv)
++{
++	/* set default throughput difference threshold to 5Mbps */
++	atomic_set(&bat_priv->gw.sel_class, 50);
++}
++
+ static ssize_t batadv_v_store_sel_class(struct batadv_priv *bat_priv,
+ 					char *buff, size_t count)
+ {
+@@ -1052,6 +1062,7 @@ static struct batadv_algo_ops batadv_batman_v __read_mostly = {
+ 		.dump = batadv_v_orig_dump,
+ 	},
+ 	.gw = {
++		.init_sel_class = batadv_v_init_sel_class,
+ 		.store_sel_class = batadv_v_store_sel_class,
+ 		.show_sel_class = batadv_v_show_sel_class,
+ 		.get_best_gw_node = batadv_v_gw_get_best_gw_node,
+@@ -1092,9 +1103,6 @@ int batadv_v_mesh_init(struct batadv_priv *bat_priv)
+ 	if (ret < 0)
+ 		return ret;
+ 
+-	/* set default throughput difference threshold to 5Mbps */
+-	atomic_set(&bat_priv->gw.sel_class, 50);
+-
+ 	return 0;
+ }
+ 
+diff --git a/net/batman-adv/gateway_common.c b/net/batman-adv/gateway_common.c
+index 21184810d89f69e372673aff221a74382945491d..3e3f91ab694fb8e61ecb4df356e72334b56e0fbe 100644
+--- a/net/batman-adv/gateway_common.c
++++ b/net/batman-adv/gateway_common.c
+@@ -253,6 +253,11 @@ static void batadv_gw_tvlv_ogm_handler_v1(struct batadv_priv *bat_priv,
+  */
+ void batadv_gw_init(struct batadv_priv *bat_priv)
+ {
++	if (bat_priv->algo_ops->gw.init_sel_class)
++		bat_priv->algo_ops->gw.init_sel_class(bat_priv);
++	else
++		atomic_set(&bat_priv->gw.sel_class, 1);
++
+ 	batadv_tvlv_handler_register(bat_priv, batadv_gw_tvlv_ogm_handler_v1,
+ 				     NULL, BATADV_TVLV_GW, 1,
+ 				     BATADV_TVLV_HANDLER_OGM_CIFNOTFND);
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index 4e447bf17332c191dda694b9b3e49e06073814fc..08432b14386a53c771c54b9eb38893d94c6f9b53 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -821,7 +821,6 @@ static int batadv_softif_init_late(struct net_device *dev)
+ 	atomic_set(&bat_priv->mcast.num_want_all_ipv6, 0);
+ #endif
+ 	atomic_set(&bat_priv->gw.mode, BATADV_GW_MODE_OFF);
+-	atomic_set(&bat_priv->gw.sel_class, 20);
+ 	atomic_set(&bat_priv->gw.bandwidth_down, 100);
+ 	atomic_set(&bat_priv->gw.bandwidth_up, 20);
+ 	atomic_set(&bat_priv->orig_interval, 1000);
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index e913aee28c98bf77cdd7fe92496fa4b188ff9604..5137d859694c28f60cad33325127617c047412ff 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -1489,6 +1489,7 @@ struct batadv_algo_orig_ops {
+ 
+ /**
+  * struct batadv_algo_gw_ops - mesh algorithm callbacks (GW specific)
++ * @init_sel_class: initialize GW selection class (optional)
+  * @store_sel_class: parse and stores a new GW selection class (optional)
+  * @show_sel_class: prints the current GW selection class (optional)
+  * @get_best_gw_node: select the best GW from the list of available nodes
+@@ -1499,6 +1500,7 @@ struct batadv_algo_orig_ops {
+  * @dump: dump gateways to a netlink socket (optional)
+  */
+ struct batadv_algo_gw_ops {
++	void (*init_sel_class)(struct batadv_priv *bat_priv);
+ 	ssize_t (*store_sel_class)(struct batadv_priv *bat_priv, char *buff,
+ 				   size_t count);
+ 	ssize_t (*show_sel_class)(struct batadv_priv *bat_priv, char *buff);

batman-adv/patches/0010-batman-adv-prevent-multiple-ARP-replies-sent-by-gate.patch

@@ -0,0 +1,137 @@
+From: Andreas Pape <APape@phoenixcontact.com>
+Date: Mon, 5 Sep 2016 13:20:25 +0200
+Subject: batman-adv: prevent multiple ARP replies sent by gateways if dat enabled
+
+If dat is enabled it must be made sure that only the backbone gw which has
+claimed the remote destination for the ARP request answers the ARP request
+directly if the MAC address is known due to the local dat table. This
+prevents multiple ARP replies in a common backbone if more than one
+gateway already knows the remote mac searched for in the ARP request.
+
+Signed-off-by: Andreas Pape <apape@phoenixcontact.com>
+Acked-by: Simon Wunderlich <sw@simonwunderlich.de>
+[sven@narfation.org: fix conflicts with current version]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/0c794961bc0d32386cffdc6d41c5ee21d9638e5b
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index e7f690b571ea9be8ace25843d6e187a907486b99..41ab4a67a07b264bccdc5bccf73920909ff35c40 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -2450,3 +2450,52 @@ out:
+ 
+ 	return ret;
+ }
++
++#ifdef CONFIG_BATMAN_ADV_DAT
++/**
++ * batadv_bla_check_claim - check if address is claimed
++ *
++ * @bat_priv: the bat priv with all the soft interface information
++ * @addr: mac address of which the claim status is checked
++ * @vid: the VLAN ID
++ *
++ * addr is checked if this address is claimed by the local device itself.
++ *
++ * Return: true if bla is disabled or the mac is claimed by the device,
++ * false if the device addr is already claimed by another gateway
++ */
++bool batadv_bla_check_claim(struct batadv_priv *bat_priv,
++			    u8 *addr, unsigned short vid)
++{
++	struct batadv_bla_claim search_claim;
++	struct batadv_bla_claim *claim = NULL;
++	struct batadv_hard_iface *primary_if = NULL;
++	bool ret = true;
++
++	if (!atomic_read(&bat_priv->bridge_loop_avoidance))
++		return ret;
++
++	primary_if = batadv_primary_if_get_selected(bat_priv);
++	if (!primary_if)
++		return ret;
++
++	/* First look if the mac address is claimed */
++	ether_addr_copy(search_claim.addr, addr);
++	search_claim.vid = vid;
++
++	claim = batadv_claim_hash_find(bat_priv, &search_claim);
++
++	/* If there is a claim and we are not owner of the claim,
++	 * return false.
++	 */
++	if (claim) {
++		if (!batadv_compare_eth(claim->backbone_gw->orig,
++					primary_if->net_dev->dev_addr))
++			ret = false;
++		batadv_claim_put(claim);
++	}
++
++	batadv_hardif_put(primary_if);
++	return ret;
++}
++#endif
+diff --git a/net/batman-adv/bridge_loop_avoidance.h b/net/batman-adv/bridge_loop_avoidance.h
+index 2827cd3c13d2a35a3b296340a0aa123dbd032926..133227c578e73fb998b540fdf361472a21e0c602 100644
+--- a/net/batman-adv/bridge_loop_avoidance.h
++++ b/net/batman-adv/bridge_loop_avoidance.h
+@@ -69,6 +69,10 @@ void batadv_bla_status_update(struct net_device *net_dev);
+ int batadv_bla_init(struct batadv_priv *bat_priv);
+ void batadv_bla_free(struct batadv_priv *bat_priv);
+ int batadv_bla_claim_dump(struct sk_buff *msg, struct netlink_callback *cb);
++#ifdef CONFIG_BATMAN_ADV_DAT
++bool batadv_bla_check_claim(struct batadv_priv *bat_priv, u8 *addr,
++			    unsigned short vid);
++#endif
+ #define BATADV_BLA_CRC_INIT	0
+ #else /* ifdef CONFIG_BATMAN_ADV_BLA */
+ 
+@@ -145,6 +149,13 @@ static inline int batadv_bla_backbone_dump(struct sk_buff *msg,
+ 	return -EOPNOTSUPP;
+ }
+ 
++static inline
++bool batadv_bla_check_claim(struct batadv_priv *bat_priv, u8 *addr,
++			    unsigned short vid)
++{
++	return true;
++}
++
+ #endif /* ifdef CONFIG_BATMAN_ADV_BLA */
+ 
+ #endif /* ifndef _NET_BATMAN_ADV_BLA_H_ */
+diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
+index 3641765d55df049a5dbac35d322ebc537a0f0322..4cfc9672507ba718d975a2f869bb89fc38e0d934 100644
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -43,6 +43,7 @@
+ #include <linux/workqueue.h>
+ #include <net/arp.h>
+ 
++#include "bridge_loop_avoidance.h"
+ #include "hard-interface.h"
+ #include "hash.h"
+ #include "log.h"
+@@ -1041,6 +1042,20 @@ bool batadv_dat_snoop_outgoing_arp_request(struct batadv_priv *bat_priv,
+ 			goto out;
+ 		}
+ 
++		/* If BLA is enabled, only send ARP replies if we have claimed
++		 * the destination for the ARP request or if no one else of
++		 * the backbone gws belonging to our backbone has claimed the
++		 * destination.
++		 */
++		if (!batadv_bla_check_claim(bat_priv,
++					    dat_entry->mac_addr, vid)) {
++			batadv_dbg(BATADV_DBG_DAT, bat_priv,
++				   "Device %pM claimed by another backbone gw. Don't send ARP reply!",
++				   dat_entry->mac_addr);
++			ret = true;
++			goto out;
++		}
++
+ 		skb_new = batadv_dat_arp_create_reply(bat_priv, ip_dst, ip_src,
+ 						      dat_entry->mac_addr,
+ 						      hw_src, vid);

batman-adv/patches/0011-batman-adv-prevent-duplication-of-ARP-replies-when-D.patch

@@ -0,0 +1,88 @@
+From: Andreas Pape <APape@phoenixcontact.com>
+Date: Mon, 5 Sep 2016 13:20:26 +0200
+Subject: batman-adv: prevent duplication of ARP replies when DAT is used
+
+If none of the backbone gateways in a bla setup has already knowledge of
+the mac address searched for in an incoming ARP request from the backbone
+an address resolution via the DHT of DAT is started. The gateway can send
+several ARP requests to different DHT nodes and therefore can get several
+replies. This patch assures that not all of the possible ARP replies are
+returned to the backbone by checking the local DAT cache of the gateway.
+If there is an entry in the local cache the gateway has already learned
+the requested address and there is no need to forward the additional reply
+to the backbone.
+Furthermore it is checked if this gateway has claimed the source of the ARP
+reply and only forwards it to the backbone if it has claimed the source or
+if there is no claim at all.
+
+Signed-off-by: Andreas Pape <apape@phoenixcontact.com>
+Acked-by: Simon Wunderlich <sw@simonwunderlich.de>
+[sven@narfation.org: fix conflicts with current version]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/81e422051cf0403e40615eb306d0ddaaddfee611
+
+diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
+index 4cfc9672507ba718d975a2f869bb89fc38e0d934..16216532c1d82c09337a9c5e7a4cd5b4ad3ded5d 100644
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -1205,6 +1205,7 @@ void batadv_dat_snoop_outgoing_arp_reply(struct batadv_priv *bat_priv,
+ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ 					 struct sk_buff *skb, int hdr_size)
+ {
++	struct batadv_dat_entry *dat_entry = NULL;
+ 	u16 type;
+ 	__be32 ip_src, ip_dst;
+ 	u8 *hw_src, *hw_dst;
+@@ -1227,12 +1228,41 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ 	hw_dst = batadv_arp_hw_dst(skb, hdr_size);
+ 	ip_dst = batadv_arp_ip_dst(skb, hdr_size);
+ 
++	/* If ip_dst is already in cache and has the right mac address,
++	 * drop this frame if this ARP reply is destined for us because it's
++	 * most probably an ARP reply generated by another node of the DHT.
++	 * We have most probably received already a reply earlier. Delivering
++	 * this frame would lead to doubled receive of an ARP reply.
++	 */
++	dat_entry = batadv_dat_entry_hash_find(bat_priv, ip_src, vid);
++	if (dat_entry && batadv_compare_eth(hw_src, dat_entry->mac_addr)) {
++		batadv_dbg(BATADV_DBG_DAT, bat_priv, "Doubled ARP reply removed: ARP MSG = [src: %pM-%pI4 dst: %pM-%pI4]; dat_entry: %pM-%pI4\n",
++			   hw_src, &ip_src, hw_dst, &ip_dst,
++			   dat_entry->mac_addr,	&dat_entry->ip);
++		dropped = true;
++		goto out;
++	}
++
+ 	/* Update our internal cache with both the IP addresses the node got
+ 	 * within the ARP reply
+ 	 */
+ 	batadv_dat_entry_add(bat_priv, ip_src, hw_src, vid);
+ 	batadv_dat_entry_add(bat_priv, ip_dst, hw_dst, vid);
+ 
++	/* If BLA is enabled, only forward ARP replies if we have claimed the
++	 * source of the ARP reply or if no one else of the same backbone has
++	 * already claimed that client. This prevents that different gateways
++	 * to the same backbone all forward the ARP reply leading to multiple
++	 * replies in the backbone.
++	 */
++	if (!batadv_bla_check_claim(bat_priv, hw_src, vid)) {
++		batadv_dbg(BATADV_DBG_DAT, bat_priv,
++			   "Device %pM claimed by another backbone gw. Drop ARP reply.\n",
++			   hw_src);
++		dropped = true;
++		goto out;
++	}
++
+ 	/* if this REPLY is directed to a client of mine, let's deliver the
+ 	 * packet to the interface
+ 	 */
+@@ -1245,6 +1275,8 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ out:
+ 	if (dropped)
+ 		kfree_skb(skb);
++	if (dat_entry)
++		batadv_dat_entry_put(dat_entry);
+ 	/* if dropped == false -> deliver to the interface */
+ 	return dropped;
+ }

batman-adv/patches/0012-batman-adv-drop-unicast-packets-from-other-backbone-.patch

@@ -0,0 +1,66 @@
+From: Andreas Pape <APape@phoenixcontact.com>
+Date: Mon, 5 Sep 2016 13:20:27 +0200
+Subject: batman-adv: drop unicast packets from other backbone gw
+
+Additional dropping of unicast packets received from another backbone gw if
+the same backbone network before being forwarded to the same backbone again
+is necessary. It was observed in a test setup that in rare cases these
+frames lead to looping unicast traffic backbone->mesh->backbone.
+
+Signed-off-by: Andreas Pape <apape@phoenixcontact.com>
+Acked-by: Simon Wunderlich <sw@simonwunderlich.de>
+[sven@narfation.org: fix conflicts with current version]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/bfe2a1971f43ef540ef0440d319542fa7d41d81f
+
+diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
+index 6b08b26da4d94be9c8c5e9dc708ddc18d8282428..5190683424b89d1fa7c86895000bc6656e6a65dd 100644
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -942,15 +942,17 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
+ 	struct batadv_priv *bat_priv = netdev_priv(recv_if->soft_iface);
+ 	struct batadv_unicast_packet *unicast_packet;
+ 	struct batadv_unicast_4addr_packet *unicast_4addr_packet;
+-	u8 *orig_addr;
+-	struct batadv_orig_node *orig_node = NULL;
++	u8 *orig_addr, *orig_addr_gw;
++	struct batadv_orig_node *orig_node = NULL, *orig_node_gw = NULL;
+ 	int check, hdr_size = sizeof(*unicast_packet);
+ 	enum batadv_subtype subtype;
+-	bool is4addr;
++	struct ethhdr *ethhdr;
+ 	int ret = NET_RX_DROP;
++	bool is4addr, is_gw;
+ 
+ 	unicast_packet = (struct batadv_unicast_packet *)skb->data;
+ 	unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
++	ethhdr = eth_hdr(skb);
+ 
+ 	is4addr = unicast_packet->packet_type == BATADV_UNICAST_4ADDR;
+ 	/* the caller function should have already pulled 2 bytes */
+@@ -973,6 +975,23 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
+ 
+ 	/* packet for me */
+ 	if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
++		/* If this is a unicast packet from another backgone gw,
++		 * drop it.
++		 */
++		orig_addr_gw = ethhdr->h_source;
++		orig_node_gw = batadv_orig_hash_find(bat_priv, orig_addr_gw);
++		if (orig_node_gw) {
++			is_gw = batadv_bla_is_backbone_gw(skb, orig_node_gw,
++							  hdr_size);
++			batadv_orig_node_put(orig_node_gw);
++			if (is_gw) {
++				batadv_dbg(BATADV_DBG_BLA, bat_priv,
++					   "Dropped unicast pkt received from another backbone gw %pM.\n",
++					   orig_addr_gw);
++				return NET_RX_DROP;
++			}
++		}
++
+ 		if (is4addr) {
+ 			subtype = unicast_4addr_packet->subtype;
+ 			batadv_dat_inc_counter(bat_priv, subtype);

batman-adv/patches/0013-batman-adv-fix-memory-leak-when-dropping-packet-from.patch

@@ -0,0 +1,30 @@
+From: Andreas Pape <apape@phoenixcontact.com>
+Date: Fri, 19 May 2017 10:01:42 +0200
+Subject: batman-adv: fix memory leak when dropping packet from other gateway
+
+The skb must be released in the receive handler since b91a2543b4c1
+("batman-adv: Consume skb in receive handlers"). Just returning NET_RX_DROP
+will no longer automatically free the memory. This results in memory leaks
+when unicast packets from other backbones must be dropped because they
+share a common backbone.
+
+Fixes: bfe2a1971f43 ("batman-adv: drop unicast packets from other backbone gw")
+Signed-off-by: Andreas Pape <apape@phoenixcontact.com>
+[sven@narfation.org: adjust commit message]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/a58feb79ed1447e3e83f3b0b1a23779886869f39
+
+diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
+index 5190683424b89d1fa7c86895000bc6656e6a65dd..213cc01ad00392f7cbd4efd9d4796f76691d2d9e 100644
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -988,7 +988,7 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
+ 				batadv_dbg(BATADV_DBG_BLA, bat_priv,
+ 					   "Dropped unicast pkt received from another backbone gw %pM.\n",
+ 					   orig_addr_gw);
+-				return NET_RX_DROP;
++				goto free_skb;
+ 			}
+ 		}
+ 

batman-adv/patches/0014-batman-adv-handle-race-condition-for-claims-between-.patch

@@ -0,0 +1,64 @@
+From: Andreas Pape <APape@phoenixcontact.com>
+Date: Mon, 5 Sep 2016 13:20:29 +0200
+Subject: batman-adv: handle race condition for claims between gateways
+
+Consider the following situation which has been found in a test setup:
+Gateway B has claimed client C and gateway A has the same backbone
+network as B. C sends a broad- or multicast to B and directly after
+this packet decides to send another packet to A due to a better TQ
+value. B will forward the broad-/multicast into the backbone as it is
+the responsible gw and after that A will claim C as it has been
+chosen by C as the best gateway. If it now happens that A claims C
+before it has received the broad-/multicast forwarded by B (due to
+backbone topology or due to some delay in B when forwarding the
+packet) we get a critical situation: in the current code A will
+immediately unclaim C when receiving the multicast due to the
+roaming client scenario although the position of C has not changed
+in the mesh. If this happens the multi-/broadcast forwarded by B
+will be sent back into the mesh by A and we have looping packets
+until one of the gateways claims C again.
+In order to prevent this, unclaiming of a client due to the roaming
+client scenario is only done after a certain time is expired after
+the last claim of the client. 100 ms are used here, which should be
+slow enough for big backbones and slow gateways but fast enough not
+to break the roaming client use case.
+
+Acked-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Andreas Pape <apape@phoenixcontact.com>
+[sven@narfation.org: fix conflicts with current version]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/cbb2ccc101e220b339989d5a51c0ca226ceda792
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index 41ab4a67a07b264bccdc5bccf73920909ff35c40..1e6e5d4468ad50c221ea5a0d436678d16c5e154f 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1964,10 +1964,22 @@ bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ 		/* if yes, the client has roamed and we have
+ 		 * to unclaim it.
+ 		 */
+-		batadv_handle_unclaim(bat_priv, primary_if,
+-				      primary_if->net_dev->dev_addr,
+-				      ethhdr->h_source, vid);
+-		goto allow;
++		if (batadv_has_timed_out(claim->lasttime, 100)) {
++			/* only unclaim if the last claim entry is
++			 * older than 100 ms to make sure we really
++			 * have a roaming client here.
++			 */
++			batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_tx(): Roaming client %pM detected. Unclaim it.\n",
++				   ethhdr->h_source);
++			batadv_handle_unclaim(bat_priv, primary_if,
++					      primary_if->net_dev->dev_addr,
++					      ethhdr->h_source, vid);
++			goto allow;
++		} else {
++			batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_tx(): Race for claim %pM detected. Drop packet.\n",
++				   ethhdr->h_source);
++			goto handled;
++		}
+ 	}
+ 
+ 	/* check if it is a multicast/broadcast frame */

batman-adv/patches/0015-batman-adv-Fix-rx-packet-bytes-stats-on-local-ARP-re.patch

@@ -0,0 +1,33 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 5 Apr 2017 16:26:17 +0200
+Subject: batman-adv: Fix rx packet/bytes stats on local ARP reply
+
+The stats are generated by batadv_interface_stats and must not be stored
+directly in the net_device stats member variable. The batadv_priv
+bat_counters information is assembled when ndo_get_stats is called. The
+stats previously stored in net_device::stats is then overwritten.
+
+The batman-adv counters must therefore be increased when an ARP packet is
+answered locally via the distributed arp table.
+
+Fixes: 75ca71d858f5 ("batman-adv: Distributed ARP Table - add snooping functions for ARP messages")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/426ddde4ffe0c7345d1a7409bf899f89ddea26d3
+
+diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
+index 16216532c1d82c09337a9c5e7a4cd5b4ad3ded5d..4d982e63a3ab269e3d3b1e7a9d5f205638051603 100644
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -1064,8 +1064,9 @@ bool batadv_dat_snoop_outgoing_arp_request(struct batadv_priv *bat_priv,
+ 
+ 		skb_new->protocol = eth_type_trans(skb_new,
+ 						   bat_priv->soft_iface);
+-		bat_priv->stats.rx_packets++;
+-		bat_priv->stats.rx_bytes += skb->len + ETH_HLEN + hdr_size;
++		batadv_inc_counter(bat_priv, BATADV_CNT_RX);
++		batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
++				   skb->len + ETH_HLEN + hdr_size);
+ 		bat_priv->soft_iface->last_rx = jiffies;
+ 
+ 		netif_rx(skb_new);

batman-adv/patches/0016-batman-adv-do-not-add-loop-detection-mac-addresses-t.patch

@@ -0,0 +1,32 @@
+From: Simon Wunderlich <sw@simonwunderlich.de>
+Date: Thu, 1 Jun 2017 17:11:24 +0200
+Subject: batman-adv: do not add loop detection mac addresses to global tt
+
+This change has been made for local TT already, add another one for
+global TT - but only for temporary entries (aka speedy join), to prevent
+inconsistencies between local and global tables in case an older
+batman-adv version is still announcing those entries from its local
+table.
+
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/1f1b6c0d96129e6445652061d93a7fb1f0476fa3
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 30ecbfb40adfa6f9f1c777fc93e42df8c39e4581..199da2abe6ab92161ab66faa01fa3d06aeb68c89 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -4012,6 +4012,12 @@ bool batadv_tt_add_temporary_global_entry(struct batadv_priv *bat_priv,
+ {
+ 	bool ret = false;
+ 
++	/* ignore loop detect macs, they are not supposed to be in the tt local
++	 * data as well.
++	 */
++	if (batadv_bla_is_loopdetect_mac(addr))
++		return false;
++
+ 	if (!batadv_tt_global_add(bat_priv, orig_node, addr, vid,
+ 				  BATADV_TT_CLIENT_TEMP,
+ 				  atomic_read(&orig_node->last_ttvn)))

batman-adv/patches/0017-batman-adv-Use-default-throughput-value-on-cfg80211-.patch

@@ -0,0 +1,32 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 9 Jun 2017 17:06:50 +0200
+Subject: batman-adv: Use default throughput value on cfg80211 error
+
+A wifi interface should never be handled like an ethernet devices. The
+parser of the cfg80211 output must therefore skip the ethtool code when
+cfg80211_get_station returned an error.
+
+Fixes: 01b1fe819ee0 ("batman-adv: refactor wifi interface detection")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Reviewed-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/76ef29071b0050f972a626747d034a494a7195d7
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index f2fb2f05b6bf280d2b5fae26ed10288f73345f16..7c54a9291c9eaed75dfdfdfbd200f84c51576cb3 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -109,8 +109,10 @@ static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh)
+ 			 */
+ 			return 0;
+ 		}
+-		if (!ret)
+-			return sinfo.expected_throughput / 100;
++		if (ret)
++			goto default_throughput;
++
++		return sinfo.expected_throughput / 100;
+ 	}
+ 
+ 	/* if not a wifi interface, check if this device provides data via

batman-adv/patches/0018-batman-adv-Accept-only-filled-wifi-station-info.patch

@@ -0,0 +1,91 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 9 Jun 2017 17:06:51 +0200
+Subject: batman-adv: Accept only filled wifi station info
+
+The wifi driver can decide to not provide parts of the station info. For
+example, the expected throughput of the station can be omitted when the
+used rate control doesn't provide this kind of information.
+
+The B.A.T.M.A.N. V implementation must therefore check the filled bitfield
+before it tries to access the expected_throughput of the returned
+station_info.
+
+Reported-by: Alvaro Antelo <alvaro.antelo@gmail.com>
+Fixes: 5c3245172c01 ("batman-adv: ELP - compute the metric based on the estimated throughput")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Reviewed-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/1e26904b364ceffe9ca7d6da7412e70fb2a04178
+
+diff --git a/compat-include/linux/nl80211.h b/compat-include/linux/nl80211.h
+new file mode 100644
+index 0000000000000000000000000000000000000000..e6654df8cd67caa52a16a1f709141d7415b9f523
+--- /dev/null
++++ b/compat-include/linux/nl80211.h
+@@ -0,0 +1,14 @@
++#ifndef _NET_BATMAN_ADV_COMPAT_LINUX_NL80211_H_
++#define _NET_BATMAN_ADV_COMPAT_LINUX_NL80211_H_
++
++#include <linux/version.h>
++#include_next <linux/nl80211.h>
++
++#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 16, 0)
++
++/* Linux 3.15 misses the uapi include.... */
++#include <uapi/linux/nl80211.h>
++
++#endif /* < KERNEL_VERSION(3, 16, 0) */
++
++#endif	/* _NET_BATMAN_ADV_COMPAT_LINUX_NL80211_H_ */
+diff --git a/compat-include/uapi/linux/nl80211.h b/compat-include/uapi/linux/nl80211.h
+new file mode 100644
+index 0000000000000000000000000000000000000000..06f5625af21360be5718a1a6f7e8949f6739c927
+--- /dev/null
++++ b/compat-include/uapi/linux/nl80211.h
+@@ -0,0 +1,16 @@
++#ifndef _NET_BATMAN_ADV_COMPAT_UAPI_LINUX_NL80211_H_
++#define _NET_BATMAN_ADV_COMPAT_UAPI_LINUX_NL80211_H_
++
++#include <linux/version.h>
++#include_next <uapi/linux/nl80211.h>
++
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
++
++/* for batadv_v_elp_get_throughput which would have used
++ * STATION_INFO_EXPECTED_THROUGHPUT in Linux 4.0.0
++ */
++#define NL80211_STA_INFO_EXPECTED_THROUGHPUT    28
++
++#endif /* < KERNEL_VERSION(4, 0, 0) */
++
++#endif	/* _NET_BATMAN_ADV_COMPAT_UAPI_LINUX_NL80211_H_ */
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index 7c54a9291c9eaed75dfdfdfbd200f84c51576cb3..06b2924f4cb7dde54bab97ad2d28aecd9b1a4ceb 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -19,6 +19,7 @@
+ #include "main.h"
+ 
+ #include <linux/atomic.h>
++#include <linux/bitops.h>
+ #include <linux/byteorder/generic.h>
+ #include <linux/errno.h>
+ #include <linux/etherdevice.h>
+@@ -29,6 +30,7 @@
+ #include <linux/kernel.h>
+ #include <linux/kref.h>
+ #include <linux/netdevice.h>
++#include <linux/nl80211.h>
+ #include <linux/random.h>
+ #include <linux/rculist.h>
+ #include <linux/rcupdate.h>
+@@ -111,6 +113,8 @@ static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh)
+ 		}
+ 		if (ret)
+ 			goto default_throughput;
++		if (!(sinfo.filled & BIT(NL80211_STA_INFO_EXPECTED_THROUGHPUT)))
++			goto default_throughput;
+ 
+ 		return sinfo.expected_throughput / 100;
+ 	}

batman-adv/patches/0019-batman-adv-fix-TT-sync-flag-inconsistencies.patch

@@ -0,0 +1,205 @@
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Thu, 6 Jul 2017 07:02:25 +0200
+Subject: batman-adv: fix TT sync flag inconsistencies
+
+This patch fixes an issue in the translation table code potentially
+leading to a TT Request + Response storm. The issue may occur for nodes
+involving BLA and an inconsistent configuration of the batman-adv AP
+isolation feature. However, since the new multicast optimizations, a
+single, malformed packet may lead to a mesh-wide, persistent
+Denial-of-Service, too.
+
+The issue occurs because nodes are currently OR-ing the TT sync flags of
+all originators announcing a specific MAC address via the
+translation table. When an intermediate node now receives a TT Request
+and wants to answer this on behalf of the destination node, then this
+intermediate node now responds with an altered flag field and broken
+CRC. The next OGM of the real destination will lead to a CRC mismatch
+and triggering a TT Request and Response again.
+
+Furthermore, the OR-ing is currently never undone as long as at least
+one originator announcing the according MAC address remains, leading to
+the potential persistency of this issue.
+
+This patch fixes this issue by storing the flags used in the CRC
+calculation on a a per TT orig entry basis to be able to respond with
+the correct, original flags in an intermediate TT Response for one
+thing. And to be able to correctly unset sync flags once all nodes
+announcing a sync flag vanish for another.
+
+Fixes: fa614fd04692 ("batman-adv: fix tt_global_entries flags update")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+[sw: typo in commit message]
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/382d020fe3fa528b1f65f8107df8fc023eb8cacb
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 199da2abe6ab92161ab66faa01fa3d06aeb68c89..a64003b824e0d0b05f0a9e44ccc32ba0cb3018fc 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1549,9 +1549,41 @@ batadv_tt_global_entry_has_orig(const struct batadv_tt_global_entry *entry,
+ 	return found;
+ }
+ 
++/**
++ * batadv_tt_global_sync_flags - update TT sync flags
++ * @tt_global: the TT global entry to update sync flags in
++ *
++ * Updates the sync flag bits in the tt_global flag attribute with a logical
++ * OR of all sync flags from any of its TT orig entries.
++ */
++static void
++batadv_tt_global_sync_flags(struct batadv_tt_global_entry *tt_global)
++{
++	struct batadv_tt_orig_list_entry *orig_entry;
++	const struct hlist_head *head;
++	u16 flags = BATADV_NO_FLAGS;
++
++	rcu_read_lock();
++	head = &tt_global->orig_list;
++	hlist_for_each_entry_rcu(orig_entry, head, list)
++		flags |= orig_entry->flags;
++	rcu_read_unlock();
++
++	flags |= tt_global->common.flags & (~BATADV_TT_SYNC_MASK);
++	tt_global->common.flags = flags;
++}
++
++/**
++ * batadv_tt_global_orig_entry_add - add or update a TT orig entry
++ * @tt_global: the TT global entry to add an orig entry in
++ * @orig_node: the originator to add an orig entry for
++ * @ttvn: translation table version number of this changeset
++ * @flags: TT sync flags
++ */
+ static void
+ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
+-				struct batadv_orig_node *orig_node, int ttvn)
++				struct batadv_orig_node *orig_node, int ttvn,
++				u8 flags)
+ {
+ 	struct batadv_tt_orig_list_entry *orig_entry;
+ 
+@@ -1561,7 +1593,8 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
+ 		 * was added during a "temporary client detection"
+ 		 */
+ 		orig_entry->ttvn = ttvn;
+-		goto out;
++		orig_entry->flags = flags;
++		goto sync_flags;
+ 	}
+ 
+ 	orig_entry = kmem_cache_zalloc(batadv_tt_orig_cache, GFP_ATOMIC);
+@@ -1573,6 +1606,7 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
+ 	batadv_tt_global_size_inc(orig_node, tt_global->common.vid);
+ 	orig_entry->orig_node = orig_node;
+ 	orig_entry->ttvn = ttvn;
++	orig_entry->flags = flags;
+ 	kref_init(&orig_entry->refcount);
+ 
+ 	spin_lock_bh(&tt_global->list_lock);
+@@ -1582,6 +1616,8 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
+ 	spin_unlock_bh(&tt_global->list_lock);
+ 	atomic_inc(&tt_global->orig_list_count);
+ 
++sync_flags:
++	batadv_tt_global_sync_flags(tt_global);
+ out:
+ 	if (orig_entry)
+ 		batadv_tt_orig_list_entry_put(orig_entry);
+@@ -1703,10 +1739,10 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
+ 		}
+ 
+ 		/* the change can carry possible "attribute" flags like the
+-		 * TT_CLIENT_WIFI, therefore they have to be copied in the
++		 * TT_CLIENT_TEMP, therefore they have to be copied in the
+ 		 * client entry
+ 		 */
+-		common->flags |= flags;
++		common->flags |= flags & (~BATADV_TT_SYNC_MASK);
+ 
+ 		/* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only
+ 		 * one originator left in the list and we previously received a
+@@ -1723,7 +1759,8 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
+ 	}
+ add_orig_entry:
+ 	/* add the new orig_entry (if needed) or update it */
+-	batadv_tt_global_orig_entry_add(tt_global_entry, orig_node, ttvn);
++	batadv_tt_global_orig_entry_add(tt_global_entry, orig_node, ttvn,
++					flags & BATADV_TT_SYNC_MASK);
+ 
+ 	batadv_dbg(BATADV_DBG_TT, bat_priv,
+ 		   "Creating new global tt entry: %pM (vid: %d, via %pM)\n",
+@@ -1946,6 +1983,7 @@ batadv_tt_global_dump_subentry(struct sk_buff *msg, u32 portid, u32 seq,
+ 			       struct batadv_tt_orig_list_entry *orig,
+ 			       bool best)
+ {
++	u16 flags = (common->flags & (~BATADV_TT_SYNC_MASK)) | orig->flags;
+ 	void *hdr;
+ 	struct batadv_orig_node_vlan *vlan;
+ 	u8 last_ttvn;
+@@ -1975,7 +2013,7 @@ batadv_tt_global_dump_subentry(struct sk_buff *msg, u32 portid, u32 seq,
+ 	    nla_put_u8(msg, BATADV_ATTR_TT_LAST_TTVN, last_ttvn) ||
+ 	    nla_put_u32(msg, BATADV_ATTR_TT_CRC32, crc) ||
+ 	    nla_put_u16(msg, BATADV_ATTR_TT_VID, common->vid) ||
+-	    nla_put_u32(msg, BATADV_ATTR_TT_FLAGS, common->flags))
++	    nla_put_u32(msg, BATADV_ATTR_TT_FLAGS, flags))
+ 		goto nla_put_failure;
+ 
+ 	if (best && nla_put_flag(msg, BATADV_ATTR_FLAG_BEST))
+@@ -2589,6 +2627,7 @@ static u32 batadv_tt_global_crc(struct batadv_priv *bat_priv,
+ 				unsigned short vid)
+ {
+ 	struct batadv_hashtable *hash = bat_priv->tt.global_hash;
++	struct batadv_tt_orig_list_entry *tt_orig;
+ 	struct batadv_tt_common_entry *tt_common;
+ 	struct batadv_tt_global_entry *tt_global;
+ 	struct hlist_head *head;
+@@ -2627,8 +2666,9 @@ static u32 batadv_tt_global_crc(struct batadv_priv *bat_priv,
+ 			/* find out if this global entry is announced by this
+ 			 * originator
+ 			 */
+-			if (!batadv_tt_global_entry_has_orig(tt_global,
+-							     orig_node))
++			tt_orig = batadv_tt_global_orig_entry_find(tt_global,
++								   orig_node);
++			if (!tt_orig)
+ 				continue;
+ 
+ 			/* use network order to read the VID: this ensures that
+@@ -2640,10 +2680,12 @@ static u32 batadv_tt_global_crc(struct batadv_priv *bat_priv,
+ 			/* compute the CRC on flags that have to be kept in sync
+ 			 * among nodes
+ 			 */
+-			flags = tt_common->flags & BATADV_TT_SYNC_MASK;
++			flags = tt_orig->flags;
+ 			crc_tmp = crc32c(crc_tmp, &flags, sizeof(flags));
+ 
+ 			crc ^= crc32c(crc_tmp, tt_common->addr, ETH_ALEN);
++
++			batadv_tt_orig_list_entry_put(tt_orig);
+ 		}
+ 		rcu_read_unlock();
+ 	}
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index 5137d859694c28f60cad33325127617c047412ff..7c928938b22dcae681294700252c0ae74378f999 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -1262,6 +1262,7 @@ struct batadv_tt_global_entry {
+  * struct batadv_tt_orig_list_entry - orig node announcing a non-mesh client
+  * @orig_node: pointer to orig node announcing this non-mesh client
+  * @ttvn: translation table version number which added the non-mesh client
++ * @flags: per orig entry TT sync flags
+  * @list: list node for batadv_tt_global_entry::orig_list
+  * @refcount: number of contexts the object is used
+  * @rcu: struct used for freeing in an RCU-safe manner
+@@ -1269,6 +1270,7 @@ struct batadv_tt_global_entry {
+ struct batadv_tt_orig_list_entry {
+ 	struct batadv_orig_node *orig_node;
+ 	u8 ttvn;
++	u8 flags;
+ 	struct hlist_node list;
+ 	struct kref refcount;
+ 	struct rcu_head rcu;

batman-adv/patches/0020-batman-adv-Avoid-spurious-warnings-from-bat_v-neigh_.patch

@@ -0,0 +1,53 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Mon, 16 Oct 2017 09:48:03 +0200
+Subject: batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation
+
+The neighbor compare API implementation for B.A.T.M.A.N. V checks whether
+the neigh_ifinfo for this neighbor on a specific interface exists. A
+warning is printed when it isn't found.
+
+But it is not called inside a lock which would prevent that this
+information is lost right before batadv_neigh_ifinfo_get. It must therefore
+be expected that batadv_v_neigh_(cmp|is_sob) might not be able to get the
+requested neigh_ifinfo.
+
+A WARN_ON for such a situation seems not to be appropriate because this
+will only flood the kernel logs. The warnings must therefore be removed.
+
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/0dee8aba4702f82197ed3428ede6b3884fdff5ca
+
+diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
+index 2e2471ca84e392faac7fd6537bf137161e27542a..80679f17d40170237ce6ad2d800da96bbef79e37 100644
+--- a/net/batman-adv/bat_v.c
++++ b/net/batman-adv/bat_v.c
+@@ -623,11 +623,11 @@ static int batadv_v_neigh_cmp(struct batadv_neigh_node *neigh1,
+ 	int ret = 0;
+ 
+ 	ifinfo1 = batadv_neigh_ifinfo_get(neigh1, if_outgoing1);
+-	if (WARN_ON(!ifinfo1))
++	if (!ifinfo1)
+ 		goto err_ifinfo1;
+ 
+ 	ifinfo2 = batadv_neigh_ifinfo_get(neigh2, if_outgoing2);
+-	if (WARN_ON(!ifinfo2))
++	if (!ifinfo2)
+ 		goto err_ifinfo2;
+ 
+ 	ret = ifinfo1->bat_v.throughput - ifinfo2->bat_v.throughput;
+@@ -649,11 +649,11 @@ static bool batadv_v_neigh_is_sob(struct batadv_neigh_node *neigh1,
+ 	bool ret = false;
+ 
+ 	ifinfo1 = batadv_neigh_ifinfo_get(neigh1, if_outgoing1);
+-	if (WARN_ON(!ifinfo1))
++	if (!ifinfo1)
+ 		goto err_ifinfo1;
+ 
+ 	ifinfo2 = batadv_neigh_ifinfo_get(neigh2, if_outgoing2);
+-	if (WARN_ON(!ifinfo2))
++	if (!ifinfo2)
+ 		goto err_ifinfo2;
+ 
+ 	threshold = ifinfo1->bat_v.throughput / 4;

batman-adv/patches/0021-batman-adv-Always-initialize-fragment-header-priorit.patch

@@ -0,0 +1,27 @@
+From: Sven Eckelmann <sven.eckelmann@open-mesh.com>
+Date: Wed, 29 Nov 2017 10:25:02 +0100
+Subject: batman-adv: Always initialize fragment header priority
+
+The batman-adv unuicast fragment header contains 3 bits for the priority of
+the packet. These bits will be initialized when the skb->priority contains
+a value between 256 and 263. But otherwise, the uninitialized bits from the
+stack will be used.
+
+Fixes: 4f241fcea704 ("batman-adv: Include frame priority in fragment header")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/e45a75c82feae23a20d2744ccfde03780ccdafc7
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 70e512111528b0345889cea4ffd0ad5d984a4e6a..28f54887c975905d03372ab8ba5274fd82117651 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -500,6 +500,8 @@ int batadv_frag_send_packet(struct sk_buff *skb,
+ 	 */
+ 	if (skb->priority >= 256 && skb->priority <= 263)
+ 		frag_header.priority = skb->priority - 256;
++	else
++		frag_header.priority = 0;
+ 
+ 	ether_addr_copy(frag_header.orig, primary_if->net_dev->dev_addr);
+ 	ether_addr_copy(frag_header.dest, orig_node->orig);

batman-adv/patches/0022-batman-adv-Fix-check-of-retrieved-orig_gw-in-batadv_.patch

@@ -0,0 +1,28 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Wed, 29 Nov 2017 10:50:42 +0100
+Subject: batman-adv: Fix check of retrieved orig_gw in batadv_v_gw_is_eligible
+
+The batadv_v_gw_is_eligible function already assumes that orig_node is not
+NULL. But batadv_gw_node_get may have failed to find the originator. It
+must therefore be checked whether the batadv_gw_node_get failed and not
+whether orig_node is NULL to detect this error.
+
+Fixes: 80b2d47be2c7 ("batman-adv: B.A.T.M.A.N. V - implement GW selection logic")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/c7380677d6167f3798d3ea7a4f1a93663f3c7915
+
+diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
+index 80679f17d40170237ce6ad2d800da96bbef79e37..2f77e112d4cb4db7b1086715a597ef995054fdc1 100644
+--- a/net/batman-adv/bat_v.c
++++ b/net/batman-adv/bat_v.c
+@@ -815,7 +815,7 @@ static bool batadv_v_gw_is_eligible(struct batadv_priv *bat_priv,
+ 	}
+ 
+ 	orig_gw = batadv_gw_node_get(bat_priv, orig_node);
+-	if (!orig_node)
++	if (!orig_gw)
+ 		goto out;
+ 
+ 	if (batadv_v_gw_throughput_get(orig_gw, &orig_throughput) < 0)

batman-adv/patches/0023-batman-adv-Fix-lock-for-ogm-cnt-access-in-batadv_iv_.patch

@@ -0,0 +1,39 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 3 Dec 2017 11:26:45 +0100
+Subject: batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq
+
+The originator node object orig_neigh_node is used to when accessing the
+bcast_own(_sum) and real_packet_count information. The access to them has
+to be protected with the spinlock in orig_neigh_node.
+
+But the function uses the lock in orig_node instead. This is incorrect
+because they could be two different originator node objects.
+
+Fixes: f14416760b62 ("batman-adv: protect bit operations to count OGMs with spinlock")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/9a3b195410e5d2f285cdf0073fef721ff8d9474d
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index 7bfd0d7ef49df8e699f91e2b827b824aa3657c0d..56b4984d738e87098c24213d4aa277a2ef948fec 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -1214,7 +1214,7 @@ static bool batadv_iv_ogm_calc_tq(struct batadv_orig_node *orig_node,
+ 	orig_node->last_seen = jiffies;
+ 
+ 	/* find packet count of corresponding one hop neighbor */
+-	spin_lock_bh(&orig_node->bat_iv.ogm_cnt_lock);
++	spin_lock_bh(&orig_neigh_node->bat_iv.ogm_cnt_lock);
+ 	if_num = if_incoming->if_num;
+ 	orig_eq_count = orig_neigh_node->bat_iv.bcast_own_sum[if_num];
+ 	neigh_ifinfo = batadv_neigh_ifinfo_new(neigh_node, if_outgoing);
+@@ -1224,7 +1224,7 @@ static bool batadv_iv_ogm_calc_tq(struct batadv_orig_node *orig_node,
+ 	} else {
+ 		neigh_rq_count = 0;
+ 	}
+-	spin_unlock_bh(&orig_node->bat_iv.ogm_cnt_lock);
++	spin_unlock_bh(&orig_neigh_node->bat_iv.ogm_cnt_lock);
+ 
+ 	/* pay attention to not get a value bigger than 100 % */
+ 	if (orig_eq_count > neigh_rq_count)

batman-adv/patches/0024-batman-adv-fix-packet-checksum-in-receive-path.patch

@@ -0,0 +1,40 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 23 Jan 2018 10:59:49 +0100
+Subject: batman-adv: fix packet checksum in receive path
+
+eth_type_trans() internally calls skb_pull(), which does not adjust the
+skb checksum; skb_postpull_rcsum() is necessary to avoid log spam of the
+form "bat0: hw csum failure" when packets with CHECKSUM_COMPLETE are
+received.
+
+Note that in usual setups, packets don't reach batman-adv with
+CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see
+batadv's ethtype?), which is why the log messages do not occur on every
+system using batman-adv. I could reproduce this issue by stacking
+batman-adv on top of a VXLAN interface.
+
+Fixes: fe28a94c01e1 ("batman-adv: receive packets directly using skbs")
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/798174b15153afd88268f2f87811602f68b3f2c6
+
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index 08432b14386a53c771c54b9eb38893d94c6f9b53..5da1a1c0f1efb5d95f31bc852b899f61e462feb1 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -470,13 +470,7 @@ void batadv_interface_rx(struct net_device *soft_iface,
+ 
+ 	/* skb->dev & skb->pkt_type are set here */
+ 	skb->protocol = eth_type_trans(skb, soft_iface);
+-
+-	/* should not be necessary anymore as we use skb_pull_rcsum()
+-	 * TODO: please verify this and remove this TODO
+-	 * -- Dec 21st 2009, Simon Wunderlich
+-	 */
+-
+-	/* skb->ip_summed = CHECKSUM_UNNECESSARY; */
++	skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
+ 
+ 	batadv_inc_counter(bat_priv, BATADV_CNT_RX);
+ 	batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,

batman-adv/patches/0025-batman-adv-invalidate-checksum-on-fragment-reassembl.patch

@@ -0,0 +1,36 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 23 Jan 2018 10:59:50 +0100
+Subject: batman-adv: invalidate checksum on fragment reassembly
+
+A more sophisticated implementation could try to combine fragment checksums
+when all fragments have CHECKSUM_COMPLETE and are split at even offsets.
+For now, we just set ip_summed to CHECKSUM_NONE to avoid "hw csum failure"
+warnings in the kernel log when fragmented frames are received. In
+consequence, skb_pull_rcsum() can be replaced with skb_pull().
+
+Note that in usual setups, packets don't reach batman-adv with
+CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see
+batadv's ethtype?), which is why the log messages do not occur on every
+system using batman-adv. I could reproduce this issue by stacking
+batman-adv on top of a VXLAN interface.
+
+Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/2c1bce065baa688bc1eca4116f83ca3b790432a5
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 28f54887c975905d03372ab8ba5274fd82117651..5969d3705ec08a96438ecce06577d35291600753 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -287,7 +287,8 @@ batadv_frag_merge_packets(struct hlist_head *chain)
+ 	/* Move the existing MAC header to just before the payload. (Override
+ 	 * the fragment header.)
+ 	 */
+-	skb_pull_rcsum(skb_out, hdr_size);
++	skb_pull(skb_out, hdr_size);
++	skb_out->ip_summed = CHECKSUM_NONE;
+ 	memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN);
+ 	skb_set_mac_header(skb_out, -ETH_HLEN);
+ 	skb_reset_network_header(skb_out);

batman-adv/patches/0026-batman-adv-Ignore-invalid-batadv_iv_gw-during-netlin.patch

@@ -0,0 +1,30 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Mon, 19 Feb 2018 14:08:52 +0100
+Subject: batman-adv: Ignore invalid batadv_iv_gw during netlink send
+
+The function batadv_iv_gw_dump stops the processing loop when
+batadv_iv_gw_dump_entry returns a non-0 return code. This should only
+happen when the buffer is full. Otherwise, an empty message may be
+returned by batadv_gw_dump. This empty message will then stop the netlink
+dumping of gateway entries. At worst, not a single entry is returned to
+userspace even when plenty of possible gateways exist.
+
+Fixes: fa3228924152 ("batman-adv: add B.A.T.M.A.N. IV bat_gw_dump implementations")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/c58f37c248bb4926cda82fd0463b6fecb3d3654f
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index 56b4984d738e87098c24213d4aa277a2ef948fec..1847898906d495980a71eb6a0e5a7b510e55d003 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -2719,7 +2719,7 @@ static int batadv_iv_gw_dump_entry(struct sk_buff *msg, u32 portid, u32 seq,
+ 	struct batadv_neigh_ifinfo *router_ifinfo = NULL;
+ 	struct batadv_neigh_node *router;
+ 	struct batadv_gw_node *curr_gw;
+-	int ret = -EINVAL;
++	int ret = 0;
+ 	void *hdr;
+ 
+ 	router = batadv_orig_router_get(gw_node->orig_node, BATADV_IF_DEFAULT);

batman-adv/patches/0027-batman-adv-Ignore-invalid-batadv_v_gw-during-netlink.patch

@@ -0,0 +1,30 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Mon, 19 Feb 2018 14:08:53 +0100
+Subject: batman-adv: Ignore invalid batadv_v_gw during netlink send
+
+The function batadv_v_gw_dump stops the processing loop when
+batadv_v_gw_dump_entry returns a non-0 return code. This should only
+happen when the buffer is full. Otherwise, an empty message may be
+returned by batadv_gw_dump. This empty message will then stop the netlink
+dumping of gateway entries. At worst, not a single entry is returned to
+userspace even when plenty of possible gateways exist.
+
+Fixes: 15315a94ad98 ("batman-adv: add B.A.T.M.A.N. V bat_gw_dump implementations")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/12f1d3a6bf4d157928fec509aab981e5243ee438
+
+diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
+index 2f77e112d4cb4db7b1086715a597ef995054fdc1..0488063ff6ac5985e27c3a0df41ab3566b48abb8 100644
+--- a/net/batman-adv/bat_v.c
++++ b/net/batman-adv/bat_v.c
+@@ -930,7 +930,7 @@ static int batadv_v_gw_dump_entry(struct sk_buff *msg, u32 portid, u32 seq,
+ 	struct batadv_neigh_ifinfo *router_ifinfo = NULL;
+ 	struct batadv_neigh_node *router;
+ 	struct batadv_gw_node *curr_gw;
+-	int ret = -EINVAL;
++	int ret = 0;
+ 	void *hdr;
+ 
+ 	router = batadv_orig_router_get(gw_node->orig_node, BATADV_IF_DEFAULT);

batman-adv/patches/0028-batman-adv-Fix-netlink-dumping-of-BLA-claims.patch

@@ -0,0 +1,59 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 24 Feb 2018 12:03:36 +0100
+Subject: batman-adv: Fix netlink dumping of BLA claims
+
+The function batadv_bla_claim_dump_bucket must be able to handle
+non-complete dumps of a single bucket. It tries to do that by saving the
+latest dumped index in *idx_skip to inform the caller about the current
+state.
+
+But the caller only assumes that buckets were not completely dumped when
+the return code is non-zero. This function must therefore also return a
+non-zero index when the dumping of an entry failed. Otherwise the caller
+will just skip all remaining buckets.
+
+And the function must also reset *idx_skip back to zero when it finished a
+bucket. Otherwise it will skip the same number of entries in the next
+bucket as the previous one had.
+
+Fixes: 3b7a63606020 ("batman-adv: add B.A.T.M.A.N. Dump BLA claims via netlink")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/49197c00f82cfcfeef963ef9367841d38a6ff207
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index 1e6e5d4468ad50c221ea5a0d436678d16c5e154f..4784469cadd4364b6239ce9ff0d1c7cc254de439 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -2149,22 +2149,25 @@ batadv_bla_claim_dump_bucket(struct sk_buff *msg, u32 portid, u32 seq,
+ {
+ 	struct batadv_bla_claim *claim;
+ 	int idx = 0;
++	int ret = 0;
+ 
+ 	rcu_read_lock();
+ 	hlist_for_each_entry_rcu(claim, head, hash_entry) {
+ 		if (idx++ < *idx_skip)
+ 			continue;
+-		if (batadv_bla_claim_dump_entry(msg, portid, seq,
+-						primary_if, claim)) {
++
++		ret = batadv_bla_claim_dump_entry(msg, portid, seq,
++						  primary_if, claim);
++		if (ret) {
+ 			*idx_skip = idx - 1;
+ 			goto unlock;
+ 		}
+ 	}
+ 
+-	*idx_skip = idx;
++	*idx_skip = 0;
+ unlock:
+ 	rcu_read_unlock();
+-	return 0;
++	return ret;
+ }
+ 
+ /**

batman-adv/patches/0029-batman-adv-Fix-netlink-dumping-of-BLA-backbones.patch

@@ -0,0 +1,59 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 24 Feb 2018 12:03:37 +0100
+Subject: batman-adv: Fix netlink dumping of BLA backbones
+
+The function batadv_bla_backbone_dump_bucket must be able to handle
+non-complete dumps of a single bucket. It tries to do that by saving the
+latest dumped index in *idx_skip to inform the caller about the current
+state.
+
+But the caller only assumes that buckets were not completely dumped when
+the return code is non-zero. This function must therefore also return a
+non-zero index when the dumping of an entry failed. Otherwise the caller
+will just skip all remaining buckets.
+
+And the function must also reset *idx_skip back to zero when it finished a
+bucket. Otherwise it will skip the same number of entries in the next
+bucket as the previous one had.
+
+Fixes: 7f609cab5123 ("batman-adv: add backbone table netlink support")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/29e4759e49f06014b84791397ebe1b22546edd2d
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index 4784469cadd4364b6239ce9ff0d1c7cc254de439..aecf34503e95d9aa723449ddbf0bb3035336b878 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -2382,22 +2382,25 @@ batadv_bla_backbone_dump_bucket(struct sk_buff *msg, u32 portid, u32 seq,
+ {
+ 	struct batadv_bla_backbone_gw *backbone_gw;
+ 	int idx = 0;
++	int ret = 0;
+ 
+ 	rcu_read_lock();
+ 	hlist_for_each_entry_rcu(backbone_gw, head, hash_entry) {
+ 		if (idx++ < *idx_skip)
+ 			continue;
+-		if (batadv_bla_backbone_dump_entry(msg, portid, seq,
+-						   primary_if, backbone_gw)) {
++
++		ret = batadv_bla_backbone_dump_entry(msg, portid, seq,
++						     primary_if, backbone_gw);
++		if (ret) {
+ 			*idx_skip = idx - 1;
+ 			goto unlock;
+ 		}
+ 	}
+ 
+-	*idx_skip = idx;
++	*idx_skip = 0;
+ unlock:
+ 	rcu_read_unlock();
+-	return 0;
++	return ret;
+ }
+ 
+ /**

batman-adv/patches/0030-batman-adv-Fix-internal-interface-indices-types.patch

@@ -0,0 +1,234 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Tue, 26 Dec 2017 15:14:01 +0100
+Subject: batman-adv: Fix internal interface indices types
+
+batman-adv uses internal indices for each enabled and active interface.
+It is currently used by the B.A.T.M.A.N. IV algorithm to identifify the
+correct position in the ogm_cnt bitmaps.
+
+The type for the number of enabled interfaces (which defines the next
+interface index) was set to char. This type can be (depending on the
+architecture) either signed (limiting batman-adv to 127 active slave
+interfaces) or unsigned (limiting batman-adv to 255 active slave
+interfaces).
+
+This limit was not correctly checked when an interface was enabled and thus
+an overflow happened. This was only catched on systems with the signed char
+type when the B.A.T.M.A.N. IV code tried to resize its counter arrays with
+a negative size.
+
+The if_num interface index was only a s16 and therefore significantly
+smaller than the ifindex (int) used by the code net code.
+
+Both &batadv_hard_iface->if_num and &batadv_priv->num_ifaces must be
+(unsigned) int to support the same number of slave interfaces as the net
+core code. And the interface activation code must check the number of
+active slave interfaces to avoid integer overflows.
+
+Fixes: d1fbb61d0534 ("raw socket operations added: create / destroy / bind / send broadcast of own OGMs implemented orig interval configurable via /proc/net/batman-adv/orig_interval")
+Fixes: ea6f8d42a595 ("batman-adv: move /proc interface handling to /sys")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: backport, https://git.open-mesh.org/batman-adv.git/commit/d5db560de1352d3ec6933bca25b3aaad7ddd15e1
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index 1847898906d495980a71eb6a0e5a7b510e55d003..bf389adbb2694746d6397a0a38353cdcd8008899 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -149,7 +149,7 @@ static void batadv_iv_ogm_orig_free(struct batadv_orig_node *orig_node)
+  * Return: 0 on success, a negative error code otherwise.
+  */
+ static int batadv_iv_ogm_orig_add_if(struct batadv_orig_node *orig_node,
+-				     int max_if_num)
++				     unsigned int max_if_num)
+ {
+ 	void *data_ptr;
+ 	size_t old_size;
+@@ -193,7 +193,8 @@ unlock:
+  */
+ static void
+ batadv_iv_ogm_drop_bcast_own_entry(struct batadv_orig_node *orig_node,
+-				   int max_if_num, int del_if_num)
++				   unsigned int max_if_num,
++				   unsigned int del_if_num)
+ {
+ 	size_t chunk_size;
+ 	size_t if_offset;
+@@ -231,7 +232,8 @@ batadv_iv_ogm_drop_bcast_own_entry(struct batadv_orig_node *orig_node,
+  */
+ static void
+ batadv_iv_ogm_drop_bcast_own_sum_entry(struct batadv_orig_node *orig_node,
+-				       int max_if_num, int del_if_num)
++				       unsigned int max_if_num,
++				       unsigned int del_if_num)
+ {
+ 	size_t if_offset;
+ 	void *data_ptr;
+@@ -268,7 +270,8 @@ batadv_iv_ogm_drop_bcast_own_sum_entry(struct batadv_orig_node *orig_node,
+  * Return: 0 on success, a negative error code otherwise.
+  */
+ static int batadv_iv_ogm_orig_del_if(struct batadv_orig_node *orig_node,
+-				     int max_if_num, int del_if_num)
++				     unsigned int max_if_num,
++				     unsigned int del_if_num)
+ {
+ 	spin_lock_bh(&orig_node->bat_iv.ogm_cnt_lock);
+ 
+@@ -302,7 +305,8 @@ static struct batadv_orig_node *
+ batadv_iv_ogm_orig_get(struct batadv_priv *bat_priv, const u8 *addr)
+ {
+ 	struct batadv_orig_node *orig_node;
+-	int size, hash_added;
++	int hash_added;
++	size_t size;
+ 
+ 	orig_node = batadv_orig_hash_find(bat_priv, addr);
+ 	if (orig_node)
+@@ -885,7 +889,7 @@ batadv_iv_ogm_slide_own_bcast_window(struct batadv_hard_iface *hard_iface)
+ 	u32 i;
+ 	size_t word_index;
+ 	u8 *w;
+-	int if_num;
++	unsigned int if_num;
+ 
+ 	for (i = 0; i < hash->size; i++) {
+ 		head = &hash->table[i];
+@@ -1015,7 +1019,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
+ 	struct batadv_neigh_node *tmp_neigh_node = NULL;
+ 	struct batadv_neigh_node *router = NULL;
+ 	struct batadv_orig_node *orig_node_tmp;
+-	int if_num;
++	unsigned int if_num;
+ 	u8 sum_orig, sum_neigh;
+ 	u8 *neigh_addr;
+ 	u8 tq_avg;
+@@ -1173,7 +1177,7 @@ static bool batadv_iv_ogm_calc_tq(struct batadv_orig_node *orig_node,
+ 	u8 total_count;
+ 	u8 orig_eq_count, neigh_rq_count, neigh_rq_inv, tq_own;
+ 	unsigned int neigh_rq_inv_cube, neigh_rq_max_cube;
+-	int if_num;
++	unsigned int if_num;
+ 	unsigned int tq_asym_penalty, inv_asym_penalty;
+ 	unsigned int combined_tq;
+ 	unsigned int tq_iface_penalty;
+@@ -1692,9 +1696,9 @@ static void batadv_iv_ogm_process(const struct sk_buff *skb, int ogm_offset,
+ 
+ 	if (is_my_orig) {
+ 		unsigned long *word;
+-		int offset;
++		size_t offset;
+ 		s32 bit_pos;
+-		s16 if_num;
++		unsigned int if_num;
+ 		u8 *weight;
+ 
+ 		orig_neigh_node = batadv_iv_ogm_orig_get(bat_priv,
+diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
+index 6969f580d0bfd0428f1c6985eaec8bbbf5a0d38b..ebeea5816a06b33c4944b01e40cee157c88bdff7 100644
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -741,6 +741,11 @@ int batadv_hardif_enable_interface(struct batadv_hard_iface *hard_iface,
+ 	hard_iface->soft_iface = soft_iface;
+ 	bat_priv = netdev_priv(hard_iface->soft_iface);
+ 
++	if (bat_priv->num_ifaces >= UINT_MAX) {
++		ret = -ENOSPC;
++		goto err_dev;
++	}
++
+ 	ret = netdev_master_upper_dev_link(hard_iface->net_dev,
+ 					   soft_iface, NULL, NULL);
+ 	if (ret)
+@@ -848,7 +853,7 @@ void batadv_hardif_disable_interface(struct batadv_hard_iface *hard_iface,
+ 	batadv_hardif_recalc_extra_skbroom(hard_iface->soft_iface);
+ 
+ 	/* nobody uses this interface anymore */
+-	if (!bat_priv->num_ifaces) {
++	if (bat_priv->num_ifaces == 0) {
+ 		batadv_gw_check_client_stop(bat_priv);
+ 
+ 		if (autodel == BATADV_IF_CLEANUP_AUTO)
+@@ -884,7 +889,7 @@ batadv_hardif_add_interface(struct net_device *net_dev)
+ 	if (ret)
+ 		goto free_if;
+ 
+-	hard_iface->if_num = -1;
++	hard_iface->if_num = 0;
+ 	hard_iface->net_dev = net_dev;
+ 	hard_iface->soft_iface = NULL;
+ 	hard_iface->if_status = BATADV_IF_NOT_IN_USE;
+diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
+index 8f3b2969cc4e3044e714086329166b9a3b7517a4..d9ee84340d93bd03f1de504f7223c7f894818906 100644
+--- a/net/batman-adv/originator.c
++++ b/net/batman-adv/originator.c
+@@ -1500,7 +1500,7 @@ int batadv_orig_dump(struct sk_buff *msg, struct netlink_callback *cb)
+ }
+ 
+ int batadv_orig_hash_add_if(struct batadv_hard_iface *hard_iface,
+-			    int max_if_num)
++			    unsigned int max_if_num)
+ {
+ 	struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+ 	struct batadv_algo_ops *bao = bat_priv->algo_ops;
+@@ -1535,7 +1535,7 @@ err:
+ }
+ 
+ int batadv_orig_hash_del_if(struct batadv_hard_iface *hard_iface,
+-			    int max_if_num)
++			    unsigned int max_if_num)
+ {
+ 	struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+ 	struct batadv_hashtable *hash = bat_priv->orig_hash;
+diff --git a/net/batman-adv/originator.h b/net/batman-adv/originator.h
+index ebc56183f3581835c899272425a212ff092033b6..fab0b2cc141d9affdbcf68f1d0ce7aad753c3857 100644
+--- a/net/batman-adv/originator.h
++++ b/net/batman-adv/originator.h
+@@ -78,9 +78,9 @@ int batadv_orig_seq_print_text(struct seq_file *seq, void *offset);
+ int batadv_orig_dump(struct sk_buff *msg, struct netlink_callback *cb);
+ int batadv_orig_hardif_seq_print_text(struct seq_file *seq, void *offset);
+ int batadv_orig_hash_add_if(struct batadv_hard_iface *hard_iface,
+-			    int max_if_num);
++			    unsigned int max_if_num);
+ int batadv_orig_hash_del_if(struct batadv_hard_iface *hard_iface,
+-			    int max_if_num);
++			    unsigned int max_if_num);
+ struct batadv_orig_node_vlan *
+ batadv_orig_node_vlan_new(struct batadv_orig_node *orig_node,
+ 			  unsigned short vid);
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index 7c928938b22dcae681294700252c0ae74378f999..bf1d3f0258ffb2fb8ee483337012798b20462cd6 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -155,7 +155,7 @@ enum batadv_hard_iface_wifi_flags {
+  */
+ struct batadv_hard_iface {
+ 	struct list_head list;
+-	s16 if_num;
++	unsigned int if_num;
+ 	char if_status;
+ 	u8 num_bcasts;
+ 	u32 wifi_flags;
+@@ -1081,7 +1081,7 @@ struct batadv_priv {
+ 	atomic_t bcast_seqno;
+ 	atomic_t bcast_queue_left;
+ 	atomic_t batman_queue_left;
+-	char num_ifaces;
++	unsigned int num_ifaces;
+ 	struct kobject *mesh_obj;
+ 	struct dentry *debug_dir;
+ 	struct hlist_head forw_bat_list;
+@@ -1477,9 +1477,10 @@ struct batadv_algo_neigh_ops {
+  */
+ struct batadv_algo_orig_ops {
+ 	void (*free)(struct batadv_orig_node *orig_node);
+-	int (*add_if)(struct batadv_orig_node *orig_node, int max_if_num);
+-	int (*del_if)(struct batadv_orig_node *orig_node, int max_if_num,
+-		      int del_if_num);
++	int (*add_if)(struct batadv_orig_node *orig_node,
++		      unsigned int max_if_num);
++	int (*del_if)(struct batadv_orig_node *orig_node,
++		      unsigned int max_if_num, unsigned int del_if_num);
+ #ifdef CONFIG_BATMAN_ADV_DEBUGFS
+ 	void (*print)(struct batadv_priv *priv, struct seq_file *seq,
+ 		      struct batadv_hard_iface *hard_iface);

batman-adv/patches/0031-batman-adv-Fix-multicast-packet-loss-with-a-single-W.patch

@@ -0,0 +1,35 @@
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Sun, 4 Mar 2018 13:08:17 +0100
+Subject: batman-adv: Fix multicast packet loss with a single WANT_ALL_IPV4/6 flag
+
+As the kernel doc describes too the code is supposed to skip adding
+multicast TT entries if both the WANT_ALL_IPV4 and WANT_ALL_IPV6 flags
+are present.
+
+Unfortunately, the current code even skips adding multicast TT entries
+if only either the WANT_ALL_IPV4 or WANT_ALL_IPV6 is present.
+
+This could lead to IPv6 multicast packet loss if only an IGMP but not an
+MLD querier is present for instance or vice versa.
+
+Fixes: 391b59cdb111 ("batman-adv: Add multicast optimization support for bridged setups")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/edba00d56efb1d55cdd40957e010fba80580b5e2
+
+diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
+index 090a69fc342eac8a0b6bf89556d2b32523817d09..1fb4f87be11e984f3a839c0b2dea939cd692b04d 100644
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -541,8 +541,8 @@ update:
+ 		bat_priv->mcast.enabled = true;
+ 	}
+ 
+-	return !(mcast_data.flags &
+-		 (BATADV_MCAST_WANT_ALL_IPV4 | BATADV_MCAST_WANT_ALL_IPV6));
++	return !(mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV4 &&
++		 mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV6);
+ }
+ 
+ /**

batman-adv/patches/0032-batman-adv-update-data-pointers-after-skb_cow.patch

@@ -0,0 +1,58 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Fri, 16 Mar 2018 11:29:09 +0100
+Subject: batman-adv: update data pointers after skb_cow()
+
+batadv_check_unicast_ttvn() calls skb_cow(), so pointers into the SKB data
+must be (re)set after calling it. The ethhdr variable is dropped
+altogether.
+
+Fixes: 78fc6bbe0aca ("batman-adv: add UNICAST_4ADDR packet type")
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/64d22c76a207ed313b2496f0709b2567719452c4
+
+diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
+index 213cc01ad00392f7cbd4efd9d4796f76691d2d9e..8d927931017e53d285d9c64b4b850bb1d0388e11 100644
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -946,14 +946,10 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
+ 	struct batadv_orig_node *orig_node = NULL, *orig_node_gw = NULL;
+ 	int check, hdr_size = sizeof(*unicast_packet);
+ 	enum batadv_subtype subtype;
+-	struct ethhdr *ethhdr;
+ 	int ret = NET_RX_DROP;
+ 	bool is4addr, is_gw;
+ 
+ 	unicast_packet = (struct batadv_unicast_packet *)skb->data;
+-	unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
+-	ethhdr = eth_hdr(skb);
+-
+ 	is4addr = unicast_packet->packet_type == BATADV_UNICAST_4ADDR;
+ 	/* the caller function should have already pulled 2 bytes */
+ 	if (is4addr)
+@@ -973,12 +969,14 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
+ 	if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size))
+ 		goto free_skb;
+ 
++	unicast_packet = (struct batadv_unicast_packet *)skb->data;
++
+ 	/* packet for me */
+ 	if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
+ 		/* If this is a unicast packet from another backgone gw,
+ 		 * drop it.
+ 		 */
+-		orig_addr_gw = ethhdr->h_source;
++		orig_addr_gw = eth_hdr(skb)->h_source;
+ 		orig_node_gw = batadv_orig_hash_find(bat_priv, orig_addr_gw);
+ 		if (orig_node_gw) {
+ 			is_gw = batadv_bla_is_backbone_gw(skb, orig_node_gw,
+@@ -993,6 +991,8 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
+ 		}
+ 
+ 		if (is4addr) {
++			unicast_4addr_packet =
++				(struct batadv_unicast_4addr_packet *)skb->data;
+ 			subtype = unicast_4addr_packet->subtype;
+ 			batadv_dat_inc_counter(bat_priv, subtype);
+ 

batman-adv/patches/0033-batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch

@@ -0,0 +1,27 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Fri, 16 Mar 2018 11:29:10 +0100
+Subject: batman-adv: fix header size check in batadv_dbg_arp()
+
+Checking for 0 is insufficient: when an SKB without a batadv header, but
+with a VLAN header is received, hdr_size will be 4, making the following
+code interpret the Ethernet header as a batadv header.
+
+Fixes: 3e26722bc9f2 ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/7dfe729b169b1217f47744edbd1616f473340fda
+
+diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
+index 4d982e63a3ab269e3d3b1e7a9d5f205638051603..fcd38e48a6ea74bd91b0bdd874cb5e88e661e729 100644
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -391,7 +391,7 @@ static void batadv_dbg_arp(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ 		   batadv_arp_hw_src(skb, hdr_size), &ip_src,
+ 		   batadv_arp_hw_dst(skb, hdr_size), &ip_dst);
+ 
+-	if (hdr_size == 0)
++	if (hdr_size < sizeof(struct batadv_unicast_packet))
+ 		return;
+ 
+ 	unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;

batman-adv/patches/0034-batman-adv-Fix-skbuff-rcsum-on-packet-reroute.patch

@@ -0,0 +1,83 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 18 Mar 2018 13:12:01 +0100
+Subject: batman-adv: Fix skbuff rcsum on packet reroute
+
+batadv_check_unicast_ttvn may redirect a packet to itself or another
+originator. This involves rewriting the ttvn and the destination address in
+the batadv unicast header. These field were not yet pulled (with skb rcsum
+update) and thus any change to them also requires a change in the receive
+checksum.
+
+Reported-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Fixes: cea194d90b11 ("batman-adv: improved client announcement mechanism")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: backport, https://git.open-mesh.org/batman-adv.git/commit/fb91b0ef84738102807e5dd7ec0b3565415aff56
+
+diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
+index 8d927931017e53d285d9c64b4b850bb1d0388e11..6a12612463127f501ad6a0df20632f14586075bd 100644
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -744,6 +744,7 @@ free_skb:
+ /**
+  * batadv_reroute_unicast_packet - update the unicast header for re-routing
+  * @bat_priv: the bat priv with all the soft interface information
++ * @skb: unicast packet to process
+  * @unicast_packet: the unicast header to be updated
+  * @dst_addr: the payload destination
+  * @vid: VLAN identifier
+@@ -755,7 +756,7 @@ free_skb:
+  * Return: true if the packet header has been updated, false otherwise
+  */
+ static bool
+-batadv_reroute_unicast_packet(struct batadv_priv *bat_priv,
++batadv_reroute_unicast_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ 			      struct batadv_unicast_packet *unicast_packet,
+ 			      u8 *dst_addr, unsigned short vid)
+ {
+@@ -784,8 +785,10 @@ batadv_reroute_unicast_packet(struct batadv_priv *bat_priv,
+ 	}
+ 
+ 	/* update the packet header */
++	skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
+ 	ether_addr_copy(unicast_packet->dest, orig_addr);
+ 	unicast_packet->ttvn = orig_ttvn;
++	skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
+ 
+ 	ret = true;
+ out:
+@@ -826,7 +829,7 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
+ 	 * the packet to
+ 	 */
+ 	if (batadv_tt_local_client_is_roaming(bat_priv, ethhdr->h_dest, vid)) {
+-		if (batadv_reroute_unicast_packet(bat_priv, unicast_packet,
++		if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet,
+ 						  ethhdr->h_dest, vid))
+ 			batadv_dbg_ratelimited(BATADV_DBG_TT,
+ 					       bat_priv,
+@@ -872,7 +875,7 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
+ 	 * destination can possibly be updated and forwarded towards the new
+ 	 * target host
+ 	 */
+-	if (batadv_reroute_unicast_packet(bat_priv, unicast_packet,
++	if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet,
+ 					  ethhdr->h_dest, vid)) {
+ 		batadv_dbg_ratelimited(BATADV_DBG_TT, bat_priv,
+ 				       "Rerouting unicast packet to %pM (dst=%pM): TTVN mismatch old_ttvn=%u new_ttvn=%u\n",
+@@ -895,12 +898,14 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
+ 	if (!primary_if)
+ 		return false;
+ 
++	/* update the packet header */
++	skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
+ 	ether_addr_copy(unicast_packet->dest, primary_if->net_dev->dev_addr);
++	unicast_packet->ttvn = curr_ttvn;
++	skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
+ 
+ 	batadv_hardif_put(primary_if);
+ 
+-	unicast_packet->ttvn = curr_ttvn;
+-
+ 	return true;
+ }
+ 

batman-adv/patches/0035-batman-adv-fix-multicast-via-unicast-transmission-wi.patch

@@ -0,0 +1,39 @@
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Tue, 20 Mar 2018 03:13:27 +0100
+Subject: batman-adv: fix multicast-via-unicast transmission with AP isolation
+
+For multicast frames AP isolation is only supposed to be checked on
+the receiving nodes and never on the originating one.
+
+Furthermore, the isolation or wifi flag bits should only be intepreted
+as such for unicast and never multicast TT entries.
+
+By injecting flags to the multicast TT entry claimed by a single
+target node it was verified in tests that this multicast address
+becomes unreachable, leading to packet loss.
+
+Omitting the "src" parameter to the batadv_transtable_search() call
+successfully skipped the AP isolation check and made the target
+reachable again.
+
+Fixes: 405cc1e5a81e ("batman-adv: Modified forwarding behaviour for multicast packets")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/67a50c93bceb534937d6a188eded79272ff6d55d
+
+diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
+index 1fb4f87be11e984f3a839c0b2dea939cd692b04d..20680e1dafc46cd60766a6dcd4f401f097ad4786 100644
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -811,8 +811,8 @@ static struct batadv_orig_node *
+ batadv_mcast_forw_tt_node_get(struct batadv_priv *bat_priv,
+ 			      struct ethhdr *ethhdr)
+ {
+-	return batadv_transtable_search(bat_priv, ethhdr->h_source,
+-					ethhdr->h_dest, BATADV_NO_FLAGS);
++	return batadv_transtable_search(bat_priv, NULL, ethhdr->h_dest,
++					BATADV_NO_FLAGS);
+ }
+ 
+ /**

batman-adv/patches/0036-batman-adv-fix-packet-loss-for-broadcasted-DHCP-pack.patch

@@ -0,0 +1,79 @@
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Thu, 22 Mar 2018 00:21:32 +0100
+Subject: batman-adv: fix packet loss for broadcasted DHCP packets to a server
+
+DHCP connectivity issues can currently occur if the following conditions
+are met:
+
+1) A DHCP packet from a client to a server
+2) This packet has a multicast destination
+3) This destination has a matching entry in the translation table
+   (FF:FF:FF:FF:FF:FF for IPv4, 33:33:00:01:00:02/33:33:00:01:00:03
+    for IPv6)
+4) The orig-node determined by TT for the multicast destination
+   does not match the orig-node determined by best-gateway-selection
+
+In this case the DHCP packet will be dropped.
+
+The "gateway-out-of-range" check is supposed to only be applied to
+unicasted DHCP packets to a specific DHCP server.
+
+In that case dropping the the unicasted frame forces the client to
+retry via a broadcasted one, but now directed to the new best
+gateway.
+
+A DHCP packet with broadcast/multicast destination is already ensured to
+always be delivered to the best gateway. Dropping a multicasted
+DHCP packet here will only prevent completing DHCP as there is no
+other fallback.
+
+So far, it seems the unicast check was implicitly performed by
+expecting the batadv_transtable_search() to return NULL for multicast
+destinations. However, a multicast address could have always ended up in
+the translation table and in fact is now common.
+
+To fix this potential loss of a DHCP client-to-server packet to a
+multicast address this patch adds an explicit multicast destination
+check to reliably bail out of the gateway-out-of-range check for such
+destinations.
+
+The issue and fix were tested in the following three node setup:
+
+- Line topology, A-B-C
+- A: gateway client, DHCP client
+- B: gateway server, hop-penalty increased: 30->60, DHCP server
+- C: gateway server, code modifications to announce FF:FF:FF:FF:FF:FF
+
+Without this patch, A would never transmit its DHCP Discover packet
+due to an always "out-of-range" condition. With this patch,
+a full DHCP handshake between A and B was possible again.
+
+Fixes: afae4e42aae6 ("batman-adv: refactoring gateway handling code")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/49b2132f0fe2753a3b46103db9719898c5cd44aa
+
+diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
+index 52b8bd6ec43183519a63483950c2e886e47a6f9e..f1fdf4e7f5c3ce7f20339dcee3b6e43290ea3b4e 100644
+--- a/net/batman-adv/gateway_client.c
++++ b/net/batman-adv/gateway_client.c
+@@ -705,7 +705,7 @@ bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
+ {
+ 	struct batadv_neigh_node *neigh_curr = NULL;
+ 	struct batadv_neigh_node *neigh_old = NULL;
+-	struct batadv_orig_node *orig_dst_node;
++	struct batadv_orig_node *orig_dst_node = NULL;
+ 	struct batadv_gw_node *gw_node = NULL;
+ 	struct batadv_gw_node *curr_gw = NULL;
+ 	struct batadv_neigh_ifinfo *curr_ifinfo, *old_ifinfo;
+@@ -716,6 +716,9 @@ bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
+ 
+ 	vid = batadv_get_vid(skb, 0);
+ 
++	if (is_multicast_ether_addr(ethhdr->h_dest))
++		goto out;
++
+ 	orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
+ 						 ethhdr->h_dest, vid);
+ 	if (!orig_dst_node)

batman-adv/patches/0037-batman-adv-Avoid-race-in-TT-TVLV-allocator-helper.patch

@@ -0,0 +1,72 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 9 May 2018 21:07:40 +0200
+Subject: batman-adv: Avoid race in TT TVLV allocator helper
+
+The functions batadv_tt_prepare_tvlv_local_data and
+batadv_tt_prepare_tvlv_global_data are responsible for preparing a buffer
+which can be used to store the TVLV container for TT and add the VLAN
+information to it.
+
+This will be done in three phases:
+
+1. count the number of VLANs and their entries
+2. allocate the buffer using the counters from the previous step and limits
+   from the caller (parameter tt_len)
+3. insert the VLAN information to the buffer
+
+The step 1 and 3 operate on a list which contains the VLANs. The access to
+these lists must be protected with an appropriate lock or otherwise they
+might operate on on different entries. This could for example happen when
+another context is adding VLAN entries to this list.
+
+This could lead to a buffer overflow in these functions when enough entries
+were added between step 1 and 3 to the VLAN lists that the buffer room for
+the entries (*tt_change) is smaller then the now required extra buffer for
+new VLAN entries.
+
+Fixes: 21a57f6e7a3b ("batman-adv: make the TT CRC logic VLAN specific")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/286be89a33497ba9000aa5c2960f1f4114953522
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index a64003b824e0d0b05f0a9e44ccc32ba0cb3018fc..933ac64b5707846ddee9f828b538ade86b968986 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -860,7 +860,7 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
+ 	struct batadv_orig_node_vlan *vlan;
+ 	u8 *tt_change_ptr;
+ 
+-	rcu_read_lock();
++	spin_lock_bh(&orig_node->vlan_list_lock);
+ 	hlist_for_each_entry_rcu(vlan, &orig_node->vlan_list, list) {
+ 		num_vlan++;
+ 		num_entries += atomic_read(&vlan->tt.num_entries);
+@@ -898,7 +898,7 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
+ 	*tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
+ 
+ out:
+-	rcu_read_unlock();
++	spin_unlock_bh(&orig_node->vlan_list_lock);
+ 	return tvlv_len;
+ }
+ 
+@@ -934,7 +934,7 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
+ 	u8 *tt_change_ptr;
+ 	int change_offset;
+ 
+-	rcu_read_lock();
++	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
+ 	hlist_for_each_entry_rcu(vlan, &bat_priv->softif_vlan_list, list) {
+ 		num_vlan++;
+ 		num_entries += atomic_read(&vlan->tt.num_entries);
+@@ -972,7 +972,7 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
+ 	*tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
+ 
+ out:
+-	rcu_read_unlock();
++	spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+ 	return tvlv_len;
+ }
+ 

batman-adv/patches/0038-batman-adv-Fix-TT-sync-flags-for-intermediate-TT-res.patch

@@ -0,0 +1,177 @@
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Thu, 10 May 2018 19:44:28 +0200
+Subject: batman-adv: Fix TT sync flags for intermediate TT responses
+
+The previous TT sync fix so far only fixed TT responses issued by the
+target node directly. So far, TT responses issued by intermediate nodes
+still lead to the wrong flags being added, leading to CRC mismatches.
+
+This behaviour was observed at Freifunk Hannover in a 800 nodes setup
+where a considerable amount of nodes were still infected with 'WI'
+TT flags even with (most) nodes having the previous TT sync fix applied.
+
+I was able to reproduce the issue with intermediate TT responses in a
+four node test setup and this patch fixes this issue by ensuring to
+use the per originator instead of the summarized, OR'd ones.
+
+Fixes: fa614fd04692 ("batman-adv: fix tt_global_entries flags update")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: backport, https://git.open-mesh.org/batman-adv.git/commit/d65daee8617b29c1ddcc949ce3a5ec24f7a1e1af
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 933ac64b5707846ddee9f828b538ade86b968986..94527e5e859dcdb443b2fc9c3fbbe06aae3b4a08 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1528,6 +1528,8 @@ batadv_tt_global_orig_entry_find(const struct batadv_tt_global_entry *entry,
+  *  by a given originator
+  * @entry: the TT global entry to check
+  * @orig_node: the originator to search in the list
++ * @flags: a pointer to store TT flags for the given @entry received
++ *  from @orig_node
+  *
+  * find out if an orig_node is already in the list of a tt_global_entry.
+  *
+@@ -1535,7 +1537,8 @@ batadv_tt_global_orig_entry_find(const struct batadv_tt_global_entry *entry,
+  */
+ static bool
+ batadv_tt_global_entry_has_orig(const struct batadv_tt_global_entry *entry,
+-				const struct batadv_orig_node *orig_node)
++				const struct batadv_orig_node *orig_node,
++				u8 *flags)
+ {
+ 	struct batadv_tt_orig_list_entry *orig_entry;
+ 	bool found = false;
+@@ -1543,6 +1546,10 @@ batadv_tt_global_entry_has_orig(const struct batadv_tt_global_entry *entry,
+ 	orig_entry = batadv_tt_global_orig_entry_find(entry, orig_node);
+ 	if (orig_entry) {
+ 		found = true;
++
++		if (flags)
++			*flags = orig_entry->flags;
++
+ 		batadv_tt_orig_list_entry_put(orig_entry);
+ 	}
+ 
+@@ -1721,7 +1728,7 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
+ 			if (!(common->flags & BATADV_TT_CLIENT_TEMP))
+ 				goto out;
+ 			if (batadv_tt_global_entry_has_orig(tt_global_entry,
+-							    orig_node))
++							    orig_node, NULL))
+ 				goto out_remove;
+ 			batadv_tt_global_del_orig_list(tt_global_entry);
+ 			goto add_orig_entry;
+@@ -2863,23 +2870,46 @@ unlock:
+ }
+ 
+ /**
+- * batadv_tt_local_valid - verify that given tt entry is a valid one
++ * batadv_tt_local_valid() - verify local tt entry and get flags
+  * @entry_ptr: to be checked local tt entry
+  * @data_ptr: not used but definition required to satisfy the callback prototype
++ * @flags: a pointer to store TT flags for this client to
++ *
++ * Checks the validity of the given local TT entry. If it is, then the provided
++ * flags pointer is updated.
+  *
+  * Return: true if the entry is a valid, false otherwise.
+  */
+-static bool batadv_tt_local_valid(const void *entry_ptr, const void *data_ptr)
++static bool batadv_tt_local_valid(const void *entry_ptr,
++				  const void *data_ptr,
++				  u8 *flags)
+ {
+ 	const struct batadv_tt_common_entry *tt_common_entry = entry_ptr;
+ 
+ 	if (tt_common_entry->flags & BATADV_TT_CLIENT_NEW)
+ 		return false;
++
++	if (flags)
++		*flags = tt_common_entry->flags;
++
+ 	return true;
+ }
+ 
++/**
++ * batadv_tt_global_valid() - verify global tt entry and get flags
++ * @entry_ptr: to be checked global tt entry
++ * @data_ptr: an orig_node object (may be NULL)
++ * @flags: a pointer to store TT flags for this client to
++ *
++ * Checks the validity of the given global TT entry. If it is, then the provided
++ * flags pointer is updated either with the common (summed) TT flags if data_ptr
++ * is NULL or the specific, per originator TT flags otherwise.
++ *
++ * Return: true if the entry is a valid, false otherwise.
++ */
+ static bool batadv_tt_global_valid(const void *entry_ptr,
+-				   const void *data_ptr)
++				   const void *data_ptr,
++				   u8 *flags)
+ {
+ 	const struct batadv_tt_common_entry *tt_common_entry = entry_ptr;
+ 	const struct batadv_tt_global_entry *tt_global_entry;
+@@ -2893,7 +2923,8 @@ static bool batadv_tt_global_valid(const void *entry_ptr,
+ 				       struct batadv_tt_global_entry,
+ 				       common);
+ 
+-	return batadv_tt_global_entry_has_orig(tt_global_entry, orig_node);
++	return batadv_tt_global_entry_has_orig(tt_global_entry, orig_node,
++					       flags);
+ }
+ 
+ /**
+@@ -2903,25 +2934,34 @@ static bool batadv_tt_global_valid(const void *entry_ptr,
+  * @hash: hash table containing the tt entries
+  * @tt_len: expected tvlv tt data buffer length in number of bytes
+  * @tvlv_buff: pointer to the buffer to fill with the TT data
+- * @valid_cb: function to filter tt change entries
++ * @valid_cb: function to filter tt change entries and to return TT flags
+  * @cb_data: data passed to the filter function as argument
++ *
++ * Fills the tvlv buff with the tt entries from the specified hash. If valid_cb
++ * is not provided then this becomes a no-op.
+  */
+ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
+ 				    struct batadv_hashtable *hash,
+ 				    void *tvlv_buff, u16 tt_len,
+ 				    bool (*valid_cb)(const void *,
+-						     const void *),
++						     const void *,
++						     u8 *flags),
+ 				    void *cb_data)
+ {
+ 	struct batadv_tt_common_entry *tt_common_entry;
+ 	struct batadv_tvlv_tt_change *tt_change;
+ 	struct hlist_head *head;
+ 	u16 tt_tot, tt_num_entries = 0;
++	u8 flags;
++	bool ret;
+ 	u32 i;
+ 
+ 	tt_tot = batadv_tt_entries(tt_len);
+ 	tt_change = (struct batadv_tvlv_tt_change *)tvlv_buff;
+ 
++	if (!valid_cb)
++		return;
++
+ 	rcu_read_lock();
+ 	for (i = 0; i < hash->size; i++) {
+ 		head = &hash->table[i];
+@@ -2931,11 +2971,12 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
+ 			if (tt_tot == tt_num_entries)
+ 				break;
+ 
+-			if ((valid_cb) && (!valid_cb(tt_common_entry, cb_data)))
++			ret = valid_cb(tt_common_entry, cb_data, &flags);
++			if (!ret)
+ 				continue;
+ 
+ 			ether_addr_copy(tt_change->addr, tt_common_entry->addr);
+-			tt_change->flags = tt_common_entry->flags;
++			tt_change->flags = flags;
+ 			tt_change->vid = htons(tt_common_entry->vid);
+ 			memset(tt_change->reserved, 0,
+ 			       sizeof(tt_change->reserved));

batman-adv/patches/0039-batman-adv-prevent-TT-request-storms-by-not-sending-.patch

@@ -0,0 +1,73 @@
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Sat, 12 May 2018 00:23:07 +0800
+Subject: batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs
+
+A translation table TVLV changset sent with an OGM consists
+of a number of headers (one per VLAN) plus the changeset
+itself (addition and/or deletion of entries).
+
+The per-VLAN headers are used by OGM recipients for consistency
+checks. Said consistency check might determine that a full
+translation table request is needed to restore consistency. If
+the TT sender adds per-VLAN headers of empty VLANs into the OGM,
+recipients are led to believe to have reached an inconsistent
+state and thus request a full table update. The full table does
+not contain empty VLANs (due to missing entries) the cycle
+restarts when the next OGM is issued.
+
+Consequently, when the translation table TVLV headers are
+composed, empty VLANs are to be excluded.
+
+Fixes: 21a57f6e7a3b ("batman-adv: make the TT CRC logic VLAN specific")
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/e4687b4be274da6180fc15b327419851fb681ec9
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 94527e5e859dcdb443b2fc9c3fbbe06aae3b4a08..743963bf39dca73f7554f9f85fffd57fd6a3c963 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -929,15 +929,20 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
+ 	struct batadv_tvlv_tt_vlan_data *tt_vlan;
+ 	struct batadv_softif_vlan *vlan;
+ 	u16 num_vlan = 0;
+-	u16 num_entries = 0;
++	u16 vlan_entries = 0;
++	u16 total_entries = 0;
+ 	u16 tvlv_len;
+ 	u8 *tt_change_ptr;
+ 	int change_offset;
+ 
+ 	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
+ 	hlist_for_each_entry_rcu(vlan, &bat_priv->softif_vlan_list, list) {
++		vlan_entries = atomic_read(&vlan->tt.num_entries);
++		if (vlan_entries < 1)
++			continue;
++
+ 		num_vlan++;
+-		num_entries += atomic_read(&vlan->tt.num_entries);
++		total_entries += vlan_entries;
+ 	}
+ 
+ 	change_offset = sizeof(**tt_data);
+@@ -945,7 +950,7 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
+ 
+ 	/* if tt_len is negative, allocate the space needed by the full table */
+ 	if (*tt_len < 0)
+-		*tt_len = batadv_tt_len(num_entries);
++		*tt_len = batadv_tt_len(total_entries);
+ 
+ 	tvlv_len = *tt_len;
+ 	tvlv_len += change_offset;
+@@ -962,6 +967,10 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
+ 
+ 	tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(*tt_data + 1);
+ 	hlist_for_each_entry_rcu(vlan, &bat_priv->softif_vlan_list, list) {
++		vlan_entries = atomic_read(&vlan->tt.num_entries);
++		if (vlan_entries < 1)
++			continue;
++
+ 		tt_vlan->vid = htons(vlan->vid);
+ 		tt_vlan->crc = htonl(vlan->tt.crc);
+ 

batman-adv/patches/0040-batman-adv-Fix-bat_ogm_iv-best-gw-refcnt-after-netli.patch

@@ -0,0 +1,44 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 2 Jun 2018 17:26:34 +0200
+Subject: batman-adv: Fix bat_ogm_iv best gw refcnt after netlink dump
+
+A reference for the best gateway is taken when the list of gateways in the
+mesh is sent via netlink. This is necessary to check whether the currently
+dumped entry is the currently selected gateway or not. This information is
+then transferred as flag BATADV_ATTR_FLAG_BEST.
+
+After the comparison of the current entry is done,
+batadv_iv_gw_dump_entry() has to decrease the reference counter again.
+Otherwise the reference will be held and thus prevents a proper shutdown of
+the batman-adv interfaces (and some of the interfaces enslaved in it).
+
+Fixes: fa3228924152 ("batman-adv: add B.A.T.M.A.N. IV bat_gw_dump implementations")
+Reported-by: Andreas Ziegler <dev@andreas-ziegler.de>
+Tested-by: Andreas Ziegler <dev@andreas-ziegler.de>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/46360d203c627e71a27d1f8f551c819c7f2353fd
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index bf389adbb2694746d6397a0a38353cdcd8008899..f0174a17b30d14e5c127106b364b8fbc8ec384ee 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -2722,7 +2722,7 @@ static int batadv_iv_gw_dump_entry(struct sk_buff *msg, u32 portid, u32 seq,
+ {
+ 	struct batadv_neigh_ifinfo *router_ifinfo = NULL;
+ 	struct batadv_neigh_node *router;
+-	struct batadv_gw_node *curr_gw;
++	struct batadv_gw_node *curr_gw = NULL;
+ 	int ret = 0;
+ 	void *hdr;
+ 
+@@ -2770,6 +2770,8 @@ static int batadv_iv_gw_dump_entry(struct sk_buff *msg, u32 portid, u32 seq,
+ 	ret = 0;
+ 
+ out:
++	if (curr_gw)
++		batadv_gw_node_put(curr_gw);
+ 	if (router_ifinfo)
+ 		batadv_neigh_ifinfo_put(router_ifinfo);
+ 	if (router)

batman-adv/patches/0041-batman-adv-Fix-bat_v-best-gw-refcnt-after-netlink-du.patch

@@ -0,0 +1,42 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 2 Jun 2018 17:26:35 +0200
+Subject: batman-adv: Fix bat_v best gw refcnt after netlink dump
+
+A reference for the best gateway is taken when the list of gateways in the
+mesh is sent via netlink. This is necessary to check whether the currently
+dumped entry is the currently selected gateway or not. This information is
+then transferred as flag BATADV_ATTR_FLAG_BEST.
+
+After the comparison of the current entry is done,
+batadv_v_gw_dump_entry() has to decrease the reference counter again.
+Otherwise the reference will be held and thus prevents a proper shutdown of
+the batman-adv interfaces (and some of the interfaces enslaved in it).
+
+Fixes: 15315a94ad98 ("batman-adv: add B.A.T.M.A.N. V bat_gw_dump implementations")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/2b422b5808183d1084b450b89d9a085a13dd6d2c
+
+diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
+index 0488063ff6ac5985e27c3a0df41ab3566b48abb8..87f06e92270b4c51376bc4e9717b0aed8c9f3441 100644
+--- a/net/batman-adv/bat_v.c
++++ b/net/batman-adv/bat_v.c
+@@ -929,7 +929,7 @@ static int batadv_v_gw_dump_entry(struct sk_buff *msg, u32 portid, u32 seq,
+ {
+ 	struct batadv_neigh_ifinfo *router_ifinfo = NULL;
+ 	struct batadv_neigh_node *router;
+-	struct batadv_gw_node *curr_gw;
++	struct batadv_gw_node *curr_gw = NULL;
+ 	int ret = 0;
+ 	void *hdr;
+ 
+@@ -997,6 +997,8 @@ static int batadv_v_gw_dump_entry(struct sk_buff *msg, u32 portid, u32 seq,
+ 	ret = 0;
+ 
+ out:
++	if (curr_gw)
++		batadv_gw_node_put(curr_gw);
+ 	if (router_ifinfo)
+ 		batadv_neigh_ifinfo_put(router_ifinfo);
+ 	if (router)

batman-adv/patches/0042-batman-adv-Fix-debugfs-path-for-renamed-hardif.patch

@@ -0,0 +1,106 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 1 Jun 2018 19:24:23 +0200
+Subject: batman-adv: Fix debugfs path for renamed hardif
+
+batman-adv is creating special debugfs directories in the init
+net_namespace for each valid hard-interface (net_device). But it is
+possible to rename a net_device to a completely different name then the
+original one.
+
+It can therefore happen that a user registers a new net_device which gets
+the name "wlan0" assigned by default. batman-adv is also adding a new
+directory under $debugfs/batman-adv/ with the name "wlan0".
+
+The user then decides to rename this device to "wl_pri" and registers a
+different device. The kernel may now decide to use the name "wlan0" again
+for this new device. batman-adv will detect it as a valid net_device and
+tries to create a directory with the name "wlan0" under
+$debugfs/batman-adv/. But there already exists one with this name under
+this path and thus this fails. batman-adv will detect a problem and
+rollback the registering of this device.
+
+batman-adv must therefore take care of renaming the debugfs directories
+for hard-interfaces whenever it detects such a net_device rename.
+
+Fixes: 3c926a01c8e8 ("batman-adv: add debugfs structure for information per interface")
+Reported-by: John Soros <sorosj@gmail.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: backport, https://git.open-mesh.org/batman-adv.git/commit/127086f503f6495518b95455efebee33d328f335
+
+diff --git a/net/batman-adv/debugfs.c b/net/batman-adv/debugfs.c
+index 77925504379dac7d64777393ddae326b5d6d9505..a229d2d9acfd1f3d6fea071aa0df3bf06a0e2ecf 100644
+--- a/net/batman-adv/debugfs.c
++++ b/net/batman-adv/debugfs.c
+@@ -18,6 +18,7 @@
+ #include "debugfs.h"
+ #include "main.h"
+ 
++#include <linux/dcache.h>
+ #include <linux/debugfs.h>
+ #include <linux/device.h>
+ #include <linux/errno.h>
+@@ -337,6 +338,25 @@ out:
+ 	return -ENOMEM;
+ }
+ 
++/**
++ * batadv_debugfs_rename_hardif() - Fix debugfs path for renamed hardif
++ * @hard_iface: hard interface which was renamed
++ */
++void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface)
++{
++	const char *name = hard_iface->net_dev->name;
++	struct dentry *dir;
++	struct dentry *d;
++
++	dir = hard_iface->debug_dir;
++	if (!dir)
++		return;
++
++	d = debugfs_rename(dir->d_parent, dir, dir->d_parent, name);
++	if (!d)
++		pr_err("Can't rename debugfs dir to %s\n", name);
++}
++
+ /**
+  * batadv_debugfs_del_hardif - delete the base directory for a hard interface
+  *  in debugfs.
+diff --git a/net/batman-adv/debugfs.h b/net/batman-adv/debugfs.h
+index e49121ee55f696547ddc9774ba6c425af2d49b57..3d9b684b862d0aa9d2380fbcb15fd4ef68a4511c 100644
+--- a/net/batman-adv/debugfs.h
++++ b/net/batman-adv/debugfs.h
+@@ -31,6 +31,7 @@ void batadv_debugfs_destroy(void);
+ int batadv_debugfs_add_meshif(struct net_device *dev);
+ void batadv_debugfs_del_meshif(struct net_device *dev);
+ int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface);
++void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface);
+ void batadv_debugfs_del_hardif(struct batadv_hard_iface *hard_iface);
+ 
+ #else
+@@ -58,6 +59,11 @@ int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface)
+ 	return 0;
+ }
+ 
++static inline
++void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface)
++{
++}
++
+ static inline
+ void batadv_debugfs_del_hardif(struct batadv_hard_iface *hard_iface)
+ {
+diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
+index ebeea5816a06b33c4944b01e40cee157c88bdff7..507eaff8582a8c58adc6d23abc42bb6c31d2816f 100644
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -1020,6 +1020,9 @@ static int batadv_hard_if_event(struct notifier_block *this,
+ 		if (batadv_is_wifi_hardif(hard_iface))
+ 			hard_iface->num_bcasts = BATADV_NUM_BCASTS_WIRELESS;
+ 		break;
++	case NETDEV_CHANGENAME:
++		batadv_debugfs_rename_hardif(hard_iface);
++		break;
+ 	default:
+ 		break;
+ 	}

batman-adv/patches/0043-batman-adv-Fix-debugfs-path-for-renamed-softif.patch

@@ -0,0 +1,134 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 1 Jun 2018 19:24:24 +0200
+Subject: batman-adv: Fix debugfs path for renamed softif
+
+batman-adv is creating special debugfs directories in the init
+net_namespace for each created soft-interface (batadv net_device). But it
+is possible to rename a net_device to a completely different name then the
+original one.
+
+It can therefore happen that a user registers a new batadv net_device with
+the name "bat0". batman-adv is then also adding a new directory under
+$debugfs/batman-adv/ with the name "wlan0".
+
+The user then decides to rename this device to "bat1" and registers a
+different batadv device with the name "bat0". batman-adv will then try to
+create a directory with the name "bat0" under $debugfs/batman-adv/ again.
+But there already exists one with this name under this path and thus this
+fails. batman-adv will detect a problem and rollback the registering of
+this device.
+
+batman-adv must therefore take care of renaming the debugfs directories for
+soft-interfaces whenever it detects such a net_device rename.
+
+Fixes: 230202d4b530 ("batman-adv: Move device for icmp injection to debugfs")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: backport, https://git.open-mesh.org/batman-adv.git/commit/3f2237bb191cd17654a4d5a5badfd6e7379c4b37
+
+diff --git a/net/batman-adv/debugfs.c b/net/batman-adv/debugfs.c
+index a229d2d9acfd1f3d6fea071aa0df3bf06a0e2ecf..fa396394edd02e74f49323216027f4ef9739dfa0 100644
+--- a/net/batman-adv/debugfs.c
++++ b/net/batman-adv/debugfs.c
+@@ -421,6 +421,26 @@ out:
+ 	return -ENOMEM;
+ }
+ 
++/**
++ * batadv_debugfs_rename_meshif() - Fix debugfs path for renamed softif
++ * @dev: net_device which was renamed
++ */
++void batadv_debugfs_rename_meshif(struct net_device *dev)
++{
++	struct batadv_priv *bat_priv = netdev_priv(dev);
++	const char *name = dev->name;
++	struct dentry *dir;
++	struct dentry *d;
++
++	dir = bat_priv->debug_dir;
++	if (!dir)
++		return;
++
++	d = debugfs_rename(dir->d_parent, dir, dir->d_parent, name);
++	if (!d)
++		pr_err("Can't rename debugfs dir to %s\n", name);
++}
++
+ void batadv_debugfs_del_meshif(struct net_device *dev)
+ {
+ 	struct batadv_priv *bat_priv = netdev_priv(dev);
+diff --git a/net/batman-adv/debugfs.h b/net/batman-adv/debugfs.h
+index 3d9b684b862d0aa9d2380fbcb15fd4ef68a4511c..59a0d6d70ecd4d0b49e15138306acc371da2d8b7 100644
+--- a/net/batman-adv/debugfs.h
++++ b/net/batman-adv/debugfs.h
+@@ -29,6 +29,7 @@ struct net_device;
+ void batadv_debugfs_init(void);
+ void batadv_debugfs_destroy(void);
+ int batadv_debugfs_add_meshif(struct net_device *dev);
++void batadv_debugfs_rename_meshif(struct net_device *dev);
+ void batadv_debugfs_del_meshif(struct net_device *dev);
+ int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface);
+ void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface);
+@@ -49,6 +50,10 @@ static inline int batadv_debugfs_add_meshif(struct net_device *dev)
+ 	return 0;
+ }
+ 
++static inline void batadv_debugfs_rename_meshif(struct net_device *dev)
++{
++}
++
+ static inline void batadv_debugfs_del_meshif(struct net_device *dev)
+ {
+ }
+diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
+index 507eaff8582a8c58adc6d23abc42bb6c31d2816f..23d3893264f989c9740e68d83f6db300dee20dc3 100644
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -958,6 +958,32 @@ void batadv_hardif_remove_interfaces(void)
+ 	rtnl_unlock();
+ }
+ 
++/**
++ * batadv_hard_if_event_softif() - Handle events for soft interfaces
++ * @event: NETDEV_* event to handle
++ * @net_dev: net_device which generated an event
++ *
++ * Return: NOTIFY_* result
++ */
++static int batadv_hard_if_event_softif(unsigned long event,
++				       struct net_device *net_dev)
++{
++	struct batadv_priv *bat_priv;
++
++	switch (event) {
++	case NETDEV_REGISTER:
++		batadv_sysfs_add_meshif(net_dev);
++		bat_priv = netdev_priv(net_dev);
++		batadv_softif_create_vlan(bat_priv, BATADV_NO_FLAGS);
++		break;
++	case NETDEV_CHANGENAME:
++		batadv_debugfs_rename_meshif(net_dev);
++		break;
++	}
++
++	return NOTIFY_DONE;
++}
++
+ static int batadv_hard_if_event(struct notifier_block *this,
+ 				unsigned long event, void *ptr)
+ {
+@@ -966,12 +992,8 @@ static int batadv_hard_if_event(struct notifier_block *this,
+ 	struct batadv_hard_iface *primary_if = NULL;
+ 	struct batadv_priv *bat_priv;
+ 
+-	if (batadv_softif_is_valid(net_dev) && event == NETDEV_REGISTER) {
+-		batadv_sysfs_add_meshif(net_dev);
+-		bat_priv = netdev_priv(net_dev);
+-		batadv_softif_create_vlan(bat_priv, BATADV_NO_FLAGS);
+-		return NOTIFY_DONE;
+-	}
++	if (batadv_softif_is_valid(net_dev))
++		return batadv_hard_if_event_softif(event, net_dev);
+ 
+ 	hard_iface = batadv_hardif_get_by_netdev(net_dev);
+ 	if (!hard_iface && (event == NETDEV_REGISTER ||

batman-adv/patches/0044-batman-adv-Avoid-storing-non-TT-sync-flags-on-singul.patch

@@ -0,0 +1,34 @@
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Thu, 7 Jun 2018 00:46:23 +0200
+Subject: batman-adv: Avoid storing non-TT-sync flags on singular entries too
+
+Since commit 382d020fe3fa ("batman-adv: fix TT sync flag inconsistencies")
+TT sync flags and TT non-sync'd flags are supposed to be stored
+separately.
+
+The previous patch missed to apply this separation on a TT entry with
+only a single TT orig entry.
+
+This is a minor fix because with only a single TT orig entry the DDoS
+issue the former patch solves does not apply.
+
+Fixes: 382d020fe3fa ("batman-adv: fix TT sync flag inconsistencies")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/beb6246b2339852b6a429ae9259a8eb30a685041
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 743963bf39dca73f7554f9f85fffd57fd6a3c963..a8b4d9bcb318656022a30f742ede4f38a646d0d1 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1695,7 +1695,8 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
+ 		ether_addr_copy(common->addr, tt_addr);
+ 		common->vid = vid;
+ 
+-		common->flags = flags;
++		common->flags = flags & (~BATADV_TT_SYNC_MASK);
++
+ 		tt_global_entry->roam_at = 0;
+ 		/* node must store current time in case of roaming. This is
+ 		 * needed to purge this entry out on timeout (if nobody claims

batman-adv/patches/0045-batman-adv-Fix-multicast-TT-issues-with-bogus-ROAM-f.patch

@@ -0,0 +1,43 @@
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Thu, 7 Jun 2018 00:46:24 +0200
+Subject: batman-adv: Fix multicast TT issues with bogus ROAM flags
+
+When a (broken) node wrongly sends multicast TT entries with a ROAM
+flag then this causes any receiving node to drop all entries for the
+same multicast MAC address announced by other nodes, leading to
+packet loss.
+
+Fix this DoS vector by only storing TT sync flags. For multicast TT
+non-sync'ing flag bits like ROAM are unused so far anyway.
+
+Fixes: 405cc1e5a81e ("batman-adv: Modified forwarding behaviour for multicast packets")
+Reported-by: Leonardo Mörlein <me@irrelefant.net>
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/c7054ffae0c3b08bb4bef3cffee1e0a543e14096
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index a8b4d9bcb318656022a30f742ede4f38a646d0d1..143a00f90d1d925aad7113f897d06f435f28dcd8 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1695,7 +1695,8 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
+ 		ether_addr_copy(common->addr, tt_addr);
+ 		common->vid = vid;
+ 
+-		common->flags = flags & (~BATADV_TT_SYNC_MASK);
++		if (!is_multicast_ether_addr(common->addr))
++			common->flags = flags & (~BATADV_TT_SYNC_MASK);
+ 
+ 		tt_global_entry->roam_at = 0;
+ 		/* node must store current time in case of roaming. This is
+@@ -1759,7 +1760,8 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
+ 		 * TT_CLIENT_TEMP, therefore they have to be copied in the
+ 		 * client entry
+ 		 */
+-		common->flags |= flags & (~BATADV_TT_SYNC_MASK);
++		if (!is_multicast_ether_addr(common->addr))
++			common->flags |= flags & (~BATADV_TT_SYNC_MASK);
+ 
+ 		/* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only
+ 		 * one originator left in the list and we previously received a

batman-adv/patches/0046-batman-adv-Avoid-probe-ELP-information-leak.patch

@@ -0,0 +1,32 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 15:08:44 +0200
+Subject: batman-adv: Avoid probe ELP information leak
+
+The probe ELPs for WiFi interfaces are expanded to contain at least
+BATADV_ELP_MIN_PROBE_SIZE bytes. This is usually a lot more than the
+number of bytes which the template ELP packet requires.
+
+These extra padding bytes were not initialized and thus could contain data
+which were previously stored at the same location. It is therefore required
+to set it to some predefined or random values to avoid leaking private
+information from the system transmitting these kind of packets.
+
+Fixes: bedcadfaa92b ("batman-adv: ELP - send unicast ELP packets for throughput sampling")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/6c876e572f592c31132a55b5fb8427e168e5fb3c
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index 06b2924f4cb7dde54bab97ad2d28aecd9b1a4ceb..e988a14f3eb01de1f52fe6dcaa91af898060140e 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -227,7 +227,7 @@ batadv_v_elp_wifi_neigh_probe(struct batadv_hardif_neigh_node *neigh)
+ 		 * the packet to be exactly of that size to make the link
+ 		 * throughput estimation effective.
+ 		 */
+-		skb_put(skb, probe_len - hard_iface->bat_v.elp_skb->len);
++		skb_put_zero(skb, probe_len - hard_iface->bat_v.elp_skb->len);
+ 
+ 		batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
+ 			   "Sending unicast (probe) ELP packet on interface %s to %pM\n",

batman-adv/patches/0047-batman-adv-Fix-segfault-when-writing-to-throughput_o.patch

@@ -0,0 +1,42 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 16:46:47 +0200
+Subject: batman-adv: Fix segfault when writing to throughput_override
+
+The per hardif sysfs file "batman_adv/throughput_override" prints the
+resulting change as info text when the users writes to this file. It uses
+the helper function batadv_info to add it at the same time to the kernel
+ring buffer and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG
+is enabled).
+
+The function batadv_info requires as first parameter the batman-adv softif
+net_device. This parameter is then used to find the private buffer which
+contains the debug log for this batman-adv interface. But
+batadv_store_throughput_override used as first argument the slave
+net_device. This slave device doesn't have the batadv_priv private data
+which is access by batadv_info.
+
+Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
+to a segfault or to memory corruption.
+
+Fixes: c513176e4b7a ("batman-adv: add throughput override attribute to hard_ifaces")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/ddf99b78e255530cbadc0f67656a549e19520280
+
+diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c
+index 17c844196eb26c9faf9fd543b88cd86cc1c2c029..ae22db3d6637dde2fcc238826a624ef2d6dbd8f5 100644
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -1078,8 +1078,9 @@ static ssize_t batadv_store_throughput_override(struct kobject *kobj,
+ 	if (old_tp_override == tp_override)
+ 		goto out;
+ 
+-	batadv_info(net_dev, "%s: Changing from: %u.%u MBit to: %u.%u MBit\n",
+-		    "throughput_override",
++	batadv_info(hard_iface->soft_iface,
++		    "%s: %s: Changing from: %u.%u MBit to: %u.%u MBit\n",
++		    "throughput_override", net_dev->name,
+ 		    old_tp_override / 10, old_tp_override % 10,
+ 		    tp_override / 10, tp_override % 10);
+ 

batman-adv/patches/0048-batman-adv-Fix-segfault-when-writing-to-sysfs-elp_in.patch

@@ -0,0 +1,105 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 16:56:29 +0200
+Subject: batman-adv: Fix segfault when writing to sysfs elp_interval
+
+The per hardif sysfs file "batman_adv/elp_interval" is using the generic
+functions to store/show uint values. The helper __batadv_store_uint_attr
+requires the softif net_device as parameter to print the resulting change
+as info text when the users writes to this file. It uses the helper
+function batadv_info to add it at the same time to the kernel ring buffer
+and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled).
+
+The function batadv_info requires as first parameter the batman-adv softif
+net_device. This parameter is then used to find the private buffer which
+contains the debug log for this batman-adv interface. But
+batadv_store_throughput_override used as first argument the slave
+net_device. This slave device doesn't have the batadv_priv private data
+which is access by batadv_info.
+
+Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
+to a segfault or to memory corruption.
+
+Fixes: ec46535b8275 ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/848be9859b0109a6e428f92f21f2e660153b1c75
+
+diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c
+index ae22db3d6637dde2fcc238826a624ef2d6dbd8f5..a4e6f158de26dea0e8e3fefd5b9aeec3dcd64457 100644
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -186,7 +186,8 @@ ssize_t batadv_store_##_name(struct kobject *kobj,			\
+ 									\
+ 	return __batadv_store_uint_attr(buff, count, _min, _max,	\
+ 					_post_func, attr,		\
+-					&bat_priv->_var, net_dev);	\
++					&bat_priv->_var, net_dev,	\
++					NULL);	\
+ }
+ 
+ #define BATADV_ATTR_SIF_SHOW_UINT(_name, _var)				\
+@@ -260,7 +261,9 @@ ssize_t batadv_store_##_name(struct kobject *kobj,			\
+ 									\
+ 	length = __batadv_store_uint_attr(buff, count, _min, _max,	\
+ 					  _post_func, attr,		\
+-					  &hard_iface->_var, net_dev);	\
++					  &hard_iface->_var,		\
++					  hard_iface->soft_iface,	\
++					  net_dev);			\
+ 									\
+ 	batadv_hardif_put(hard_iface);				\
+ 	return length;							\
+@@ -354,10 +357,12 @@ __batadv_store_bool_attr(char *buff, size_t count,
+ 
+ static int batadv_store_uint_attr(const char *buff, size_t count,
+ 				  struct net_device *net_dev,
++				  struct net_device *slave_dev,
+ 				  const char *attr_name,
+ 				  unsigned int min, unsigned int max,
+ 				  atomic_t *attr)
+ {
++	char ifname[IFNAMSIZ + 3] = "";
+ 	unsigned long uint_val;
+ 	int ret;
+ 
+@@ -383,8 +388,11 @@ static int batadv_store_uint_attr(const char *buff, size_t count,
+ 	if (atomic_read(attr) == uint_val)
+ 		return count;
+ 
+-	batadv_info(net_dev, "%s: Changing from: %i to: %lu\n",
+-		    attr_name, atomic_read(attr), uint_val);
++	if (slave_dev)
++		snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name);
++
++	batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n",
++		    attr_name, ifname, atomic_read(attr), uint_val);
+ 
+ 	atomic_set(attr, uint_val);
+ 	return count;
+@@ -395,12 +403,13 @@ static ssize_t __batadv_store_uint_attr(const char *buff, size_t count,
+ 					void (*post_func)(struct net_device *),
+ 					const struct attribute *attr,
+ 					atomic_t *attr_store,
+-					struct net_device *net_dev)
++					struct net_device *net_dev,
++					struct net_device *slave_dev)
+ {
+ 	int ret;
+ 
+-	ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max,
+-				     attr_store);
++	ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev,
++				     attr->name, min, max, attr_store);
+ 	if (post_func && ret)
+ 		post_func(net_dev);
+ 
+@@ -569,7 +578,7 @@ static ssize_t batadv_store_gw_sel_class(struct kobject *kobj,
+ 	return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE,
+ 					batadv_post_gw_reselect, attr,
+ 					&bat_priv->gw.sel_class,
+-					bat_priv->soft_iface);
++					bat_priv->soft_iface, NULL);
+ }
+ 
+ static ssize_t batadv_show_gw_bwidth(struct kobject *kobj,

batman-adv/patches/0049-batman-adv-fix-backbone_gw-refcount-on-queue_work-fa.patch

@@ -0,0 +1,42 @@
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Fri, 7 Sep 2018 05:45:54 +0800
+Subject: batman-adv: fix backbone_gw refcount on queue_work() failure
+
+The backbone_gw refcounter is to be decreased by the queued work and
+currently is never decreased if the queue_work() call fails.
+Fix by checking the queue_work() return value and decrease refcount
+if necessary.
+
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/24d83a50421c1c5d39cd9c015516a1a293ae8d0c
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index aecf34503e95d9aa723449ddbf0bb3035336b878..258a74fd1c237fbf1b81dfc1c48720d8359b0ecc 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1767,6 +1767,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ {
+ 	struct batadv_bla_backbone_gw *backbone_gw;
+ 	struct ethhdr *ethhdr;
++	bool ret;
+ 
+ 	ethhdr = eth_hdr(skb);
+ 
+@@ -1790,8 +1791,13 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ 	if (unlikely(!backbone_gw))
+ 		return true;
+ 
+-	queue_work(batadv_event_workqueue, &backbone_gw->report_work);
+-	/* backbone_gw is unreferenced in the report work function function */
++	ret = queue_work(batadv_event_workqueue, &backbone_gw->report_work);
++
++	/* backbone_gw is unreferenced in the report work function function
++	 * if queue_work() call was successful
++	 */
++	if (!ret)
++		batadv_backbone_gw_put(backbone_gw);
+ 
+ 	return true;
+ }

batman-adv/patches/0050-batman-adv-fix-hardif_neigh-refcount-on-queue_work-f.patch

@@ -0,0 +1,40 @@
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Fri, 7 Sep 2018 05:45:55 +0800
+Subject: batman-adv: fix hardif_neigh refcount on queue_work() failure
+
+The hardif_neigh refcounter is to be decreased by the queued work and
+currently is never decreased if the queue_work() call fails.
+Fix by checking the queue_work() return value and decrease refcount
+if necessary.
+
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/85100b602c127cecf1bcfd620d20eb867d685df2
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index e988a14f3eb01de1f52fe6dcaa91af898060140e..2ec0ecab0493ff88fdc01e55c8557de5b772e8bf 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -254,6 +254,7 @@ static void batadv_v_elp_periodic_work(struct work_struct *work)
+ 	struct batadv_priv *bat_priv;
+ 	struct sk_buff *skb;
+ 	u32 elp_interval;
++	bool ret;
+ 
+ 	bat_v = container_of(work, struct batadv_hard_iface_bat_v, elp_wq.work);
+ 	hard_iface = container_of(bat_v, struct batadv_hard_iface, bat_v);
+@@ -315,8 +316,11 @@ static void batadv_v_elp_periodic_work(struct work_struct *work)
+ 		 * may sleep and that is not allowed in an rcu protected
+ 		 * context. Therefore schedule a task for that.
+ 		 */
+-		queue_work(batadv_event_workqueue,
+-			   &hardif_neigh->bat_v.metric_work);
++		ret = queue_work(batadv_event_workqueue,
++				 &hardif_neigh->bat_v.metric_work);
++
++		if (!ret)
++			batadv_hardif_neigh_put(hardif_neigh);
+ 	}
+ 	rcu_read_unlock();
+ 

batman-adv/patches/0051-batman-adv-Prevent-duplicated-gateway_node-entry.patch

@@ -0,0 +1,78 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 6 Sep 2018 14:35:24 +0200
+Subject: batman-adv: Prevent duplicated gateway_node entry
+
+The function batadv_gw_node_add is responsible for adding new gw_node to
+the gateway_list. It is expecting that the caller already checked that
+there is not already an entry with the same key or not.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: bc3538cabac5 ("batman-adv: adding gateway functionality")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/69b3ca714eba608fe79a51ccd89ce7050ee0b770
+
+diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
+index f1fdf4e7f5c3ce7f20339dcee3b6e43290ea3b4e..a6f5a3969529745d6efa1d43a89440745e1926ad 100644
+--- a/net/batman-adv/gateway_client.c
++++ b/net/batman-adv/gateway_client.c
+@@ -31,6 +31,7 @@
+ #include <linux/kernel.h>
+ #include <linux/kref.h>
+ #include <linux/list.h>
++#include <linux/lockdep.h>
+ #include <linux/netdevice.h>
+ #include <linux/netlink.h>
+ #include <linux/rculist.h>
+@@ -325,6 +326,9 @@ out:
+  * @bat_priv: the bat priv with all the soft interface information
+  * @orig_node: originator announcing gateway capabilities
+  * @gateway: announced bandwidth information
++ *
++ * Has to be called with the appropriate locks being acquired
++ * (gw.list_lock).
+  */
+ static void batadv_gw_node_add(struct batadv_priv *bat_priv,
+ 			       struct batadv_orig_node *orig_node,
+@@ -332,6 +336,8 @@ static void batadv_gw_node_add(struct batadv_priv *bat_priv,
+ {
+ 	struct batadv_gw_node *gw_node;
+ 
++	lockdep_assert_held(&bat_priv->gw.list_lock);
++
+ 	if (gateway->bandwidth_down == 0)
+ 		return;
+ 
+@@ -346,10 +352,8 @@ static void batadv_gw_node_add(struct batadv_priv *bat_priv,
+ 	gw_node->bandwidth_down = ntohl(gateway->bandwidth_down);
+ 	gw_node->bandwidth_up = ntohl(gateway->bandwidth_up);
+ 
+-	spin_lock_bh(&bat_priv->gw.list_lock);
+ 	kref_get(&gw_node->refcount);
+ 	hlist_add_head_rcu(&gw_node->list, &bat_priv->gw.gateway_list);
+-	spin_unlock_bh(&bat_priv->gw.list_lock);
+ 
+ 	batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
+ 		   "Found new gateway %pM -> gw bandwidth: %u.%u/%u.%u MBit\n",
+@@ -405,11 +409,14 @@ void batadv_gw_node_update(struct batadv_priv *bat_priv,
+ {
+ 	struct batadv_gw_node *gw_node, *curr_gw = NULL;
+ 
++	spin_lock_bh(&bat_priv->gw.list_lock);
+ 	gw_node = batadv_gw_node_get(bat_priv, orig_node);
+ 	if (!gw_node) {
+ 		batadv_gw_node_add(bat_priv, orig_node, gateway);
++		spin_unlock_bh(&bat_priv->gw.list_lock);
+ 		goto out;
+ 	}
++	spin_unlock_bh(&bat_priv->gw.list_lock);
+ 
+ 	if ((gw_node->bandwidth_down == ntohl(gateway->bandwidth_down)) &&
+ 	    (gw_node->bandwidth_up == ntohl(gateway->bandwidth_up)))

batman-adv/patches/0052-batman-adv-Prevent-duplicated-nc_node-entry.patch

@@ -0,0 +1,87 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 6 Sep 2018 14:35:25 +0200
+Subject: batman-adv: Prevent duplicated nc_node entry
+
+The function batadv_nc_get_nc_node is responsible for adding new nc_nodes
+to the in_coding_list and out_coding_list. It first checks whether the
+entry already is in the list or not. If it is, then the creation of a new
+entry is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: 3ed7ada3f0bb ("batman-adv: network coding - detect coding nodes and remove these after timeout")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/bab8447ad1850b25188f9652c0c52f8e58acd656
+
+diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c
+index ab5a3bf0765f36f2fe14ff4a91d43d905e08a1f3..3279f7f3b97fd56535071b857cebebd68a5b3484 100644
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -850,24 +850,6 @@ batadv_nc_get_nc_node(struct batadv_priv *bat_priv,
+ 	spinlock_t *lock; /* Used to lock list selected by "int in_coding" */
+ 	struct list_head *list;
+ 
+-	/* Check if nc_node is already added */
+-	nc_node = batadv_nc_find_nc_node(orig_node, orig_neigh_node, in_coding);
+-
+-	/* Node found */
+-	if (nc_node)
+-		return nc_node;
+-
+-	nc_node = kzalloc(sizeof(*nc_node), GFP_ATOMIC);
+-	if (!nc_node)
+-		return NULL;
+-
+-	/* Initialize nc_node */
+-	INIT_LIST_HEAD(&nc_node->list);
+-	kref_init(&nc_node->refcount);
+-	ether_addr_copy(nc_node->addr, orig_node->orig);
+-	kref_get(&orig_neigh_node->refcount);
+-	nc_node->orig_node = orig_neigh_node;
+-
+ 	/* Select ingoing or outgoing coding node */
+ 	if (in_coding) {
+ 		lock = &orig_neigh_node->in_coding_list_lock;
+@@ -877,13 +859,34 @@ batadv_nc_get_nc_node(struct batadv_priv *bat_priv,
+ 		list = &orig_neigh_node->out_coding_list;
+ 	}
+ 
++	spin_lock_bh(lock);
++
++	/* Check if nc_node is already added */
++	nc_node = batadv_nc_find_nc_node(orig_node, orig_neigh_node, in_coding);
++
++	/* Node found */
++	if (nc_node)
++		goto unlock;
++
++	nc_node = kzalloc(sizeof(*nc_node), GFP_ATOMIC);
++	if (!nc_node)
++		goto unlock;
++
++	/* Initialize nc_node */
++	INIT_LIST_HEAD(&nc_node->list);
++	kref_init(&nc_node->refcount);
++	ether_addr_copy(nc_node->addr, orig_node->orig);
++	kref_get(&orig_neigh_node->refcount);
++	nc_node->orig_node = orig_neigh_node;
++
+ 	batadv_dbg(BATADV_DBG_NC, bat_priv, "Adding nc_node %pM -> %pM\n",
+ 		   nc_node->addr, nc_node->orig_node->orig);
+ 
+ 	/* Add nc_node to orig_node */
+-	spin_lock_bh(lock);
+ 	kref_get(&nc_node->refcount);
+ 	list_add_tail_rcu(&nc_node->list, list);
++
++unlock:
+ 	spin_unlock_bh(lock);
+ 
+ 	return nc_node;

batman-adv/patches/0053-batman-adv-Prevent-duplicated-softif_vlan-entry.patch

@@ -0,0 +1,78 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 6 Sep 2018 14:35:26 +0200
+Subject: batman-adv: Prevent duplicated softif_vlan entry
+
+The function batadv_softif_vlan_get is responsible for adding new
+softif_vlan to the softif_vlan_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: 952cebb57518 ("batman-adv: add per VLAN interface attribute framework")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/023d3f64207e8b6a6e6d0718d98e239c5545ef0c
+
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index 5da1a1c0f1efb5d95f31bc852b899f61e462feb1..ff797f32fb3bb81dafe1e7d3e9c6307e6a5aaff1 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -587,15 +587,20 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
+ 	struct batadv_softif_vlan *vlan;
+ 	int err;
+ 
++	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
++
+ 	vlan = batadv_softif_vlan_get(bat_priv, vid);
+ 	if (vlan) {
+ 		batadv_softif_vlan_put(vlan);
++		spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+ 		return -EEXIST;
+ 	}
+ 
+ 	vlan = kzalloc(sizeof(*vlan), GFP_ATOMIC);
+-	if (!vlan)
++	if (!vlan) {
++		spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+ 		return -ENOMEM;
++	}
+ 
+ 	vlan->bat_priv = bat_priv;
+ 	vlan->vid = vid;
+@@ -603,17 +608,23 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
+ 
+ 	atomic_set(&vlan->ap_isolation, 0);
+ 
+-	err = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan);
+-	if (err) {
+-		kfree(vlan);
+-		return err;
+-	}
+-
+-	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
+ 	kref_get(&vlan->refcount);
+ 	hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
+ 	spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+ 
++	/* batadv_sysfs_add_vlan cannot be in the spinlock section due to the
++	 * sleeping behavior of the sysfs functions and the fs_reclaim lock
++	 */
++	err = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan);
++	if (err) {
++		/* ref for the function */
++		batadv_softif_vlan_put(vlan);
++
++		/* ref for the list */
++		batadv_softif_vlan_put(vlan);
++		return err;
++	}
++
+ 	/* add a new TT local entry. This one will be marked with the NOPURGE
+ 	 * flag
+ 	 */

batman-adv/patches/0054-batman-adv-Prevent-duplicated-global-TT-entry.patch

@@ -0,0 +1,56 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 6 Sep 2018 14:35:27 +0200
+Subject: batman-adv: Prevent duplicated global TT entry
+
+The function batadv_tt_global_orig_entry_add is responsible for adding new
+tt_orig_list_entry to the orig_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: c5eb5bb30321 ("batman-adv: add reference counting for type batadv_tt_orig_list_entry")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/79097255a1a3e1bd1949be309af941181fbc7b36
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 143a00f90d1d925aad7113f897d06f435f28dcd8..b32853cbab028f0a052492545bb803efdcdb0ff3 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1603,6 +1603,8 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
+ {
+ 	struct batadv_tt_orig_list_entry *orig_entry;
+ 
++	spin_lock_bh(&tt_global->list_lock);
++
+ 	orig_entry = batadv_tt_global_orig_entry_find(tt_global, orig_node);
+ 	if (orig_entry) {
+ 		/* refresh the ttvn: the current value could be a bogus one that
+@@ -1625,11 +1627,9 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
+ 	orig_entry->flags = flags;
+ 	kref_init(&orig_entry->refcount);
+ 
+-	spin_lock_bh(&tt_global->list_lock);
+ 	kref_get(&orig_entry->refcount);
+ 	hlist_add_head_rcu(&orig_entry->list,
+ 			   &tt_global->orig_list);
+-	spin_unlock_bh(&tt_global->list_lock);
+ 	atomic_inc(&tt_global->orig_list_count);
+ 
+ sync_flags:
+@@ -1637,6 +1637,8 @@ sync_flags:
+ out:
+ 	if (orig_entry)
+ 		batadv_tt_orig_list_entry_put(orig_entry);
++
++	spin_unlock_bh(&tt_global->list_lock);
+ }
+ 
+ /**

batman-adv/patches/0055-batman-adv-Prevent-duplicated-tvlv-handler.patch

@@ -0,0 +1,56 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 6 Sep 2018 14:35:28 +0200
+Subject: batman-adv: Prevent duplicated tvlv handler
+
+The function batadv_tvlv_handler_register is responsible for adding new
+tvlv_handler to the handler_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: 0b6aa0d43767 ("batman-adv: tvlv - basic infrastructure")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/acabad79e01740525cf4ff8ce6e9a210b683d420
+
+diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
+index a783420356ae0cd4a6273b3b7a04781242e37a82..1eccc49a793004db82346f9dc3be7fcc2386417b 100644
+--- a/net/batman-adv/tvlv.c
++++ b/net/batman-adv/tvlv.c
+@@ -528,15 +528,20 @@ void batadv_tvlv_handler_register(struct batadv_priv *bat_priv,
+ {
+ 	struct batadv_tvlv_handler *tvlv_handler;
+ 
++	spin_lock_bh(&bat_priv->tvlv.handler_list_lock);
++
+ 	tvlv_handler = batadv_tvlv_handler_get(bat_priv, type, version);
+ 	if (tvlv_handler) {
++		spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
+ 		batadv_tvlv_handler_put(tvlv_handler);
+ 		return;
+ 	}
+ 
+ 	tvlv_handler = kzalloc(sizeof(*tvlv_handler), GFP_ATOMIC);
+-	if (!tvlv_handler)
++	if (!tvlv_handler) {
++		spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
+ 		return;
++	}
+ 
+ 	tvlv_handler->ogm_handler = optr;
+ 	tvlv_handler->unicast_handler = uptr;
+@@ -546,7 +551,6 @@ void batadv_tvlv_handler_register(struct batadv_priv *bat_priv,
+ 	kref_init(&tvlv_handler->refcount);
+ 	INIT_HLIST_NODE(&tvlv_handler->list);
+ 
+-	spin_lock_bh(&bat_priv->tvlv.handler_list_lock);
+ 	kref_get(&tvlv_handler->refcount);
+ 	hlist_add_head_rcu(&tvlv_handler->list, &bat_priv->tvlv.handler_list);
+ 	spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);

batman-adv/patches/0056-batman-adv-Use-explicit-tvlv-padding-for-ELP-packets.patch

@@ -0,0 +1,55 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Tue, 30 Oct 2018 12:17:10 +0100
+Subject: batman-adv: Use explicit tvlv padding for ELP packets
+
+The announcement messages of batman-adv COMPAT_VERSION 15 have the
+possibility to announce additional information via a dynamic TVLV part.
+This part is optional for the ELP packets and currently not parsed by the
+Linux implementation. Still out-of-tree versions are using it to transport
+things like neighbor hashes to optimize the rebroadcast behavior.
+
+Since the ELP broadcast packets are smaller than the minimal ethernet
+packet, it often has to be padded. This is often done (as specified in
+RFC894) with octets of zero and thus work perfectly fine with the TVLV
+part (making it a zero length and thus empty). But not all ethernet
+compatible hardware seems to follow this advice. To avoid ambiguous
+situations when parsing the TVLV header, just force the 4 bytes (TVLV
+length + padding) after the required ELP header to zero.
+
+Fixes: a4b88af77e28 ("batman-adv: ELP - adding basic infrastructure")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: backport, https://git.open-mesh.org/batman-adv.git/commit/974337ee9773c4bd0a2d5c322306cf2bea445e11
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index 2ec0ecab0493ff88fdc01e55c8557de5b772e8bf..08c0809fca7de1fe51727652a2e870ddfa74dc13 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -338,21 +338,23 @@ out:
+  */
+ int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface)
+ {
++	static const size_t tvlv_padding = sizeof(__be32);
+ 	struct batadv_elp_packet *elp_packet;
+ 	unsigned char *elp_buff;
+ 	u32 random_seqno;
+ 	size_t size;
+ 	int res = -ENOMEM;
+ 
+-	size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN;
++	size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN + tvlv_padding;
+ 	hard_iface->bat_v.elp_skb = dev_alloc_skb(size);
+ 	if (!hard_iface->bat_v.elp_skb)
+ 		goto out;
+ 
+ 	skb_reserve(hard_iface->bat_v.elp_skb, ETH_HLEN + NET_IP_ALIGN);
+-	elp_buff = skb_put(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
++	elp_buff = skb_put(hard_iface->bat_v.elp_skb,
++			   BATADV_ELP_HLEN + tvlv_padding);
+ 	elp_packet = (struct batadv_elp_packet *)elp_buff;
+-	memset(elp_packet, 0, BATADV_ELP_HLEN);
++	memset(elp_packet, 0, BATADV_ELP_HLEN + tvlv_padding);
+ 
+ 	elp_packet->packet_type = BATADV_ELP;
+ 	elp_packet->version = BATADV_COMPAT_VERSION;

batman-adv/patches/0057-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch

@@ -0,0 +1,41 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 7 Nov 2018 23:09:12 +0100
+Subject: batman-adv: Expand merged fragment buffer for full packet
+
+The complete size ("total_size") of the fragmented packet is stored in the
+fragment header and in the size of the fragment chain. When the fragments
+are ready for merge, the skbuff's tail of the first fragment is expanded to
+have enough room after the data pointer for at least total_size. This means
+that it gets expanded by total_size - first_skb->len.
+
+But this is ignoring the fact that after expanding the buffer, the fragment
+header is pulled by from this buffer. Assuming that the tailroom of the
+buffer was already 0, the buffer after the data pointer of the skbuff is
+now only total_size - len(fragment_header) large. When the merge function
+is then processing the remaining fragments, the code to copy the data over
+to the merged skbuff will cause an skb_over_panic when it tries to actually
+put enough data to fill the total_size bytes of the packet.
+
+The size of the skb_pull must therefore also be taken into account when the
+buffer's tailroom is expanded.
+
+Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
+Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
+Co-authored-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: other, https://patchwork.open-mesh.org/patch/17616/
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 5969d3705ec08a96438ecce06577d35291600753..f6a5196d0370517716dfc9e1f80fb878a068801d 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -274,7 +274,7 @@ batadv_frag_merge_packets(struct hlist_head *chain)
+ 	kfree(entry);
+ 
+ 	packet = (struct batadv_frag_packet *)skb_out->data;
+-	size = ntohs(packet->total_size);
++	size = ntohs(packet->total_size) + hdr_size;
+ 
+ 	/* Make room for the rest of the fragments. */
+ 	if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {

batman-adv/patches/0058-batman-adv-Avoid-WARN-on-net_device-without-parent-i.patch

@@ -0,0 +1,45 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 30 Dec 2018 12:46:01 +0100
+Subject: batman-adv: Avoid WARN on net_device without parent in netns
+
+It is not allowed to use WARN* helpers on potential incorrect input from
+the user or transient problems because systems configured as panic_on_warn
+will reboot due to such a problem.
+
+A NULL return value of __dev_get_by_index can be caused by various problems
+which can either be related to the system configuration or problems
+(incorrectly returned network namespaces) in other (virtual) net_device
+drivers. batman-adv should not cause a (harmful) WARN in this situation and
+instead only report it via a simple message.
+
+Fixes: 3d48811b27f5 ("batman-adv: prevent using any virtual device created on batman-adv as hard-interface")
+Reported-by: syzbot+c764de0fcfadca9a8595@syzkaller.appspotmail.com
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/59ad04405be86f648fd83d81d2fd0a78f215a43b
+
+diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
+index 23d3893264f989c9740e68d83f6db300dee20dc3..c9a3b7bc07bcc443281c4f12c750c4d925c3b2c3 100644
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -19,7 +19,6 @@
+ #include "main.h"
+ 
+ #include <linux/atomic.h>
+-#include <linux/bug.h>
+ #include <linux/byteorder/generic.h>
+ #include <linux/errno.h>
+ #include <linux/fs.h>
+@@ -176,8 +175,10 @@ static bool batadv_is_on_batman_iface(const struct net_device *net_dev)
+ 	parent_dev = __dev_get_by_index((struct net *)parent_net,
+ 					dev_get_iflink(net_dev));
+ 	/* if we got a NULL parent_dev there is something broken.. */
+-	if (WARN(!parent_dev, "Cannot find parent device"))
++	if (!parent_dev) {
++		pr_err("Cannot find parent device\n");
+ 		return false;
++	}
+ 
+ 	if (batadv_mutual_parents(net_dev, net, parent_dev, parent_net))
+ 		return false;

batman-adv/patches/0059-batman-adv-Force-mac-header-to-start-of-data-on-xmit.patch

@@ -0,0 +1,36 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Mon, 31 Dec 2018 22:46:09 +0100
+Subject: batman-adv: Force mac header to start of data on xmit
+
+The caller of ndo_start_xmit may not already have called
+skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr
+therefore can be in the wrong position and even outside the current skbuff.
+This for example happens when the user binds to the device using a
+PF_PACKET-SOCK_RAW with enabled qdisc-bypass:
+
+  int opt = 4;
+  setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt));
+
+Since eth_hdr is used all over the codebase, the batadv_interface_tx
+function must always take care of resetting it.
+
+Fixes: fe28a94c01e1 ("batman-adv: receive packets directly using skbs")
+Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com
+Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/74c4b0c50f19f986752ee18ed393732f4eed7a66
+
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index ff797f32fb3bb81dafe1e7d3e9c6307e6a5aaff1..f590c7b2c76816303fe1d3f5d2858e3a9b126539 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -232,6 +232,8 @@ static int batadv_interface_tx(struct sk_buff *skb,
+ 
+ 	netif_trans_update(soft_iface);
+ 	vid = batadv_get_vid(skb, 0);
++
++	skb_reset_mac_header(skb);
+ 	ethhdr = eth_hdr(skb);
+ 
+ 	switch (ntohs(ethhdr->h_proto)) {

batman-adv/patches/0060-batman-adv-fix-uninit-value-in-batadv_interface_tx.patch

@@ -0,0 +1,95 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 11 Feb 2019 14:41:22 -0800
+Subject: batman-adv: fix uninit-value in batadv_interface_tx()
+
+KMSAN reported batadv_interface_tx() was possibly using a
+garbage value [1]
+
+batadv_get_vid() does have a pskb_may_pull() call
+but batadv_interface_tx() does not actually make sure
+this did not fail.
+
+[1]
+BUG: KMSAN: uninit-value in batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231
+CPU: 0 PID: 10006 Comm: syz-executor469 Not tainted 4.20.0-rc7+ #5
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x173/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
+ __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
+ batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231
+ __netdev_start_xmit include/linux/netdevice.h:4356 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4365 [inline]
+ xmit_one net/core/dev.c:3257 [inline]
+ dev_hard_start_xmit+0x607/0xc40 net/core/dev.c:3273
+ __dev_queue_xmit+0x2e42/0x3bc0 net/core/dev.c:3843
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:3876
+ packet_snd net/packet/af_packet.c:2928 [inline]
+ packet_sendmsg+0x8306/0x8f30 net/packet/af_packet.c:2953
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg net/socket.c:631 [inline]
+ __sys_sendto+0x8c4/0xac0 net/socket.c:1788
+ __do_sys_sendto net/socket.c:1800 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1796
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x441889
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffdda6fd468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000441889
+RDX: 000000000000000e RSI: 00000000200000c0 RDI: 0000000000000003
+RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000216 R12: 00007ffdda6fd4c0
+R13: 00007ffdda6fd4b0 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
+ kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
+ kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
+ kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
+ slab_post_alloc_hook mm/slab.h:446 [inline]
+ slab_alloc_node mm/slub.c:2759 [inline]
+ __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
+ __kmalloc_reserve net/core/skbuff.c:137 [inline]
+ __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
+ alloc_skb include/linux/skbuff.h:998 [inline]
+ alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5220
+ sock_alloc_send_pskb+0xafd/0x10e0 net/core/sock.c:2083
+ packet_alloc_skb net/packet/af_packet.c:2781 [inline]
+ packet_snd net/packet/af_packet.c:2872 [inline]
+ packet_sendmsg+0x661a/0x8f30 net/packet/af_packet.c:2953
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg net/socket.c:631 [inline]
+ __sys_sendto+0x8c4/0xac0 net/socket.c:1788
+ __do_sys_sendto net/socket.c:1800 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1796
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+
+Fixes: 48628bb9419f ("batman-adv: softif bridge loop avoidance")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc:	Marek Lindner <mareklindner@neomailbox.ch>
+Cc:	Simon Wunderlich <sw@simonwunderlich.de>
+Cc:	Antonio Quartulli <a@unstable.cc>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/35482922b38bb5f5b03b0e92bc58cec2b7c77cdf
+
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index f590c7b2c76816303fe1d3f5d2858e3a9b126539..2cb0eee29e95ef67d3a8157226904caf57da87ab 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -238,6 +238,8 @@ static int batadv_interface_tx(struct sk_buff *skb,
+ 
+ 	switch (ntohs(ethhdr->h_proto)) {
+ 	case ETH_P_8021Q:
++		if (!pskb_may_pull(skb, sizeof(*vhdr)))
++			goto dropped;
+ 		vhdr = vlan_eth_hdr(skb);
+ 
+ 		/* drop batman-in-batman packets to prevent loops */

batman-adv/patches/0061-batman-adv-Reduce-claim-hash-refcnt-only-for-removed.patch

@@ -0,0 +1,65 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 23 Feb 2019 15:09:04 +0100
+Subject: batman-adv: Reduce claim hash refcnt only for removed entry
+
+The batadv_hash_remove is a function which searches the hashtable for an
+entry using a needle, a hashtable bucket selection function and a compare
+function. It will lock the bucket list and delete an entry when the compare
+function matches it with the needle. It returns the pointer to the
+hlist_node which matches or NULL when no entry matches the needle.
+
+The batadv_bla_del_claim is not itself protected in anyway to avoid that
+any other function is modifying the hashtable between the search for the
+entry and the call to batadv_hash_remove. It can therefore happen that the
+entry either doesn't exist anymore or an entry was deleted which is not the
+same object as the needle. In such an situation, the reference counter (for
+the reference stored in the hashtable) must not be reduced for the needle.
+Instead the reference counter of the actually removed entry has to be
+reduced.
+
+Otherwise the reference counter will underflow and the object might be
+freed before all its references were dropped. The kref helpers reported
+this problem as:
+
+  refcount_t: underflow; use-after-free.
+
+Fixes: a9ce0dc43e2c ("batman-adv: add basic bridge loop avoidance code")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/3a7af70ae7c4209324dbb08b91e013c17108bdd6
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index 258a74fd1c237fbf1b81dfc1c48720d8359b0ecc..f79bb7751278a27d34131f1d4dba85cb10735093 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -802,6 +802,8 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
+ 				 const u8 *mac, const unsigned short vid)
+ {
+ 	struct batadv_bla_claim search_claim, *claim;
++	struct batadv_bla_claim *claim_removed_entry;
++	struct hlist_node *claim_removed_node;
+ 
+ 	ether_addr_copy(search_claim.addr, mac);
+ 	search_claim.vid = vid;
+@@ -812,10 +814,18 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
+ 	batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_del_claim(): %pM, vid %d\n",
+ 		   mac, BATADV_PRINT_VID(vid));
+ 
+-	batadv_hash_remove(bat_priv->bla.claim_hash, batadv_compare_claim,
+-			   batadv_choose_claim, claim);
+-	batadv_claim_put(claim); /* reference from the hash is gone */
++	claim_removed_node = batadv_hash_remove(bat_priv->bla.claim_hash,
++						batadv_compare_claim,
++						batadv_choose_claim, claim);
++	if (!claim_removed_node)
++		goto free_claim;
+ 
++	/* reference from the hash is gone */
++	claim_removed_entry = hlist_entry(claim_removed_node,
++					  struct batadv_bla_claim, hash_entry);
++	batadv_claim_put(claim_removed_entry);
++
++free_claim:
+ 	/* don't need the reference from hash_find() anymore */
+ 	batadv_claim_put(claim);
+ }

batman-adv/patches/0062-batman-adv-Reduce-tt_local-hash-refcnt-only-for-remo.patch

@@ -0,0 +1,69 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 23 Feb 2019 15:09:05 +0100
+Subject: batman-adv: Reduce tt_local hash refcnt only for removed entry
+
+The batadv_hash_remove is a function which searches the hashtable for an
+entry using a needle, a hashtable bucket selection function and a compare
+function. It will lock the bucket list and delete an entry when the compare
+function matches it with the needle. It returns the pointer to the
+hlist_node which matches or NULL when no entry matches the needle.
+
+The batadv_tt_local_remove is not itself protected in anyway to avoid that
+any other function is modifying the hashtable between the search for the
+entry and the call to batadv_hash_remove. It can therefore happen that the
+entry either doesn't exist anymore or an entry was deleted which is not the
+same object as the needle. In such an situation, the reference counter (for
+the reference stored in the hashtable) must not be reduced for the needle.
+Instead the reference counter of the actually removed entry has to be
+reduced.
+
+Otherwise the reference counter will underflow and the object might be
+freed before all its references were dropped. The kref helpers reported
+this problem as:
+
+  refcount_t: underflow; use-after-free.
+
+Fixes: af912d77181f ("batman-adv: protect tt_local_entry from concurrent delete events")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/0c86a0511e97de502276900c5d6f22b09e042d21
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index b32853cbab028f0a052492545bb803efdcdb0ff3..d30e86dc5ad64e5de9487224b802d6fbdcf5f440 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1322,9 +1322,10 @@ u16 batadv_tt_local_remove(struct batadv_priv *bat_priv, const u8 *addr,
+ 			   unsigned short vid, const char *message,
+ 			   bool roaming)
+ {
++	struct batadv_tt_local_entry *tt_removed_entry;
+ 	struct batadv_tt_local_entry *tt_local_entry;
+ 	u16 flags, curr_flags = BATADV_NO_FLAGS;
+-	void *tt_entry_exists;
++	struct hlist_node *tt_removed_node;
+ 
+ 	tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid);
+ 	if (!tt_local_entry)
+@@ -1353,15 +1354,18 @@ u16 batadv_tt_local_remove(struct batadv_priv *bat_priv, const u8 *addr,
+ 	 */
+ 	batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL);
+ 
+-	tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash,
++	tt_removed_node = batadv_hash_remove(bat_priv->tt.local_hash,
+ 					     batadv_compare_tt,
+ 					     batadv_choose_tt,
+ 					     &tt_local_entry->common);
+-	if (!tt_entry_exists)
++	if (!tt_removed_node)
+ 		goto out;
+ 
+-	/* extra call to free the local tt entry */
+-	batadv_tt_local_entry_put(tt_local_entry);
++	/* drop reference of remove hash entry */
++	tt_removed_entry = hlist_entry(tt_removed_node,
++				       struct batadv_tt_local_entry,
++				       common.hash_entry);
++	batadv_tt_local_entry_put(tt_removed_entry);
+ 
+ out:
+ 	if (tt_local_entry)

batman-adv/patches/0063-batman-adv-Reduce-tt_global-hash-refcnt-only-for-rem.patch

@@ -0,0 +1,66 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 23 Feb 2019 15:09:06 +0100
+Subject: batman-adv: Reduce tt_global hash refcnt only for removed entry
+
+The batadv_hash_remove is a function which searches the hashtable for an
+entry using a needle, a hashtable bucket selection function and a compare
+function. It will lock the bucket list and delete an entry when the compare
+function matches it with the needle. It returns the pointer to the
+hlist_node which matches or NULL when no entry matches the needle.
+
+The batadv_tt_global_free is not itself protected in anyway to avoid that
+any other function is modifying the hashtable between the search for the
+entry and the call to batadv_hash_remove. It can therefore happen that the
+entry either doesn't exist anymore or an entry was deleted which is not the
+same object as the needle. In such an situation, the reference counter (for
+the reference stored in the hashtable) must not be reduced for the needle.
+Instead the reference counter of the actually removed entry has to be
+reduced.
+
+Otherwise the reference counter will underflow and the object might be
+freed before all its references were dropped. The kref helpers reported
+this problem as:
+
+  refcount_t: underflow; use-after-free.
+
+Fixes: 7bad46397eff ("batman-adv: protect the local and the global trans-tables with rcu")
+Reported-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/bd6df24da0063fe50828c287d05bdc1876f4f6cc
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index d30e86dc5ad64e5de9487224b802d6fbdcf5f440..a1b83416be842810f4ca49212c3afb91c598a64b 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -614,14 +614,26 @@ static void batadv_tt_global_free(struct batadv_priv *bat_priv,
+ 				  struct batadv_tt_global_entry *tt_global,
+ 				  const char *message)
+ {
++	struct batadv_tt_global_entry *tt_removed_entry;
++	struct hlist_node *tt_removed_node;
++
+ 	batadv_dbg(BATADV_DBG_TT, bat_priv,
+ 		   "Deleting global tt entry %pM (vid: %d): %s\n",
+ 		   tt_global->common.addr,
+ 		   BATADV_PRINT_VID(tt_global->common.vid), message);
+ 
+-	batadv_hash_remove(bat_priv->tt.global_hash, batadv_compare_tt,
+-			   batadv_choose_tt, &tt_global->common);
+-	batadv_tt_global_entry_put(tt_global);
++	tt_removed_node = batadv_hash_remove(bat_priv->tt.global_hash,
++					     batadv_compare_tt,
++					     batadv_choose_tt,
++					     &tt_global->common);
++	if (!tt_removed_node)
++		return;
++
++	/* drop reference of remove hash entry */
++	tt_removed_entry = hlist_entry(tt_removed_node,
++				       struct batadv_tt_global_entry,
++				       common.hash_entry);
++	batadv_tt_global_entry_put(tt_removed_entry);
+ }
+ 
+ /**

batman-adv/patches/0064-batman-adv-mcast-fix-multicast-tt-tvlv-worker-lockin.patch

@@ -0,0 +1,104 @@
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Wed, 24 Apr 2019 03:19:14 +0200
+Subject: batman-adv: mcast: fix multicast tt/tvlv worker locking
+
+Syzbot has reported some issues with the locking assumptions made for
+the multicast tt/tvlv worker: It was able to trigger the WARN_ON() in
+batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add().
+While hard/not reproduceable for us so far it seems that the
+delayed_work_pending() we use might not be quite safe from reordering.
+
+Therefore this patch adds an explicit, new spinlock to protect the
+update of the mla_list and flags in bat_priv and then removes the
+WARN_ON(delayed_work_pending()).
+
+Reported-by: syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com
+Reported-by: syzbot+050927a651272b145a5d@syzkaller.appspotmail.com
+Reported-by: syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com
+Reported-by: syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com
+Fixes: 40b384052672 ("batman-adv: Use own timer for multicast TT and TVLV updates")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: backport, https://git.open-mesh.org/batman-adv.git/commit/b736cf8119cfbc9d95fef90c8832fdec6e8f29c7
+
+diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c
+index d46415edd3be98d9538def8d55674b5336eca6a1..aa22e941dcb3a9a77bac5ccaebfb2335c104924a 100644
+--- a/net/batman-adv/main.c
++++ b/net/batman-adv/main.c
+@@ -153,6 +153,7 @@ int batadv_mesh_init(struct net_device *soft_iface)
+ 	spin_lock_init(&bat_priv->tt.commit_lock);
+ 	spin_lock_init(&bat_priv->gw.list_lock);
+ #ifdef CONFIG_BATMAN_ADV_MCAST
++	spin_lock_init(&bat_priv->mcast.mla_lock);
+ 	spin_lock_init(&bat_priv->mcast.want_lists_lock);
+ #endif
+ 	spin_lock_init(&bat_priv->tvlv.container_list_lock);
+diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
+index 20680e1dafc46cd60766a6dcd4f401f097ad4786..3d8508cbbb344abdc029d83763e2ac76bb3a1b4c 100644
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -269,8 +269,6 @@ static void batadv_mcast_mla_list_free(struct hlist_head *mcast_list)
+  * translation table except the ones listed in the given mcast_list.
+  *
+  * If mcast_list is NULL then all are retracted.
+- *
+- * Do not call outside of the mcast worker! (or cancel mcast worker first)
+  */
+ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
+ 					struct hlist_head *mcast_list)
+@@ -278,8 +276,6 @@ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
+ 	struct batadv_hw_addr *mcast_entry;
+ 	struct hlist_node *tmp;
+ 
+-	WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
+-
+ 	hlist_for_each_entry_safe(mcast_entry, tmp, &bat_priv->mcast.mla_list,
+ 				  list) {
+ 		if (mcast_list &&
+@@ -303,8 +299,6 @@ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
+  *
+  * Adds multicast listener announcements from the given mcast_list to the
+  * translation table if they have not been added yet.
+- *
+- * Do not call outside of the mcast worker! (or cancel mcast worker first)
+  */
+ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv,
+ 				    struct hlist_head *mcast_list)
+@@ -312,8 +306,6 @@ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv,
+ 	struct batadv_hw_addr *mcast_entry;
+ 	struct hlist_node *tmp;
+ 
+-	WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
+-
+ 	if (!mcast_list)
+ 		return;
+ 
+@@ -601,7 +593,10 @@ static void batadv_mcast_mla_update(struct work_struct *work)
+ 	priv_mcast = container_of(delayed_work, struct batadv_priv_mcast, work);
+ 	bat_priv = container_of(priv_mcast, struct batadv_priv, mcast);
+ 
++	spin_lock(&bat_priv->mcast.mla_lock);
+ 	__batadv_mcast_mla_update(bat_priv);
++	spin_unlock(&bat_priv->mcast.mla_lock);
++
+ 	batadv_mcast_start_timer(bat_priv);
+ }
+ 
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index bf1d3f0258ffb2fb8ee483337012798b20462cd6..1d8ee2bdbe01067ae4dbb9441cebeaa20735cdf9 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -817,6 +817,12 @@ struct batadv_priv_mcast {
+ 	bool enabled;
+ 	bool bridged;
+ 	atomic_t num_disabled;
++
++	/**
++	 * @mla_lock: a lock protecting mla_list and mla_flags
++	 */
++	spinlock_t mla_lock;
++
+ 	atomic_t num_want_all_unsnoopables;
+ 	atomic_t num_want_all_ipv4;
+ 	atomic_t num_want_all_ipv6;

batman-adv/patches/0065-batman-adv-fix-for-leaked-TVLV-handler.patch

@@ -0,0 +1,28 @@
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Tue, 21 May 2019 20:58:57 +0100
+Subject: batman-adv: fix for leaked TVLV handler.
+
+A handler for BATADV_TVLV_ROAM was being registered when the
+translation-table was initialized, but not unregistered when the
+translation-table was freed.  Unregister it.
+
+Fixes: 3de4e64df0f1 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets")
+Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/87445d81c360a5f9833546114e98ffd2c1fd3a4d
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index a1b83416be842810f4ca49212c3afb91c598a64b..4aa2d24639ab5f69dc956990016aaabd5ceef4d9 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -3800,6 +3800,8 @@ static void batadv_tt_purge(struct work_struct *work)
+ 
+ void batadv_tt_free(struct batadv_priv *bat_priv)
+ {
++	batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1);
++
+ 	batadv_tvlv_container_unregister(bat_priv, BATADV_TVLV_TT, 1);
+ 	batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_TT, 1);
+ 

batman-adv/patches/0066-batman-adv-Fix-duplicated-OGMs-on-NETDEV_UP.patch

@@ -0,0 +1,83 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 2 Jun 2019 10:57:31 +0200
+Subject: batman-adv: Fix duplicated OGMs on NETDEV_UP
+
+The state of slave interfaces are handled differently depending on whether
+the interface is up or not. All active interfaces (IFF_UP) will transmit
+OGMs. But for B.A.T.M.A.N. IV, also non-active interfaces are scheduling
+(low TTL) OGMs on active interfaces. The code which setups and schedules
+the OGMs must therefore already be called when the interfaces gets added as
+slave interface and the transmit function must then check whether it has to
+send out the OGM or not on the specific slave interface.
+
+But the commit 0d8468553c3c ("batman-adv: remove ogm_emit and ogm_schedule
+API calls") moved the setup code from the enable function to the activate
+function. The latter is called either when the added slave was already up
+when batadv_hardif_enable_interface processed the new interface or when a
+NETDEV_UP event was received for this slave interfac. As result, each
+NETDEV_UP would schedule a new OGM worker for the interface and thus OGMs
+would be send a lot more than expected.
+
+Fixes: 0d8468553c3c ("batman-adv: remove ogm_emit and ogm_schedule API calls")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: backport, https://git.open-mesh.org/batman-adv.git/commit/c92331e0df3c0c5645ee5a897eb018c5da5e4aa5
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index f0174a17b30d14e5c127106b364b8fbc8ec384ee..73ea771287fd8babc6c8858643e84c1d9cba3691 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -2475,7 +2475,7 @@ batadv_iv_ogm_neigh_is_sob(struct batadv_neigh_node *neigh1,
+ 	return ret;
+ }
+ 
+-static void batadv_iv_iface_activate(struct batadv_hard_iface *hard_iface)
++static void batadv_iv_iface_enabled(struct batadv_hard_iface *hard_iface)
+ {
+ 	/* begin scheduling originator messages on that interface */
+ 	batadv_iv_ogm_schedule(hard_iface);
+@@ -2815,8 +2815,8 @@ unlock:
+ static struct batadv_algo_ops batadv_batman_iv __read_mostly = {
+ 	.name = "BATMAN_IV",
+ 	.iface = {
+-		.activate = batadv_iv_iface_activate,
+ 		.enable = batadv_iv_ogm_iface_enable,
++		.enabled = batadv_iv_iface_enabled,
+ 		.disable = batadv_iv_ogm_iface_disable,
+ 		.update_mac = batadv_iv_ogm_iface_update_mac,
+ 		.primary_set = batadv_iv_ogm_primary_iface_set,
+diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
+index c9a3b7bc07bcc443281c4f12c750c4d925c3b2c3..6d96ecd14fb0881e3384850bc34063b999fe5c93 100644
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -799,6 +799,9 @@ int batadv_hardif_enable_interface(struct batadv_hard_iface *hard_iface,
+ 
+ 	batadv_hardif_recalc_extra_skbroom(soft_iface);
+ 
++	if (bat_priv->algo_ops->iface.enabled)
++		bat_priv->algo_ops->iface.enabled(hard_iface);
++
+ out:
+ 	return 0;
+ 
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index 1d8ee2bdbe01067ae4dbb9441cebeaa20735cdf9..5c5762f0f89c8b79b52288104d975dc3753bbf82 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -1428,6 +1428,7 @@ struct batadv_forw_packet {
+  * @activate: start routing mechanisms when hard-interface is brought up
+  *  (optional)
+  * @enable: init routing info when hard-interface is enabled
++ * @enabled: notification when hard-interface was enabled (optional)
+  * @disable: de-init routing info when hard-interface is disabled
+  * @update_mac: (re-)init mac addresses of the protocol information
+  *  belonging to this hard-interface
+@@ -1436,6 +1437,7 @@ struct batadv_forw_packet {
+ struct batadv_algo_iface_ops {
+ 	void (*activate)(struct batadv_hard_iface *hard_iface);
+ 	int (*enable)(struct batadv_hard_iface *hard_iface);
++	void (*enabled)(struct batadv_hard_iface *hard_iface);
+ 	void (*disable)(struct batadv_hard_iface *hard_iface);
+ 	void (*update_mac)(struct batadv_hard_iface *hard_iface);
+ 	void (*primary_set)(struct batadv_hard_iface *hard_iface);

batman-adv/patches/0067-batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch

@@ -0,0 +1,58 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 12 Aug 2019 04:57:27 -0700
+Subject: batman-adv: fix uninit-value in batadv_netlink_get_ifindex()
+
+batadv_netlink_get_ifindex() needs to make sure user passed
+a correct u32 attribute.
+
+syzbot reported :
+BUG: KMSAN: uninit-value in batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
+CPU: 1 PID: 11705 Comm: syz-executor888 Not tainted 5.1.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
+ genl_lock_dumpit+0xc6/0x130 net/netlink/genetlink.c:482
+ netlink_dump+0xa84/0x1ab0 net/netlink/af_netlink.c:2253
+ __netlink_dump_start+0xa3a/0xb30 net/netlink/af_netlink.c:2361
+ genl_family_rcv_msg net/netlink/genetlink.c:550 [inline]
+ genl_rcv_msg+0xfc1/0x1a40 net/netlink/genetlink.c:627
+ netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2486
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:638
+ netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
+ netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1337
+ netlink_sendmsg+0x127e/0x12f0 net/netlink/af_netlink.c:1926
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg net/socket.c:661 [inline]
+ ___sys_sendmsg+0xcc6/0x1200 net/socket.c:2260
+ __sys_sendmsg net/socket.c:2298 [inline]
+ __do_sys_sendmsg net/socket.c:2307 [inline]
+ __se_sys_sendmsg+0x305/0x460 net/socket.c:2305
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2305
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x440209
+
+Fixes: 55d368c3a57e ("batman-adv: netlink: hardif query")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/9b470b8a2b9ef4ce68d6e95febd3a0574be1ac14
+
+diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
+index 062738163bdce747b7f49c96d9180899bb15ea2f..e6852deebe1a07100ba2a6ac3631ab977797464c 100644
+--- a/net/batman-adv/netlink.c
++++ b/net/batman-adv/netlink.c
+@@ -110,7 +110,7 @@ batadv_netlink_get_ifindex(const struct nlmsghdr *nlh, int attrtype)
+ {
+ 	struct nlattr *attr = nlmsg_find_attr(nlh, GENL_HDRLEN, attrtype);
+ 
+-	return attr ? nla_get_u32(attr) : 0;
++	return (attr && nla_len(attr) == sizeof(u32)) ? nla_get_u32(attr) : 0;
+ }
+ 
+ /**

batman-adv/patches/0068-batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch

@@ -0,0 +1,74 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 23 Aug 2019 14:34:27 +0200
+Subject: batman-adv: Only read OGM tvlv_len after buffer len check
+
+Multiple batadv_ogm_packet can be stored in an skbuff. The functions
+batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use
+batadv_iv_ogm_aggr_packet() to check if there is another additional
+batadv_ogm_packet in the skb or not before they continue processing the
+packet.
+
+The length for such an OGM is BATADV_OGM_HLEN +
+batadv_ogm_packet->tvlv_len. The check must first check that at least
+BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is
+part of the header. Otherwise it might try read outside of the currently
+available skbuff to get the content of tvlv_len.
+
+Fixes: 0b6aa0d43767 ("batman-adv: tvlv - basic infrastructure")
+Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/07b6051ebcfaa7ea89b4f278eca2ff4070d29e56
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index 73ea771287fd8babc6c8858643e84c1d9cba3691..8967bc91423cd36b3a4dc240150ff2a694f5bed4 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -454,17 +454,23 @@ static u8 batadv_hop_penalty(u8 tq, const struct batadv_priv *bat_priv)
+  * batadv_iv_ogm_aggr_packet - checks if there is another OGM attached
+  * @buff_pos: current position in the skb
+  * @packet_len: total length of the skb
+- * @tvlv_len: tvlv length of the previously considered OGM
++ * @ogm_packet: potential OGM in buffer
+  *
+  * Return: true if there is enough space for another OGM, false otherwise.
+  */
+-static bool batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
+-				      __be16 tvlv_len)
++static bool
++batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
++			  const struct batadv_ogm_packet *ogm_packet)
+ {
+ 	int next_buff_pos = 0;
+ 
+-	next_buff_pos += buff_pos + BATADV_OGM_HLEN;
+-	next_buff_pos += ntohs(tvlv_len);
++	/* check if there is enough space for the header */
++	next_buff_pos += buff_pos + sizeof(*ogm_packet);
++	if (next_buff_pos > packet_len)
++		return false;
++
++	/* check if there is enough space for the optional TVLV */
++	next_buff_pos += ntohs(ogm_packet->tvlv_len);
+ 
+ 	return (next_buff_pos <= packet_len) &&
+ 	       (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+@@ -492,7 +498,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
+ 
+ 	/* adjust all flags and log packets */
+ 	while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
+-					 batadv_ogm_packet->tvlv_len)) {
++					 batadv_ogm_packet)) {
+ 		/* we might have aggregated direct link packets with an
+ 		 * ordinary base packet
+ 		 */
+@@ -1842,7 +1848,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
+ 
+ 	/* unpack the aggregated packets and process them one by one */
+ 	while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
+-					 ogm_packet->tvlv_len)) {
++					 ogm_packet)) {
+ 		batadv_iv_ogm_process(skb, ogm_offset, if_incoming);
+ 
+ 		ogm_offset += BATADV_OGM_HLEN;

batman-adv/patches/0069-batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch

@@ -0,0 +1,62 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 23 Aug 2019 14:34:28 +0200
+Subject: batman-adv: Only read OGM2 tvlv_len after buffer len check
+
+Multiple batadv_ogm2_packet can be stored in an skbuff. The functions
+batadv_v_ogm_send_to_if() uses batadv_v_ogm_aggr_packet() to check if there
+is another additional batadv_ogm2_packet in the skb or not before they
+continue processing the packet.
+
+The length for such an OGM2 is BATADV_OGM2_HLEN +
+batadv_ogm2_packet->tvlv_len. The check must first check that at least
+BATADV_OGM2_HLEN bytes are available before it accesses tvlv_len (which is
+part of the header. Otherwise it might try read outside of the currently
+available skbuff to get the content of tvlv_len.
+
+Fixes: 667996ebeab4 ("batman-adv: OGMv2 - implement originators logic")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/18f77da3761c5550f42a2d131f0fe5cac62e022d
+
+diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
+index 38b9aab83fc0eaf63e3713d278482524253d5c1a..5f4fe1889053d4ea7624e4500dcefe2601371024 100644
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -644,17 +644,23 @@ batadv_v_ogm_process_per_outif(struct batadv_priv *bat_priv,
+  * batadv_v_ogm_aggr_packet - checks if there is another OGM aggregated
+  * @buff_pos: current position in the skb
+  * @packet_len: total length of the skb
+- * @tvlv_len: tvlv length of the previously considered OGM
++ * @ogm2_packet: potential OGM2 in buffer
+  *
+  * Return: true if there is enough space for another OGM, false otherwise.
+  */
+-static bool batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
+-				     __be16 tvlv_len)
++static bool
++batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
++			 const struct batadv_ogm2_packet *ogm2_packet)
+ {
+ 	int next_buff_pos = 0;
+ 
+-	next_buff_pos += buff_pos + BATADV_OGM2_HLEN;
+-	next_buff_pos += ntohs(tvlv_len);
++	/* check if there is enough space for the header */
++	next_buff_pos += buff_pos + sizeof(*ogm2_packet);
++	if (next_buff_pos > packet_len)
++		return false;
++
++	/* check if there is enough space for the optional TVLV */
++	next_buff_pos += ntohs(ogm2_packet->tvlv_len);
+ 
+ 	return (next_buff_pos <= packet_len) &&
+ 	       (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+@@ -831,7 +837,7 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb,
+ 	ogm_packet = (struct batadv_ogm2_packet *)skb->data;
+ 
+ 	while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
+-					ogm_packet->tvlv_len)) {
++					ogm_packet)) {
+ 		batadv_v_ogm_process(skb, ogm_offset, if_incoming);
+ 
+ 		ogm_offset += BATADV_OGM2_HLEN;

batman-adv/patches/0070-batman-adv-Avoid-free-alloc-race-when-handling-OGM2-.patch

@@ -0,0 +1,117 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 3 Oct 2019 17:02:01 +0200
+Subject: batman-adv: Avoid free/alloc race when handling OGM2 buffer
+
+A B.A.T.M.A.N. V virtual interface has an OGM2 packet buffer which is
+initialized using data from the RTNL lock protected netdevice notifier and
+other rtnetlink related hooks. It is sent regularly via various slave
+interfaces of the batadv virtual interface and in this process also
+modified (realloced) to integrate additional state information via TVLV
+containers.
+
+It must be avoided that the worker item is executed without a common lock
+with the netdevice notifier/rtnetlink helpers. Otherwise it can either
+happen that half modified data is sent out or the functions modifying the
+OGM2 buffer try to access already freed memory regions.
+
+Fixes: 632835348e65 ("batman-adv: OGMv2 - add basic infrastructure")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/14ee24576213ff02272b7f8d975c7c61d5448aa2
+
+diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
+index 5f4fe1889053d4ea7624e4500dcefe2601371024..f5feaa8c4fd228228fea519771e2c9e123b10345 100644
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -32,6 +32,7 @@
+ #include <linux/random.h>
+ #include <linux/rculist.h>
+ #include <linux/rcupdate.h>
++#include <linux/rtnetlink.h>
+ #include <linux/skbuff.h>
+ #include <linux/slab.h>
+ #include <linux/stddef.h>
+@@ -127,14 +128,12 @@ static void batadv_v_ogm_send_to_if(struct sk_buff *skb,
+ }
+ 
+ /**
+- * batadv_v_ogm_send - periodic worker broadcasting the own OGM
+- * @work: work queue item
++ * batadv_v_ogm_send_softif() - periodic worker broadcasting the own OGM
++ *  @bat_priv: the bat priv with all the soft interface information
+  */
+-static void batadv_v_ogm_send(struct work_struct *work)
++static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
+ {
+ 	struct batadv_hard_iface *hard_iface;
+-	struct batadv_priv_bat_v *bat_v;
+-	struct batadv_priv *bat_priv;
+ 	struct batadv_ogm2_packet *ogm_packet;
+ 	struct sk_buff *skb, *skb_tmp;
+ 	unsigned char *ogm_buff, *pkt_buff;
+@@ -142,8 +141,7 @@ static void batadv_v_ogm_send(struct work_struct *work)
+ 	u16 tvlv_len = 0;
+ 	int ret;
+ 
+-	bat_v = container_of(work, struct batadv_priv_bat_v, ogm_wq.work);
+-	bat_priv = container_of(bat_v, struct batadv_priv, bat_v);
++	ASSERT_RTNL();
+ 
+ 	if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_DEACTIVATING)
+ 		goto out;
+@@ -235,6 +233,22 @@ out:
+ 	return;
+ }
+ 
++/**
++ * batadv_v_ogm_send() - periodic worker broadcasting the own OGM
++ * @work: work queue item
++ */
++static void batadv_v_ogm_send(struct work_struct *work)
++{
++	struct batadv_priv_bat_v *bat_v;
++	struct batadv_priv *bat_priv;
++
++	rtnl_lock();
++	bat_v = container_of(work, struct batadv_priv_bat_v, ogm_wq.work);
++	bat_priv = container_of(bat_v, struct batadv_priv, bat_v);
++	batadv_v_ogm_send_softif(bat_priv);
++	rtnl_unlock();
++}
++
+ /**
+  * batadv_v_ogm_iface_enable - prepare an interface for B.A.T.M.A.N. V
+  * @hard_iface: the interface to prepare
+@@ -261,6 +275,8 @@ void batadv_v_ogm_primary_iface_set(struct batadv_hard_iface *primary_iface)
+ 	struct batadv_priv *bat_priv = netdev_priv(primary_iface->soft_iface);
+ 	struct batadv_ogm2_packet *ogm_packet;
+ 
++	ASSERT_RTNL();
++
+ 	if (!bat_priv->bat_v.ogm_buff)
+ 		return;
+ 
+@@ -870,6 +886,8 @@ int batadv_v_ogm_init(struct batadv_priv *bat_priv)
+ 	unsigned char *ogm_buff;
+ 	u32 random_seqno;
+ 
++	ASSERT_RTNL();
++
+ 	bat_priv->bat_v.ogm_buff_len = BATADV_OGM2_HLEN;
+ 	ogm_buff = kzalloc(bat_priv->bat_v.ogm_buff_len, GFP_ATOMIC);
+ 	if (!ogm_buff)
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index 5c5762f0f89c8b79b52288104d975dc3753bbf82..11ced015ab639f0d82f12ae533a92f356734cafa 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -990,8 +990,8 @@ struct batadv_softif_vlan {
+ 
+ /**
+  * struct batadv_priv_bat_v - B.A.T.M.A.N. V per soft-interface private data
+- * @ogm_buff: buffer holding the OGM packet
+- * @ogm_buff_len: length of the OGM packet buffer
++ * @ogm_buff: buffer holding the OGM packet. rtnl protected
++ * @ogm_buff_len: length of the OGM packet buffer. rtnl protected
+  * @ogm_seqno: OGM sequence number - used to identify each OGM
+  * @ogm_wq: workqueue used to schedule OGM transmissions
+  */

batman-adv/patches/0071-batman-adv-Avoid-free-alloc-race-when-handling-OGM-b.patch

@@ -0,0 +1,134 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 3 Oct 2019 17:02:01 +0200
+Subject: batman-adv: Avoid free/alloc race when handling OGM buffer
+
+Each slave interface of an B.A.T.M.A.N. IV virtual interface has an OGM
+packet buffer which is initialized using data from the RTNL lock protected
+netdevice notifier and other rtnetlink related hooks. It is sent regularly
+via various slave interfaces of the batadv virtual interface and in this
+process also modified (realloced) to integrate additional state information
+via TVLV containers.
+
+It must be avoided that the worker item is executed without a common lock
+with the netdevice notifier/rtnetlink helpers. Otherwise it can either
+happen that half modified/freed data is sent out or functions modifying the
+OGM buffer try to access already freed memory regions.
+
+Reported-by: syzbot+0cc629f19ccb8534935b@syzkaller.appspotmail.com
+Fixes: ea6f8d42a595 ("batman-adv: move /proc interface handling to /sys")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/9b8ceef26c697d0c8319748428944c3339a498dc
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index 8967bc91423cd36b3a4dc240150ff2a694f5bed4..ccb60591a01886ceef22408e9387a8a3fda05a36 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -41,6 +41,7 @@
+ #include <linux/random.h>
+ #include <linux/rculist.h>
+ #include <linux/rcupdate.h>
++#include <linux/rtnetlink.h>
+ #include <linux/seq_file.h>
+ #include <linux/skbuff.h>
+ #include <linux/slab.h>
+@@ -370,6 +371,8 @@ static int batadv_iv_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
+ 	unsigned char *ogm_buff;
+ 	u32 random_seqno;
+ 
++	ASSERT_RTNL();
++
+ 	/* randomize initial seqno to avoid collision */
+ 	get_random_bytes(&random_seqno, sizeof(random_seqno));
+ 	atomic_set(&hard_iface->bat_iv.ogm_seqno, random_seqno);
+@@ -394,6 +397,8 @@ static int batadv_iv_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
+ 
+ static void batadv_iv_ogm_iface_disable(struct batadv_hard_iface *hard_iface)
+ {
++	ASSERT_RTNL();
++
+ 	kfree(hard_iface->bat_iv.ogm_buff);
+ 	hard_iface->bat_iv.ogm_buff = NULL;
+ }
+@@ -403,6 +408,8 @@ static void batadv_iv_ogm_iface_update_mac(struct batadv_hard_iface *hard_iface)
+ 	struct batadv_ogm_packet *batadv_ogm_packet;
+ 	unsigned char *ogm_buff = hard_iface->bat_iv.ogm_buff;
+ 
++	ASSERT_RTNL();
++
+ 	batadv_ogm_packet = (struct batadv_ogm_packet *)ogm_buff;
+ 	ether_addr_copy(batadv_ogm_packet->orig,
+ 			hard_iface->net_dev->dev_addr);
+@@ -416,6 +423,8 @@ batadv_iv_ogm_primary_iface_set(struct batadv_hard_iface *hard_iface)
+ 	struct batadv_ogm_packet *batadv_ogm_packet;
+ 	unsigned char *ogm_buff = hard_iface->bat_iv.ogm_buff;
+ 
++	ASSERT_RTNL();
++
+ 	batadv_ogm_packet = (struct batadv_ogm_packet *)ogm_buff;
+ 	batadv_ogm_packet->ttl = BATADV_TTL;
+ }
+@@ -927,6 +936,8 @@ static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
+ 	u16 tvlv_len = 0;
+ 	unsigned long send_time;
+ 
++	ASSERT_RTNL();
++
+ 	if ((hard_iface->if_status == BATADV_IF_NOT_IN_USE) ||
+ 	    (hard_iface->if_status == BATADV_IF_TO_BE_REMOVED))
+ 		return;
+@@ -1781,16 +1792,12 @@ static void batadv_iv_ogm_process(const struct sk_buff *skb, int ogm_offset,
+ 	batadv_orig_node_put(orig_node);
+ }
+ 
+-static void batadv_iv_send_outstanding_bat_ogm_packet(struct work_struct *work)
++static void
++batadv_iv_send_outstanding_forw_packet(struct batadv_forw_packet *forw_packet)
+ {
+-	struct delayed_work *delayed_work;
+-	struct batadv_forw_packet *forw_packet;
+ 	struct batadv_priv *bat_priv;
+ 	bool dropped = false;
+ 
+-	delayed_work = to_delayed_work(work);
+-	forw_packet = container_of(delayed_work, struct batadv_forw_packet,
+-				   delayed_work);
+ 	bat_priv = netdev_priv(forw_packet->if_incoming->soft_iface);
+ 
+ 	if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_DEACTIVATING) {
+@@ -1819,6 +1826,20 @@ out:
+ 		batadv_forw_packet_free(forw_packet, dropped);
+ }
+ 
++static void batadv_iv_send_outstanding_bat_ogm_packet(struct work_struct *work)
++{
++	struct delayed_work *delayed_work;
++	struct batadv_forw_packet *forw_packet;
++
++	delayed_work = to_delayed_work(work);
++	forw_packet = container_of(delayed_work, struct batadv_forw_packet,
++				   delayed_work);
++
++	rtnl_lock();
++	batadv_iv_send_outstanding_forw_packet(forw_packet);
++	rtnl_unlock();
++}
++
+ static int batadv_iv_ogm_receive(struct sk_buff *skb,
+ 				 struct batadv_hard_iface *if_incoming)
+ {
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index 11ced015ab639f0d82f12ae533a92f356734cafa..2489d5e403c1bcbcc9008f51303f7b1ea4753ea2 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -78,8 +78,8 @@ enum batadv_dhcp_recipient {
+ 
+ /**
+  * struct batadv_hard_iface_bat_iv - per hard-interface B.A.T.M.A.N. IV data
+- * @ogm_buff: buffer holding the OGM packet
+- * @ogm_buff_len: length of the OGM packet buffer
++ * @ogm_buff: buffer holding the OGM packet. rtnl protected
++ * @ogm_buff_len: length of the OGM packet buffer. rtnl protected
+  * @ogm_seqno: OGM sequence number - used to identify each OGM
+  */
+ struct batadv_hard_iface_bat_iv {

batman-adv/patches/0072-batman-adv-Introduce-own-OGM2-buffer-mutex.patch

@@ -0,0 +1,137 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 13 Oct 2019 21:03:06 +0200
+Subject: batman-adv: Introduce own OGM2 buffer mutex
+
+Only a single function is currently automatically locked by the rtnl_lock
+because (unlike B.A.T.M.A.N. IV) the OGM2 buffer is independent of the hard
+interfaces on which it will be transmitted. A private mutex can be used
+instead to avoid unnecessary delays which would have been introduced by the
+global lock.
+
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/8069c581f9097f1f9398f2d49047a1dab8093821
+
+diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
+index f5feaa8c4fd228228fea519771e2c9e123b10345..a9240a0bedad109aba58e30038fe91a421ab4126 100644
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -28,11 +28,12 @@
+ #include <linux/kernel.h>
+ #include <linux/kref.h>
+ #include <linux/list.h>
++#include <linux/lockdep.h>
++#include <linux/mutex.h>
+ #include <linux/netdevice.h>
+ #include <linux/random.h>
+ #include <linux/rculist.h>
+ #include <linux/rcupdate.h>
+-#include <linux/rtnetlink.h>
+ #include <linux/skbuff.h>
+ #include <linux/slab.h>
+ #include <linux/stddef.h>
+@@ -141,7 +142,7 @@ static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
+ 	u16 tvlv_len = 0;
+ 	int ret;
+ 
+-	ASSERT_RTNL();
++	lockdep_assert_held(&bat_priv->bat_v.ogm_buff_mutex);
+ 
+ 	if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_DEACTIVATING)
+ 		goto out;
+@@ -242,11 +243,12 @@ static void batadv_v_ogm_send(struct work_struct *work)
+ 	struct batadv_priv_bat_v *bat_v;
+ 	struct batadv_priv *bat_priv;
+ 
+-	rtnl_lock();
+ 	bat_v = container_of(work, struct batadv_priv_bat_v, ogm_wq.work);
+ 	bat_priv = container_of(bat_v, struct batadv_priv, bat_v);
++
++	mutex_lock(&bat_priv->bat_v.ogm_buff_mutex);
+ 	batadv_v_ogm_send_softif(bat_priv);
+-	rtnl_unlock();
++	mutex_unlock(&bat_priv->bat_v.ogm_buff_mutex);
+ }
+ 
+ /**
+@@ -275,13 +277,15 @@ void batadv_v_ogm_primary_iface_set(struct batadv_hard_iface *primary_iface)
+ 	struct batadv_priv *bat_priv = netdev_priv(primary_iface->soft_iface);
+ 	struct batadv_ogm2_packet *ogm_packet;
+ 
+-	ASSERT_RTNL();
+-
++	mutex_lock(&bat_priv->bat_v.ogm_buff_mutex);
+ 	if (!bat_priv->bat_v.ogm_buff)
+-		return;
++		goto unlock;
+ 
+ 	ogm_packet = (struct batadv_ogm2_packet *)bat_priv->bat_v.ogm_buff;
+ 	ether_addr_copy(ogm_packet->orig, primary_iface->net_dev->dev_addr);
++
++unlock:
++	mutex_unlock(&bat_priv->bat_v.ogm_buff_mutex);
+ }
+ 
+ /**
+@@ -886,8 +890,6 @@ int batadv_v_ogm_init(struct batadv_priv *bat_priv)
+ 	unsigned char *ogm_buff;
+ 	u32 random_seqno;
+ 
+-	ASSERT_RTNL();
+-
+ 	bat_priv->bat_v.ogm_buff_len = BATADV_OGM2_HLEN;
+ 	ogm_buff = kzalloc(bat_priv->bat_v.ogm_buff_len, GFP_ATOMIC);
+ 	if (!ogm_buff)
+@@ -906,6 +908,8 @@ int batadv_v_ogm_init(struct batadv_priv *bat_priv)
+ 	atomic_set(&bat_priv->bat_v.ogm_seqno, random_seqno);
+ 	INIT_DELAYED_WORK(&bat_priv->bat_v.ogm_wq, batadv_v_ogm_send);
+ 
++	mutex_init(&bat_priv->bat_v.ogm_buff_mutex);
++
+ 	return 0;
+ }
+ 
+@@ -917,7 +921,11 @@ void batadv_v_ogm_free(struct batadv_priv *bat_priv)
+ {
+ 	cancel_delayed_work_sync(&bat_priv->bat_v.ogm_wq);
+ 
++	mutex_lock(&bat_priv->bat_v.ogm_buff_mutex);
++
+ 	kfree(bat_priv->bat_v.ogm_buff);
+ 	bat_priv->bat_v.ogm_buff = NULL;
+ 	bat_priv->bat_v.ogm_buff_len = 0;
++
++	mutex_unlock(&bat_priv->bat_v.ogm_buff_mutex);
+ }
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index 2489d5e403c1bcbcc9008f51303f7b1ea4753ea2..3d9704ce31b4a162c01a74021ef18d53d992d506 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -27,6 +27,7 @@
+ #include <linux/compiler.h>
+ #include <linux/if_ether.h>
+ #include <linux/kref.h>
++#include <linux/mutex.h>
+ #include <linux/netdevice.h>
+ #include <linux/netlink.h>
+ #include <linux/sched.h> /* for linux/wait.h */
+@@ -990,15 +991,17 @@ struct batadv_softif_vlan {
+ 
+ /**
+  * struct batadv_priv_bat_v - B.A.T.M.A.N. V per soft-interface private data
+- * @ogm_buff: buffer holding the OGM packet. rtnl protected
+- * @ogm_buff_len: length of the OGM packet buffer. rtnl protected
++ * @ogm_buff: buffer holding the OGM packet
++ * @ogm_buff_len: length of the OGM packet buffer
+  * @ogm_seqno: OGM sequence number - used to identify each OGM
++ * @ogm_buff_mutex: lock protecting ogm_buff and ogm_buff_len
+  * @ogm_wq: workqueue used to schedule OGM transmissions
+  */
+ struct batadv_priv_bat_v {
+ 	unsigned char *ogm_buff;
+ 	int ogm_buff_len;
+ 	atomic_t ogm_seqno;
++	struct mutex ogm_buff_mutex;
+ 	struct delayed_work ogm_wq;
+ };
+ 

batman-adv/patches/0073-batman-adv-Avoid-OGM-workqueue-synchronous-cancel-de.patch

@@ -0,0 +1,261 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 13 Oct 2019 21:03:07 +0200
+Subject: batman-adv: Avoid OGM workqueue synchronous cancel deadlock
+
+batadv_forw_packet_list_free can be called when an interface is being
+disabled. Under this circumstance, the rntl_lock will be held and while it
+calls cancel_delayed_work_sync.
+
+cancel_delayed_work_sync will stop the execution of the current context
+when the work item is currently processed. It can now happen that the
+cancel_delayed_work_sync was called when rtnl_lock was already called in
+batadv_iv_send_outstanding_bat_ogm_packet or when it was in the process of
+calling it. In this case, batadv_iv_send_outstanding_bat_ogm_packet waits
+for the lock and cancel_delayed_work_sync (which holds the rtnl_lock) is
+waiting for batadv_iv_send_outstanding_bat_ogm_packet to finish.
+
+This can only be avoided by not using (conflicting) blocking locks while
+cancel_delayed_work_sync is called. It also has the benefit that the
+ogm scheduling functionality can avoid unnecessary delays which can be
+introduced by a global lock.
+
+Fixes: 9b8ceef26c69 ("batman-adv: Avoid free/alloc race when handling OGM buffer")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/d3be478f1aa27b47f61c4a62e18eb063d47c9168
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index ccb60591a01886ceef22408e9387a8a3fda05a36..80fc960e656eb2f11f58fc8211235e033331bfd5 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -34,6 +34,7 @@
+ #include <linux/kref.h>
+ #include <linux/list.h>
+ #include <linux/lockdep.h>
++#include <linux/mutex.h>
+ #include <linux/netdevice.h>
+ #include <linux/netlink.h>
+ #include <linux/pkt_sched.h>
+@@ -41,7 +42,6 @@
+ #include <linux/random.h>
+ #include <linux/rculist.h>
+ #include <linux/rcupdate.h>
+-#include <linux/rtnetlink.h>
+ #include <linux/seq_file.h>
+ #include <linux/skbuff.h>
+ #include <linux/slab.h>
+@@ -371,7 +371,7 @@ static int batadv_iv_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
+ 	unsigned char *ogm_buff;
+ 	u32 random_seqno;
+ 
+-	ASSERT_RTNL();
++	mutex_lock(&hard_iface->bat_iv.ogm_buff_mutex);
+ 
+ 	/* randomize initial seqno to avoid collision */
+ 	get_random_bytes(&random_seqno, sizeof(random_seqno));
+@@ -379,8 +379,10 @@ static int batadv_iv_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
+ 
+ 	hard_iface->bat_iv.ogm_buff_len = BATADV_OGM_HLEN;
+ 	ogm_buff = kmalloc(hard_iface->bat_iv.ogm_buff_len, GFP_ATOMIC);
+-	if (!ogm_buff)
++	if (!ogm_buff) {
++		mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
+ 		return -ENOMEM;
++	}
+ 
+ 	hard_iface->bat_iv.ogm_buff = ogm_buff;
+ 
+@@ -392,41 +394,59 @@ static int batadv_iv_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
+ 	batadv_ogm_packet->reserved = 0;
+ 	batadv_ogm_packet->tq = BATADV_TQ_MAX_VALUE;
+ 
++	mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
++
+ 	return 0;
+ }
+ 
+ static void batadv_iv_ogm_iface_disable(struct batadv_hard_iface *hard_iface)
+ {
+-	ASSERT_RTNL();
++	mutex_lock(&hard_iface->bat_iv.ogm_buff_mutex);
+ 
+ 	kfree(hard_iface->bat_iv.ogm_buff);
+ 	hard_iface->bat_iv.ogm_buff = NULL;
++
++	mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
+ }
+ 
+ static void batadv_iv_ogm_iface_update_mac(struct batadv_hard_iface *hard_iface)
+ {
+ 	struct batadv_ogm_packet *batadv_ogm_packet;
+-	unsigned char *ogm_buff = hard_iface->bat_iv.ogm_buff;
++	void *ogm_buff;
+ 
+-	ASSERT_RTNL();
++	mutex_lock(&hard_iface->bat_iv.ogm_buff_mutex);
+ 
+-	batadv_ogm_packet = (struct batadv_ogm_packet *)ogm_buff;
++	ogm_buff = hard_iface->bat_iv.ogm_buff;
++	if (!ogm_buff)
++		goto unlock;
++
++	batadv_ogm_packet = ogm_buff;
+ 	ether_addr_copy(batadv_ogm_packet->orig,
+ 			hard_iface->net_dev->dev_addr);
+ 	ether_addr_copy(batadv_ogm_packet->prev_sender,
+ 			hard_iface->net_dev->dev_addr);
++
++unlock:
++	mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
+ }
+ 
+ static void
+ batadv_iv_ogm_primary_iface_set(struct batadv_hard_iface *hard_iface)
+ {
+ 	struct batadv_ogm_packet *batadv_ogm_packet;
+-	unsigned char *ogm_buff = hard_iface->bat_iv.ogm_buff;
++	void *ogm_buff;
+ 
+-	ASSERT_RTNL();
++	mutex_lock(&hard_iface->bat_iv.ogm_buff_mutex);
+ 
+-	batadv_ogm_packet = (struct batadv_ogm_packet *)ogm_buff;
++	ogm_buff = hard_iface->bat_iv.ogm_buff;
++	if (!ogm_buff)
++		goto unlock;
++
++	batadv_ogm_packet = ogm_buff;
+ 	batadv_ogm_packet->ttl = BATADV_TTL;
++
++unlock:
++	mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
+ }
+ 
+ /* when do we schedule our own ogm to be sent */
+@@ -925,7 +945,11 @@ batadv_iv_ogm_slide_own_bcast_window(struct batadv_hard_iface *hard_iface)
+ 	}
+ }
+ 
+-static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
++/**
++ * batadv_iv_ogm_schedule_buff() - schedule submission of hardif ogm buffer
++ * @hard_iface: interface whose ogm buffer should be transmitted
++ */
++static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
+ {
+ 	struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+ 	unsigned char **ogm_buff = &hard_iface->bat_iv.ogm_buff;
+@@ -936,11 +960,7 @@ static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
+ 	u16 tvlv_len = 0;
+ 	unsigned long send_time;
+ 
+-	ASSERT_RTNL();
+-
+-	if ((hard_iface->if_status == BATADV_IF_NOT_IN_USE) ||
+-	    (hard_iface->if_status == BATADV_IF_TO_BE_REMOVED))
+-		return;
++	lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex);
+ 
+ 	/* the interface gets activated here to avoid race conditions between
+ 	 * the moment of activating the interface in
+@@ -1008,6 +1028,17 @@ out:
+ 		batadv_hardif_put(primary_if);
+ }
+ 
++static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
++{
++	if (hard_iface->if_status == BATADV_IF_NOT_IN_USE ||
++	    hard_iface->if_status == BATADV_IF_TO_BE_REMOVED)
++		return;
++
++	mutex_lock(&hard_iface->bat_iv.ogm_buff_mutex);
++	batadv_iv_ogm_schedule_buff(hard_iface);
++	mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
++}
++
+ /**
+  * batadv_iv_ogm_orig_update - use OGM to update corresponding data in an
+  *  originator
+@@ -1792,12 +1823,16 @@ static void batadv_iv_ogm_process(const struct sk_buff *skb, int ogm_offset,
+ 	batadv_orig_node_put(orig_node);
+ }
+ 
+-static void
+-batadv_iv_send_outstanding_forw_packet(struct batadv_forw_packet *forw_packet)
++static void batadv_iv_send_outstanding_bat_ogm_packet(struct work_struct *work)
+ {
++	struct delayed_work *delayed_work;
++	struct batadv_forw_packet *forw_packet;
+ 	struct batadv_priv *bat_priv;
+ 	bool dropped = false;
+ 
++	delayed_work = to_delayed_work(work);
++	forw_packet = container_of(delayed_work, struct batadv_forw_packet,
++				   delayed_work);
+ 	bat_priv = netdev_priv(forw_packet->if_incoming->soft_iface);
+ 
+ 	if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_DEACTIVATING) {
+@@ -1826,20 +1861,6 @@ out:
+ 		batadv_forw_packet_free(forw_packet, dropped);
+ }
+ 
+-static void batadv_iv_send_outstanding_bat_ogm_packet(struct work_struct *work)
+-{
+-	struct delayed_work *delayed_work;
+-	struct batadv_forw_packet *forw_packet;
+-
+-	delayed_work = to_delayed_work(work);
+-	forw_packet = container_of(delayed_work, struct batadv_forw_packet,
+-				   delayed_work);
+-
+-	rtnl_lock();
+-	batadv_iv_send_outstanding_forw_packet(forw_packet);
+-	rtnl_unlock();
+-}
+-
+ static int batadv_iv_ogm_receive(struct sk_buff *skb,
+ 				 struct batadv_hard_iface *if_incoming)
+ {
+diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
+index 6d96ecd14fb0881e3384850bc34063b999fe5c93..0060d3cf2cfcad24fb26c190e588689e768584d5 100644
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -28,6 +28,7 @@
+ #include <linux/kernel.h>
+ #include <linux/kref.h>
+ #include <linux/list.h>
++#include <linux/mutex.h>
+ #include <linux/netdevice.h>
+ #include <linux/printk.h>
+ #include <linux/rculist.h>
+@@ -905,6 +906,7 @@ batadv_hardif_add_interface(struct net_device *net_dev)
+ 	INIT_LIST_HEAD(&hard_iface->list);
+ 	INIT_HLIST_HEAD(&hard_iface->neigh_list);
+ 
++	mutex_init(&hard_iface->bat_iv.ogm_buff_mutex);
+ 	spin_lock_init(&hard_iface->neigh_list_lock);
+ 	kref_init(&hard_iface->refcount);
+ 
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index 3d9704ce31b4a162c01a74021ef18d53d992d506..6854cb2b107024ad3588ac7eedd71339e529e4f8 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -79,14 +79,16 @@ enum batadv_dhcp_recipient {
+ 
+ /**
+  * struct batadv_hard_iface_bat_iv - per hard-interface B.A.T.M.A.N. IV data
+- * @ogm_buff: buffer holding the OGM packet. rtnl protected
+- * @ogm_buff_len: length of the OGM packet buffer. rtnl protected
++ * @ogm_buff: buffer holding the OGM packet
++ * @ogm_buff_len: length of the OGM packet buffer
+  * @ogm_seqno: OGM sequence number - used to identify each OGM
++ * @ogm_buff_mutex: lock protecting ogm_buff and ogm_buff_len
+  */
+ struct batadv_hard_iface_bat_iv {
+ 	unsigned char *ogm_buff;
+ 	int ogm_buff_len;
+ 	atomic_t ogm_seqno;
++	struct mutex ogm_buff_mutex;
+ };
+ 
+ /**

batman-adv/patches/0074-batman-adv-Fix-DAT-candidate-selection-on-little-end.patch

@@ -0,0 +1,43 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 28 Nov 2019 12:43:49 +0100
+Subject: batman-adv: Fix DAT candidate selection on little endian systems
+
+The distributed arp table is using a DHT to store and retrieve MAC address
+information for an IP address. This is done using unicast messages to
+selected peers. The potential peers are looked up using the IP address and
+the VID.
+
+While the IP address is always stored in big endian byte order, it is not
+the case of the VID. It can (depending on the host system) either be big
+endian or little endian. The host must therefore always convert it to big
+endian to ensure that all devices calculate the same peers for the same
+lookup data.
+
+Fixes: 3e26722bc9f2 ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/728aea06f38e0e4d70f4f7d43698187f7f7055c5
+
+diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
+index fcd38e48a6ea74bd91b0bdd874cb5e88e661e729..91e5bc6c99d40ec17b583dcb857b3c5a3a73453e 100644
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -243,6 +243,7 @@ static u32 batadv_hash_dat(const void *data, u32 size)
+ 	u32 hash = 0;
+ 	const struct batadv_dat_entry *dat = data;
+ 	const unsigned char *key;
++	__be16 vid;
+ 	u32 i;
+ 
+ 	key = (const unsigned char *)&dat->ip;
+@@ -252,7 +253,8 @@ static u32 batadv_hash_dat(const void *data, u32 size)
+ 		hash ^= (hash >> 6);
+ 	}
+ 
+-	key = (const unsigned char *)&dat->vid;
++	vid = htons(dat->vid);
++	key = (__force const unsigned char *)&vid;
+ 	for (i = 0; i < sizeof(dat->vid); i++) {
+ 		hash += key[i];
+ 		hash += (hash << 10);

batman-adv/patches/0075-batman-adv-Don-t-schedule-OGM-for-disabled-interface.patch

@@ -0,0 +1,37 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 16 Feb 2020 13:02:06 +0100
+Subject: batman-adv: Don't schedule OGM for disabled interface
+
+A transmission scheduling for an interface which is currently dropped by
+batadv_iv_ogm_iface_disable could still be in progress. The B.A.T.M.A.N. V
+is simply cancelling the workqueue item in an synchronous way but this is
+not possible with B.A.T.M.A.N. IV because the OGM submissions are
+intertwined.
+
+Instead it has to stop submitting the OGM when it detect that the buffer
+pointer is set to NULL.
+
+Reported-by: syzbot+a98f2016f40b9cd3818a@syzkaller.appspotmail.com
+Reported-by: syzbot+ac36b6a33c28a491e929@syzkaller.appspotmail.com
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Cc: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/a089c55ca004b396d340baae58abe9a79f32cc0f
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index 80fc960e656eb2f11f58fc8211235e033331bfd5..d21c88cecf2a54fbb88cd3d74d460278f5b4396b 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -962,6 +962,10 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
+ 
+ 	lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex);
+ 
++	/* interface already disabled by batadv_iv_ogm_iface_disable */
++	if (!*ogm_buff)
++		return;
++
+ 	/* the interface gets activated here to avoid race conditions between
+ 	 * the moment of activating the interface in
+ 	 * hardif_activate_interface() where the originator mac is set and

batmand/Makefile

@@ -9,26 +9,29 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=batmand
-PKG_REV:=1439
-PKG_VERSION:=r$(PKG_REV)
-PKG_RELEASE:=2
-PKG_EXTRA_CFLAGS=-DDEBUG_MALLOC -DMEMORY_USAGE -DPROFILE_DATA -DREVISION_VERSION=\"\ rv$(PKG_REV)\"
 
-PKG_SOURCE_PROTO:=svn
+PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=$(PKG_REV)
+PKG_SOURCE_URL:=git://git.open-mesh.org/batmand.git
-PKG_SOURCE_SUBDIR:=$(if $(PKG_BRANCH),$(PKG_BRANCH),$(PKG_NAME))-$(PKG_VERSION)
+PKG_REV:=b67a7087b51d7a5e90d27ac39116d1f57257c86e
-PKG_SOURCE_URL:=http://downloads.open-mesh.org/svn/batman/trunk/
+PKG_VERSION:=1440
-PKG_SOURCE:=$(PKG_SOURCE_SUBDIR).tar.gz
+PKG_RELEASE:=0
-PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/$(PKG_SOURCE_SUBDIR)
 PKG_LICENSE:=GPL-2.0
 
-PKG_KMOD_BUILD_DIR:=$(PKG_BUILD_DIR)/batman/linux/modules
+PKG_SOURCE_VERSION:=$(PKG_REV)
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE:=$(PKG_SOURCE_SUBDIR).tar.gz
+PKG_MIRROR_HASH:=ceb8e0e399f79b1b663594fcf9642e1efc40e696a7604daf709c77da9b6ec52f
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_SUBDIR)
+
+PKG_EXTRA_CFLAGS=-DDEBUG_MALLOC -DMEMORY_USAGE -DPROFILE_DATA -DREVISION_VERSION=\"\ rv$(PKG_REV)\" -D_GNU_SOURCE
+
+PKG_KMOD_BUILD_DIR:=$(PKG_BUILD_DIR)/linux/modules
 
 include $(INCLUDE_DIR)/package.mk
 
 define Package/batmand/Default
-  URL:=http://www.open-mesh.org/
+  URL:=https://www.open-mesh.org/
-  MAINTAINER:=Marek Lindner <lindner_marek@yahoo.de>
+  MAINTAINER:=Corinna "Elektra" Aichele <onelektra@gmx.net>
 endef
 
 define Package/batmand
@@ -44,19 +47,6 @@ define Package/batmand/description
 B.A.T.M.A.N. layer 3 routing daemon
 endef
 
-define Package/vis
-$(call Package/batmand/Default)
-  SECTION:=net
-  CATEGORY:=Network
-  SUBMENU:=Routing and Redirection
-  DEPENDS:=+libpthread
-  TITLE:=visualization server for B.A.T.M.A.N. layer 3
-endef
-        
-define Package/vis/description
-visualization server for B.A.T.M.A.N. layer 3
-endef
-
 define KernelPackage/batgat
 $(call Package/batmand/Default)
   SUBMENU:=Network Support
@@ -83,18 +73,6 @@ MAKE_BATMAND_ARGS += \
 	STRIP="/bin/true" \
 	batmand install
 
-MAKE_VIS_ARGS += \
-	EXTRA_CFLAGS='$(TARGET_CFLAGS) $(PKG_EXTRA_CFLAGS)' \
-	CCFLAGS="$(TARGET_CFLAGS)" \
-	OFLAGS="$(TARGET_CFLAGS)" \
-	REVISION="$(PKG_REV)" \
-	CC="$(TARGET_CC)" \
-	NODEBUG=1 \
-	UNAME="Linux" \
-	INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \
-	STRIP="/bin/true" \
-	vis install
-
 MAKE_BATGAT_ARGS += \
 	CROSS_COMPILE="$(TARGET_CROSS)" \
 	ARCH="$(LINUX_KARCH)" \
@@ -108,11 +86,7 @@ define Build/Configure
 endef
 
 ifneq ($(DEVELOPER)$(CONFIG_PACKAGE_batmand),)
-	BUILD_BATMAND := $(MAKE) -C $(PKG_BUILD_DIR)/batman $(MAKE_BATMAND_ARGS)
+	BUILD_BATMAND := $(MAKE) -C $(PKG_BUILD_DIR) $(MAKE_BATMAND_ARGS)
-endif
-
-ifneq ($(DEVELOPER)$(CONFIG_PACKAGE_vis),)
-	BUILD_VIS := $(MAKE) -C $(PKG_BUILD_DIR)/vis $(MAKE_VIS_ARGS)
 endif
 	
 ifneq ($(DEVELOPER)$(CONFIG_PACKAGE_kmod-batgat),)
@@ -121,7 +95,6 @@ endif
 	        
 define Build/Compile
 	$(BUILD_BATMAND)
-	$(BUILD_VIS)
 	cp $(PKG_KMOD_BUILD_DIR)/Makefile.kbuild $(PKG_KMOD_BUILD_DIR)/Makefile
 	$(BUILD_BATGAT)
 endef
@@ -137,17 +110,5 @@ define Package/batmand/conffiles
 /etc/config/batmand
 endef
 
-define Package/vis/install
-	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/config $(1)/etc/init.d
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/vis $(1)/usr/sbin/
-	$(INSTALL_BIN) ./files/etc/init.d/vis $(1)/etc/init.d
-	$(INSTALL_DATA) ./files/etc/config/vis $(1)/etc/config
-endef
-
-define Package/vis/conffiles
-/etc/config/vis
-endef
-
 $(eval $(call BuildPackage,batmand))
-$(eval $(call BuildPackage,vis))
 $(eval $(call KernelPackage,batgat))

batmand/patches/100-2.6.36.patch

@@ -2,8 +2,8 @@
  batman/linux/modules/gateway.c |   19 +++++++++++++++++++
  1 file changed, 19 insertions(+)
 
---- batmand-r1439.orig/batman/linux/modules/gateway.c
+--- batmand-r1439.orig/linux/modules/gateway.c
-+++ batmand-r1439/batman/linux/modules/gateway.c
++++ batmand-r1439/linux/modules/gateway.c
 @@ -29,6 +29,7 @@ static struct class *batman_class;
  static int batgat_open(struct inode *inode, struct file *filp);
  static int batgat_release(struct inode *inode, struct file *file);

bmx6/Makefile

@@ -28,12 +28,12 @@ PKG_NAME:=bmx6
 
 PKG_SOURCE_PROTO:=git
 
-#PKG_SOURCE_URL:=git://bmx6.net/bmx6.git
+PKG_SOURCE_URL:=git://github.com/bmx-routing/bmx6.git
-PKG_SOURCE_URL:=git://github.com/axn/bmx6.git
+#PKG_SOURCE_URL:=file:///usr/src/bmx-routing/bmx6.git
 
-PKG_REV:=2a87b770d3f9c254e3927dc159e2f425f2e0e83a
+PKG_REV:=4016a1980d900309771e432d1f7c741d6c48d477
-PKG_VERSION:=r2015080701
+PKG_VERSION:=r2018012901
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_LICENSE:=GPL-2.0
 
 PKG_SOURCE_VERSION:=$(PKG_REV)

bmx7/Makefile

@@ -27,12 +27,11 @@ PKG_NAME:=bmx7
 
 PKG_SOURCE_PROTO:=git
 
-#PKG_SOURCE_URL:=git://bmx6.net/bmx6.git
+PKG_SOURCE_URL:=git://github.com/bmx-routing/bmx7.git
-PKG_SOURCE_URL:=git://github.com/axn/bmx6.git
+#PKG_SOURCE_URL:=file:///usr/src/bmx-routing/bmx7.git
-#PKG_SOURCE_URL:=file:///usr/src/bmx6/bmx6.git
 
-PKG_REV:=589ee21b49d370056a24d8931d663626608f3c12
+PKG_REV:=0a82c7c10fef44b259b35e77ab33632aa132d219
-PKG_VERSION:=r2017011101
+PKG_VERSION:=r2018010601
 PKG_RELEASE:=4
 PKG_LICENSE:=GPL-2.0
 
@@ -45,7 +44,6 @@ include $(INCLUDE_DIR)/package.mk
 
 TARGET_CFLAGS += $(FPIC)
 
-#MAKE_ARGS += EXTRA_CFLAGS="$(TARGET_CFLAGS) -I. -I$(STAGING_DIR)/usr/include -DCRYPTLIB=POLARSSL_1_3_4 -DCORE_LIMIT=20000 -DTRAFFIC_DUMP -DNO_TRACE_FUNCTION_CALLS -DBMX7_LIB_IWINFO"
 MAKE_ARGS += EXTRA_CFLAGS="$(TARGET_CFLAGS) -I. -I$(STAGING_DIR)/usr/include -DCRYPTLIB=MBEDTLS_2_4_0 -DCORE_LIMIT=20000 -DTRAFFIC_DUMP -DNO_TRACE_FUNCTION_CALLS -DBMX7_LIB_IWINFO"
 
 MAKE_ARGS += \
@@ -60,9 +58,8 @@ define Package/bmx7/Default
   CATEGORY:=Network
   SUBMENU:=Routing and Redirection
   TITLE:=BMX7 layer 3 routing daemon
-  URL:=http://bmx6.net/
+  URL:=http://github.com/bmx-routing/bmx7
   MAINTAINER:=Axel Neumann <neumann@cgws.de>
-#  DEPENDS:=+zlib +libpolarssl +libiwinfo
   DEPENDS:=+zlib +libmbedtls +libiwinfo
 endef
 

bmx7/patches/001-json-c.patch

@@ -1,13 +0,0 @@
-Index: bmx7-r2014112401/lib/bmx7_json/json.c
-===================================================================
---- bmx7-r2014112401.orig/lib/bmx7_json/json.c
-+++ bmx7-r2014112401/lib/bmx7_json/json.c
-@@ -27,7 +27,7 @@
- #include <unistd.h>
- #include <fcntl.h>
- #include <stdint.h>
--#include <json/json.h>
-+#include <json-c/json.h>
- //#include <dirent.h>
- //#include <sys/inotify.h>
-