From e22362cc82508588ba310634b6334fb2cbace22e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 12 May 2020 13:54:01 +0200 Subject: [PATCH] 4.4-stable patches added patches: batman-adv-fix-batadv_nc_random_weight_tq.patch --- ...n-adv-fix-batadv_nc_random_weight_tq.patch | 66 +++++++++++++++++++ queue-4.4/series | 1 + 2 files changed, 67 insertions(+) create mode 100644 queue-4.4/batman-adv-fix-batadv_nc_random_weight_tq.patch diff --git a/queue-4.4/batman-adv-fix-batadv_nc_random_weight_tq.patch b/queue-4.4/batman-adv-fix-batadv_nc_random_weight_tq.patch new file mode 100644 index 00000000000..2f9f7d905a6 --- /dev/null +++ b/queue-4.4/batman-adv-fix-batadv_nc_random_weight_tq.patch @@ -0,0 +1,66 @@ +From fd0c42c4dea54335967c5a86f15fc064235a2797 Mon Sep 17 00:00:00 2001 +From: George Spelvin +Date: Sun, 8 Mar 2020 09:44:59 -0400 +Subject: batman-adv: fix batadv_nc_random_weight_tq + +From: George Spelvin + +commit fd0c42c4dea54335967c5a86f15fc064235a2797 upstream. + +and change to pseudorandom numbers, as this is a traffic dithering +operation that doesn't need crypto-grade. + +The previous code operated in 4 steps: + +1. Generate a random byte 0 <= rand_tq <= 255 +2. Multiply it by BATADV_TQ_MAX_VALUE - tq +3. Divide by 255 (= BATADV_TQ_MAX_VALUE) +4. Return BATADV_TQ_MAX_VALUE - rand_tq + +This would apperar to scale (BATADV_TQ_MAX_VALUE - tq) by a random +value between 0/255 and 255/255. + +But! The intermediate value between steps 3 and 4 is stored in a u8 +variable. So it's truncated, and most of the time, is less than 255, after +which the division produces 0. Specifically, if tq is odd, the product is +always even, and can never be 255. If tq is even, there's exactly one +random byte value that will produce a product byte of 255. + +Thus, the return value is 255 (511/512 of the time) or 254 (1/512 +of the time). + +If we assume that the truncation is a bug, and the code is meant to scale +the input, a simpler way of looking at it is that it's returning a random +value between tq and BATADV_TQ_MAX_VALUE, inclusive. + +Well, we have an optimized function for doing just that. + +Fixes: 3c12de9a5c75 ("batman-adv: network coding - code and transmit packets if possible") +Signed-off-by: George Spelvin +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/network-coding.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/net/batman-adv/network-coding.c ++++ b/net/batman-adv/network-coding.c +@@ -991,15 +991,8 @@ static struct batadv_nc_path *batadv_nc_ + */ + static u8 batadv_nc_random_weight_tq(u8 tq) + { +- u8 rand_val, rand_tq; +- +- get_random_bytes(&rand_val, sizeof(rand_val)); +- + /* randomize the estimated packet loss (max TQ - estimated TQ) */ +- rand_tq = rand_val * (BATADV_TQ_MAX_VALUE - tq); +- +- /* normalize the randomized packet loss */ +- rand_tq /= BATADV_TQ_MAX_VALUE; ++ u8 rand_tq = prandom_u32_max(BATADV_TQ_MAX_VALUE + 1 - tq); + + /* convert to (randomized) estimated tq again */ + return BATADV_TQ_MAX_VALUE - rand_tq; diff --git a/queue-4.4/series b/queue-4.4/series index 0ea26bebea8..3f2e5dece22 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -12,3 +12,4 @@ x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch revert-ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch usb-uas-add-quirk-for-lacie-2big-quadra.patch usb-serial-garmin_gps-add-sanity-checking-for-data-length.patch +batman-adv-fix-batadv_nc_random_weight_tq.patch -- 2.47.3