From: Sven Eckelmann
Date: Sun, 03 May 2026 14:22:34 +0200
Subject: [PATCH batadv 1/8] batman-adv: tp_meter: fix tp_num leak on kmalloc failure
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260503-fixes-followup-v1-1-4313278918d3@narfation.org>
References: <20260503-fixes-followup-v1-0-4313278918d3@narfation.org>
In-Reply-To: <20260503-fixes-followup-v1-0-4313278918d3@narfation.org>
To: Marek Lindner, Simon Wunderlich, Antonio Quartulli, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Ao Zhou, Haoze Xie, Jiexun Wang, Juefei Pu, Luxing Yin, Ren Wei, Ruide Cao, Xin Liu, Yifan Wu, Yuan Tan, Sven Eckelmann, stable@kernel.org
X-Mailer: b4 0.15.2
X-Developer-Key: i=sven@narfation.org; a=openpgp; fpr=522D7163831C73A635D12FE5EC371482956781AF

When batadv_tp_start() or batadv_tp_init_recv() fails to allocate a new tp_vars object, the previously incremented bat_priv->tp_num counter is never decremented. This causes tp_num to drift upward on each allocation failure. Since only BATADV_TP_MAX_NUM sessions can be started and the count is never reduced for these failed allocations, it causes an exhaustion of throughput meter sessions. In the worst case, no new throughput meter session can be started until the mesh interface is removed.

The error handling must decrement tp_num releasing the lock and aborting the creation of a throughput meter session.

Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann
--- net/batman-adv/tp_meter.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c index 58ca59a2799e..066c76113fc4 100644 --- a/net/batman-adv/tp_meter.c +++ b/net/batman-adv/tp_meter.c @@ -994,6 +994,7 @@ void batadv_tp_start(struct batadv_priv *bat_priv, cons= t u8 *dst, =20 tp_vars =3D kmalloc_obj(*tp_vars, GFP_ATOMIC); if (!tp_vars) { + atomic_dec(&bat_priv->tp_num); spin_unlock_bh(&bat_priv->tp_list_lock); batadv_dbg(BATADV_DBG_TP_METER, bat_priv, "Meter: %s cannot allocate list elements\n", 
@@ -1366,8 +1367,10 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv, } =20 tp_vars =3D kmalloc_obj(*tp_vars, GFP_ATOMIC); - if (!tp_vars) + if (!tp_vars) { + atomic_dec(&bat_priv->tp_num); goto out_unlock; + } =20 ether_addr_copy(tp_vars->other_end, icmp->orig); tp_vars->role =3D BATADV_TP_RECEIVER; --=20 2.47.3
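
Review bot: The new atomic_dec(&bat_priv->tp_num) in the !tp_vars branches of batadv_tp_start() and batadv_tp_init_recv() undoes an increment that neither hunk shows, so the pairing cannot be checked from the patch alone. Please name the increment site in the commit message and confirm that no other exit between it and the list insertion skips the decrement; a short comment next to each atomic_dec() saying which increment it reverts would keep the two error paths from drifting apart again. The message's phrase "must decrement tp_num releasing the lock" also reads as if a word is missing: the first hunk places the decrement before spin_unlock_bh(&bat_priv->tp_list_lock), so "before releasing the lock" would match the code.
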
From: Sven Eckelmann
Date: Sun, 03 May 2026 14:22:35 +0200
Subject: [PATCH batadv 2/8] batman-adv: bla: prevent use-after-free when deleting claims
Message-Id: <20260503-fixes-followup-v1-2-4313278918d3@narfation.org>

When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann
--- net/batman-adv/bridge_loop_avoidance.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge= _loop_avoidance.c index 51fe028b9088..8b77dd2ecfa4 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c 
@@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct batadv_bla_backbo= ne_gw *backbone_gw) if (claim->backbone_gw !=3D backbone_gw) continue; =20 - batadv_claim_put(claim); hlist_del_rcu(&claim->hash_entry); + batadv_claim_put(claim); } spin_unlock_bh(list_lock); } --=20 2.47.3
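
Review bot: In batadv_bla_del_backbone_claims() the corrected order, hlist_del_rcu(&claim->hash_entry) followed by batadv_claim_put(claim), depends on the put being the last access to claim in the loop body, and nothing in the code says so. A one-line comment above batadv_claim_put(claim) stating that it drops the hash list's reference and must stay after the final use of claim would stop a later cleanup from swapping the two lines back. The hunk does not show the loop head, so it is also worth confirming that the iterator does not read claim->hash_entry after the put.
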
From: Sven Eckelmann
Date: Sun, 03 May 2026 14:22:36 +0200
Subject: [PATCH batadv 3/8] batman-adv: bla: only purge non-released claims
Message-Id: <20260503-fixes-followup-v1-3-4313278918d3@narfation.org>

When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr dereference.

To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann
--- net/batman-adv/bridge_loop_avoidance.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge= _loop_avoidance.c index 8b77dd2ecfa4..9dbf945b4922 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -1288,6 +1288,13 @@ static void batadv_bla_purge_claims(struct batadv_pr= iv *bat_priv, =20 rcu_read_lock(); hlist_for_each_entry_rcu(claim, head, hash_entry) { + /* only purge claims not currently in the process of being released. + * Such claims could otherwise have a NULL-ptr* backbone_gw set because + * they already went through batadv_handle_unclaim() + */ + if (!kref_get_unless_zero(&claim->refcount)) + continue; + backbone_gw =3D batadv_bla_claim_get_backbone_gw(claim); if (now) goto purge_now; 
@@ -1313,6 +1320,7 @@ static void batadv_bla_purge_claims(struct batadv_pri= v *bat_priv, claim->addr, claim->vid); skip: batadv_backbone_gw_put(backbone_gw); + batadv_claim_put(claim); } rcu_read_unlock(); } --=20 2.47.3
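
Review bot: The comment added above kref_get_unless_zero(&claim->refcount) says such claims "already went through batadv_handle_unclaim()", while the commit message attributes the NULL backbone_gw to batadv_claim_release(); one of the two should be corrected so the comment names the function that actually clears the pointer, and the stray "*" in "NULL-ptr* backbone_gw" should go. The matching batadv_claim_put(claim) is added only after the skip: label, so every path through the loop body that took the reference must reach skip:. The hunks show goto purge_now but not the code between them, so please confirm there is no continue in between that would leak the new reference.
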
From: Sven Eckelmann
Date: Sun, 03 May 2026 14:22:37 +0200
Subject: [PATCH batadv 4/8] batman-adv: tt: fix negative tt_buff_len
Message-Id: <20260503-fixes-followup-v1-4-4313278918d3@narfation.org>

batadv_orig_node::tt_buff_len was declared as s16, but the field is never intended to hold a negative value. When a value greater than 32767 is assigned, it wraps to a negative signed integer. In batadv_send_other_tt_response(), tt_buff_len is temporarily widened to s32. The incorrectly negative s16 value propagates into the s32, causing batadv_tt_prepare_tvlv_global_data() to allocate a full sized buffer but populate only a small portion of it with the collected changeset. All remaining bits are kept uninitialized.

Using a u16 avoids this type confusion and ensures that no (negative) sign extension is performed in batadv_send_other_tt_response().

Cc: stable@kernel.org
Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
Signed-off-by: Sven Eckelmann
--- net/batman-adv/types.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h index daa06f421154..0f3814b458cc 100644 --- a/net/batman-adv/types.h +++ b/net/batman-adv/types.h 
@@ -452,7 +452,7 @@ struct batadv_orig_node { * @tt_buff_len: length of the last tt changeset this node received * from the orig node */ - s16 tt_buff_len; + u16 tt_buff_len; =20 /** @tt_buff_lock: lock that protects tt_buff and tt_buff_len */ spinlock_t tt_buff_lock; --=20 2.47.3
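
Review bot: Changing tt_buff_len from s16 to u16 in struct batadv_orig_node removes the sign extension, but the hunk does not touch the places where the field is assigned, so a length above 65535 would now be truncated silently instead of turning negative. If such a length can reach the assignment, a bounds check there is needed as well; if it cannot, the kernel-doc line for @tt_buff_len is a good place to state the maximum the field is expected to hold.
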
From: Sven Eckelmann
Date: Sun, 03 May 2026 14:22:38 +0200
Subject: [PATCH batadv 5/8] batman-adv: tt: reject oversized local TVLV buffers
Message-Id: <20260503-fixes-followup-v1-5-4313278918d3@narfation.org>

The commit 3a359bf5c61d ("batman-adv: reject oversized global TT response buffers") added a check to ensure that a global return buffer size can be stored in a u16. The same buffer handling also exists for the local data buffer but was not touched. A similar check should also be in place for the local TVLV buffer. It doesn't have the similar attack surface because it is only generated from locally discovered MAC addresses but the dynamic nature could still cause temporarily too large buffers.

Cc: stable@kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Sven Eckelmann
--- net/batman-adv/translation-table.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translatio= n-table.c index 05cddcf994f6..06548dae1039 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -877,12 +877,12 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv = *bat_priv, { struct batadv_tvlv_tt_vlan_data *tt_vlan; struct batadv_meshif_vlan *vlan; + size_t change_offset; u16 num_vlan =3D 0; u16 vlan_entries =3D 0; u16 total_entries =3D 0; u16 tvlv_len; u8 *tt_change_ptr; - int change_offset; =20 spin_lock_bh(&bat_priv->meshif_vlan_list_lock); hlist_for_each_entry(vlan, &bat_priv->meshif_vlan_list, list) { 
@@ -900,8 +900,10 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *= bat_priv, if (*tt_len < 0) *tt_len =3D batadv_tt_len(total_entries); =20 - tvlv_len =3D *tt_len; - tvlv_len +=3D change_offset; + if (check_add_overflow(*tt_len, change_offset, &tvlv_len)) { + tvlv_len =3D 0; + goto out; + } =20 *tt_data =3D kmalloc(tvlv_len, GFP_ATOMIC); if (!*tt_data) { --=20 2.47.3
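
Review bot: The overflow branch in the second hunk sets tvlv_len = 0 and jumps to out, but the out label lies outside the visible context, while the first hunk shows spin_lock_bh(&bat_priv->meshif_vlan_list_lock) being taken earlier in batadv_tt_prepare_tvlv_local_data(). Please confirm that out releases that lock and that whatever consumes tvlv_len after out treats 0 as failure without touching *tt_data. Since *tt_len is signed (it is compared with < 0 just above) and change_offset is now size_t, a short comment that check_add_overflow() is meant to catch any result that does not fit the u16 tvlv_len would make the mixed-type call easier to read.
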
From: Sven Eckelmann
Date: Sun, 03 May 2026 14:22:39 +0200
Subject: [PATCH batadv 6/8] batman-adv: tt: fix TOCTOU race for reported vlans
Message-Id: <20260503-fixes-followup-v1-6-4313278918d3@narfation.org>

The local TT based TVLV is generated by first checking the number of VLANs which have at least one TT entry. A new buffer with the correct size for the VLANs is then allocated. Only then, the list of VLANs is used to fill the VLAN entries in the buffer. During this time, the meshif_vlan_list_lock is held. But the actual number of TT entries of each VLAN can still increase during this time - just not the number of VLANs in the list.

But the prefilter used in the buffer size calculation might still cause an increase of the number of VLANs which need to be stored. Simply because a VLAN might now suddenly have at least one entry when it had none in the pre-alloc check - and then needs to occupy space which was not allocated. It is better to overestimate the buffer size at the beginning and then fill the buffer only with the VLANs which are not empty.

Cc: stable@kernel.org
Fixes: 16116dac2339 ("batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs")
Signed-off-by: Sven Eckelmann
--- net/batman-adv/translation-table.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translatio= n-table.c index 06548dae1039..f5b9143c803a 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -887,11 +887,8 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *= bat_priv, spin_lock_bh(&bat_priv->meshif_vlan_list_lock); hlist_for_each_entry(vlan, &bat_priv->meshif_vlan_list, list) { vlan_entries =3D atomic_read(&vlan->tt.num_entries); - if (vlan_entries < 1) - continue; - - num_vlan++; total_entries +=3D vlan_entries; + num_vlan++; } =20 change_offset =3D struct_size(*tt_data, vlan_data, num_vlan); @@ -913,9 +910,9 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *b= at_priv, =20 (*tt_data)->flags =3D BATADV_NO_FLAGS; (*tt_data)->ttvn =3D atomic_read(&bat_priv->tt.vn); - (*tt_data)->num_vlan =3D htons(num_vlan); =20 tt_vlan =3D (*tt_data)->vlan_data; + num_vlan =3D 0; hlist_for_each_entry(vlan, &bat_priv->meshif_vlan_list, list) { vlan_entries =3D atomic_read(&vlan->tt.num_entries); if (vlan_entries < 1) 
@@ -926,8 +923,15 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *= bat_priv, tt_vlan->reserved =3D 0; =20 tt_vlan++; + num_vlan++; } =20 + /* recalculate in case number of VLANs reduced */ + change_offset =3D struct_size(*tt_data, vlan_data, num_vlan); + tvlv_len =3D *tt_len + change_offset; + + (*tt_data)->num_vlan =3D htons(num_vlan); + tt_change_ptr =3D (u8 *)*tt_data + change_offset; *tt_change =3D (struct batadv_tvlv_tt_change *)tt_change_ptr; =20 --=20 2.47.3
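
Review bot: In the @@ -913,9 +910,9 hunk of 6/8, "num_vlan = 0;" throws away the slot count that sized the allocation, so the fill loop that follows has nothing to check its writes against and depends entirely on meshif_vlan_list_lock keeping the list identical between the counting pass and the fill pass. Keep the first-pass count in a separate variable and stop (or WARN) before tt_vlan advances past that many slots; a later locking change would then show up as a detectable failure rather than a write beyond vlan_data.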
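
Review bot: The comment "/* recalculate in case number of VLANs reduced */" in the @@ -926,8 +923,15 hunk of 6/8 reads as if the VLAN list could shrink, while the commit message says the list cannot change under the lock. What shrinks is the number of slots written, because the fill loop skips every VLAN with vlan_entries < 1. Say that in the comment, and add that the recomputed change_offset and tvlv_len can only be less than or equal to the values computed before the allocation, since that is the property that keeps tt_change_ptr inside the buffer.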
From: Sven Eckelmann
Date: Sun, 03 May 2026 14:22:40 +0200
Subject: [PATCH batadv 7/8] batman-adv: tt: avoid empty VLAN responses
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260503-fixes-followup-v1-7-4313278918d3@narfation.org>
References: <20260503-fixes-followup-v1-0-4313278918d3@narfation.org>
In-Reply-To: <20260503-fixes-followup-v1-0-4313278918d3@narfation.org>
To: Marek Lindner, Simon Wunderlich, Antonio Quartulli, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Ao Zhou, Haoze Xie, Jiexun Wang, Juefei Pu, Luxing Yin, Ren Wei, Ruide Cao, Xin Liu, Yifan Wu, Yuan Tan, Sven Eckelmann, stable@kernel.org
X-Mailer: b4 0.15.2
X-Developer-Key: i=sven@narfation.org; a=openpgp; fpr=522D7163831C73A635D12FE5EC371482956781AF

The commit 16116dac2339 ("batman-adv: prevent TT request storms by not
sending inconsistent TT TLVLs") added checks to the local (direct) TT
response code. But the response can also be done indirectly by another node
using the global TT state. To avoid such inconsistency states reported in
the original fix, also avoid sending empty VLANs for replies from the
global TT state.

Cc: stable@kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Sven Eckelmann
---
 net/batman-adv/translation-table.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translatio= n-table.c index f5b9143c803a..5a005d4e6cc6 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -797,24 +797,26 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig= _node *orig_node, s32 *tt_len) { u16 num_vlan =3D 0; - u16 num_entries =3D 0; u16 tvlv_len =3D 0; unsigned int change_offset; struct batadv_tvlv_tt_vlan_data *tt_vlan; struct batadv_orig_node_vlan *vlan; + u16 total_entries =3D 0; u8 *tt_change_ptr; + int vlan_entries; =20 spin_lock_bh(&orig_node->vlan_list_lock); hlist_for_each_entry(vlan, &orig_node->vlan_list, list) { + vlan_entries =3D atomic_read(&vlan->tt.num_entries); + total_entries +=3D vlan_entries; num_vlan++; - num_entries +=3D atomic_read(&vlan->tt.num_entries); } =20 change_offset =3D struct_size(*tt_data, vlan_data, num_vlan); =20 /* if tt_len is negative, allocate the space needed by the full table */ if (*tt_len < 0) - *tt_len =3D batadv_tt_len(num_entries); + *tt_len =3D batadv_tt_len(total_entries); =20 if (change_offset > U16_MAX || *tt_len > U16_MAX - change_offset) { *tt_len =3D 0;
@@ -832,17 +834,28 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig= _node *orig_node, =20 (*tt_data)->flags =3D BATADV_NO_FLAGS; (*tt_data)->ttvn =3D atomic_read(&orig_node->last_ttvn); - (*tt_data)->num_vlan =3D htons(num_vlan); =20 tt_vlan =3D (*tt_data)->vlan_data; + num_vlan =3D 0; hlist_for_each_entry(vlan, &orig_node->vlan_list, list) { + vlan_entries =3D atomic_read(&vlan->tt.num_entries); + if (vlan_entries < 1) + continue; + tt_vlan->vid =3D htons(vlan->vid); tt_vlan->crc =3D htonl(vlan->tt.crc); tt_vlan->reserved =3D 0; =20 tt_vlan++; + num_vlan++; } =20 + /* recalculate in case number of VLANs reduced */ + change_offset =3D struct_size(*tt_data, vlan_data, num_vlan); + tvlv_len =3D *tt_len + change_offset; + + (*tt_data)->num_vlan =3D htons(num_vlan); + tt_change_ptr =3D (u8 *)*tt_data + change_offset; *tt_change =3D (struct batadv_tvlv_tt_change *)tt_change_ptr; =20 --=20 2.47.3
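
Review bot: With the "vlan_entries < 1" filter added in the @@ -832,17 +834,28 hunk of 7/8, an originator whose VLANs are all empty ends the fill loop with num_vlan == 0, and the function still goes on to set (*tt_data)->num_vlan and tt_change_ptr for a reply that carries no VLAN data. The subject says empty VLAN responses are to be avoided, so either state in the commit message that a reply with zero VLANs is acceptable to receivers, or bail out when the loop wrote nothing, the way the existing U16_MAX check in the first hunk does with "*tt_len = 0".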
From: Sven Eckelmann
Date: Sun, 03 May 2026 14:22:41 +0200
Subject: [PATCH batadv 8/8] batman-adv: tt: prevent TVLV entry number overflow
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260503-fixes-followup-v1-8-4313278918d3@narfation.org>
References: <20260503-fixes-followup-v1-0-4313278918d3@narfation.org>
In-Reply-To: <20260503-fixes-followup-v1-0-4313278918d3@narfation.org>
To: Marek Lindner, Simon Wunderlich, Antonio Quartulli, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Ao Zhou, Haoze Xie, Jiexun Wang, Juefei Pu, Luxing Yin, Ren Wei, Ruide Cao, Xin Liu, Yifan Wu, Yuan Tan, Sven Eckelmann, stable@kernel.org
X-Mailer: b4 0.15.2
X-Developer-Key: i=sven@narfation.org; a=openpgp; fpr=522D7163831C73A635D12FE5EC371482956781AF

The helpers to prepare the buffers for the local and global TT based
replies are trying to sum up all TT entries which can be found for each
VLAN. In theory, this sum can be too big for a u16 and therefore overflow.
A too small buffer would then be allocated for the TVLV.

The too small buffer will be handled gracefully by
batadv_tt_tvlv_generate() and is not causing a buffer overflow - just a
truncated reply. But this overflow shouldn't have happened in the first
place and the too small buffer should never have been allocated when an
overflow was detected.
Cc: stable@kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Sven Eckelmann
---
 net/batman-adv/translation-table.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translatio= n-table.c index 5a005d4e6cc6..630ae8a66beb 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -804,11 +804,18 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig= _node *orig_node, u16 total_entries =3D 0; u8 *tt_change_ptr; int vlan_entries; + u16 sum_entries; =20 spin_lock_bh(&orig_node->vlan_list_lock); hlist_for_each_entry(vlan, &orig_node->vlan_list, list) { vlan_entries =3D atomic_read(&vlan->tt.num_entries); - total_entries +=3D vlan_entries; + + if (check_add_overflow(vlan_entries, total_entries, &sum_entries)) { + *tt_len =3D 0; + goto out; + } + + total_entries =3D sum_entries; num_vlan++; } =20 @@ -896,11 +903,18 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv = *bat_priv, u16 total_entries =3D 0; u16 tvlv_len; u8 *tt_change_ptr; + u16 sum_entries; =20 spin_lock_bh(&bat_priv->meshif_vlan_list_lock); hlist_for_each_entry(vlan, &bat_priv->meshif_vlan_list, list) { vlan_entries =3D atomic_read(&vlan->tt.num_entries); - total_entries +=3D vlan_entries; + + if (check_add_overflow(vlan_entries, total_entries, &sum_entries)) { + tvlv_len =3D 0; + goto out; + } + + total_entries =3D sum_entries; num_vlan++; } =20 --=20 2.47.3
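
Review bot: check_add_overflow(vlan_entries, total_entries, &sum_entries) in the @@ -804,11 +804,18 hunk of 8/8 mixes an int operand (vlan_entries) with a u16 operand and a u16 destination. Because the patch is Cc: stable, confirm that check_add_overflow() in every target tree accepts operands of different types, or make the types match explicitly. If the mixed-type form is intended, say in the commit message that it also rejects a negative atomic_read() result, since that is a second failure case the text does not mention.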
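
Review bot: The two error paths in 8/8 are not symmetric: the global helper sets "*tt_len = 0" before "goto out", while the local helper in the @@ -896,11 +903,18 hunk sets only "tvlv_len = 0" and leaves *tt_len as the caller passed it. Both jumps happen inside the hlist_for_each_entry() loop with the list spinlock taken by spin_lock_bh() a few lines earlier, and the out: label lies outside the visible context, so please confirm that it releases the lock and that callers of the local helper test the returned length rather than *tt_len; otherwise zero *tt_len here as well.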