Re: [PATCH RFC batadv v2 4/5] batman-adv: limit numbers of parallel learned BLA backbones

[Simon Wunderlich <sw@simonwunderlich.de>]

This looks mostly good and I like the approach in general!

commit message: batman-adv: limit numbers of parallel learned BLA backbones

numbers -> number

On Tuesday, May 19, 2026 9:02:18 AM Central European Summer Time Sven 
Eckelmann wrote:
> A malicious actor behind one bridge port may spam the kernel with OGMs with
> a random source MAC address, each of which will create a BLA backbone, each
> of which is a dynamic allocation in the kernel. This will at some point
> exhaust the available memory.

To get backbone gateways, spamming OGMs is not sufficient (or not even 
necessary), but BLA claims and/or BLA announcements need to be sent (with the 
same group ID or need to exist on the mesh) on the backbone Ethernet. 

Just sending OGMs will not create backbone GWs, so I think this commit message 
needs to be revised (you already said it's a placeholder, so I think those are 
the specifics for this counter ;] ).

> 
> Mitigate this by maintaining a per meshif count of those automatically
> generated entries in orig_learned, and a limit in orig_max_learned. If the
> limit is hit new entries are not learned anymore.
> 
> For backwards compatibility, the default setting of 0 disables the limit.
> 
> Signed-off-by: Sven Eckelmann <sven@narfation.org>
> [...]
> ---
>  include/uapi/linux/batman_adv.h        |  6 ++++++
>  net/batman-adv/bridge_loop_avoidance.c | 11 +++++++++++
>  net/batman-adv/mesh-interface.c        |  3 +++
>  net/batman-adv/netlink.c               | 10 ++++++++++
>  net/batman-adv/types.h                 |  6 ++++++
>  5 files changed, 36 insertions(+)
> 
> diff --git a/include/uapi/linux/batman_adv.h
> b/include/uapi/linux/batman_adv.h index cca87d42..4188d83c 100644
> --- a/include/uapi/linux/batman_adv.h
> +++ b/include/uapi/linux/batman_adv.h
> @@ -499,6 +499,12 @@ enum batadv_nl_attrs {
>  	 */
>  	BATADV_ATTR_DAT_MAX_LEARNED,
> 
> +	/**
> +	 * @BATADV_ATTR_BLA_BACKBONE_MAX_LEARNED: defines the maximum 
number of
> BLA backbone 

number of BLA backbones (add the s)

> +	 * which can be learned in parallel
> +	 */
> +	BATADV_ATTR_BLA_BACKBONE_MAX_LEARNED,
> +
>  	/* add attributes above here, update the policy in netlink.c */
> 
>  	/**
> diff --git a/net/batman-adv/bridge_loop_avoidance.c
> b/net/batman-adv/bridge_loop_avoidance.c index cec11f12..8bb8dec6 100644
> --- a/net/batman-adv/bridge_loop_avoidance.c
> +++ b/net/batman-adv/bridge_loop_avoidance.c
> @@ -494,6 +494,8 @@ batadv_bla_get_backbone_gw(struct batadv_priv *bat_priv,
> const u8 *orig, {
>  	struct batadv_bla_backbone_gw *entry;
>  	struct batadv_orig_node *orig_node;
> +	u32 bla_backbone_max_learned;
> +	int bla_backbone_learned;
>  	int hash_added;
> 
>  	entry = batadv_backbone_hash_find(bat_priv, orig, vid);
> @@ -505,6 +507,11 @@ batadv_bla_get_backbone_gw(struct batadv_priv
> *bat_priv, const u8 *orig, "%s(): not found (%pM, %d), creating new
> entry\n", __func__, orig, batadv_print_vid(vid));
> 
> +	bla_backbone_max_learned = READ_ONCE(bat_priv-
>bla_backbone_max_learned);
> +	bla_backbone_learned = atomic_read(&bat_priv-
>bla_backbone_learned);
> +	if (bla_backbone_max_learned && bla_backbone_learned >=
> bla_backbone_max_learned) +		return NULL;
> +

I think we should always allow "own backbones" to pass. This could be done by 
adding an exception in this check.

If (for some, probably unlikely reason) an attacker fills up the table before 
the own backbone is registered, this may create problems on many other 
occurences.

>  	entry = kzalloc_obj(*entry, GFP_ATOMIC);
>  	if (!entry)
>  		return NULL;

> --- a/net/batman-adv/types.h
> +++ b/net/batman-adv/types.h
> @@ -1656,6 +1656,12 @@ struct batadv_priv {
>  	atomic_t orig_learned;
> 
>  #ifdef CONFIG_BATMAN_ADV_BLA
> +	/** @bla_backbone_max_learned: Maximum number of backbone_gw */
> +	u32 bla_backbone_max_learned;
> +
> +	/** @bla_backbone_learned: current number of learned backbone_gw 
entries
> */ +	atomic_t bla_backbone_learned;
> +

should this go into batadv_priv_bla or along the other counters in 
batadv_priv? I'm fine either way.

Thank you!
        Simon

>  	/** @bla: bridge loop avoidance data */
>  	struct batadv_priv_bla bla;
>  #endif