* [PATCH] batman-adv: Release references to inactive interfaces
@ 2025-09-27 18:01 Sven Eckelmann
2025-10-17 11:18 ` Tetsuo Handa
0 siblings, 1 reply; 3+ messages in thread
From: Sven Eckelmann @ 2025-09-27 18:01 UTC (permalink / raw)
To: b.a.t.m.a.n; +Cc: syzbot+881d65229ca4f9ae8c84, Tetsuo Handa
Trying to dump the originators or the neighbors via netlink for a meshif
with an inactive primary interface is not allowed. The dump functions were
checking this correctly but they didn't handle non-existing primary
interfaces and existing _inactive_ interfaces differently.
(Primary) batadv_hard_ifaces hold a reference to a net_device. And
accessing them is only allowed when either being in an RCU/spinlock
protected section or when holding a valid reference to them. The netlink
dump functions use the latter.
But because of the missing specific error handling for inactive primary
interfaces, the reference was never dropped. This reference counting error
was only detected when the interface should have been removed from the
system:
unregister_netdevice: waiting for batadv_slave_0 to become free. Usage count = 2
Fixes: 50eddf397ac3 ("batman-adv: netlink: reduce duplicate code by returning interfaces")
Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
net/batman-adv/originator.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
index c84420cb410d5d948c6612cf27e320e7e0af017e..a662408ad8673c3f5532201bb6e47caa5779b627 100644
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -763,11 +763,16 @@ int batadv_hardif_neigh_dump(struct sk_buff *msg, struct netlink_callback *cb)
bat_priv = netdev_priv(mesh_iface);
primary_if = batadv_primary_if_get_selected(bat_priv);
- if (!primary_if || primary_if->if_status != BATADV_IF_ACTIVE) {
+ if (!primary_if) {
ret = -ENOENT;
goto out_put_mesh_iface;
}
+ if (primary_if->if_status != BATADV_IF_ACTIVE) {
+ ret = -ENOENT;
+ goto out_put_primary_if;
+ }
+
hard_iface = batadv_netlink_get_hardif(bat_priv, cb);
if (IS_ERR(hard_iface) && PTR_ERR(hard_iface) != -ENONET) {
ret = PTR_ERR(hard_iface);
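Review bot: the new `goto out_put_primary_if` in batadv_hardif_neigh_dump depends on a label that lies outside the visible context, so please confirm that it drops the primary_if reference and then falls through to `out_put_mesh_iface`, otherwise this path would skip whatever that label cleans up. Both branches return -ENOENT and differ only in the label, so a one-line comment above the `if_status` check saying that primary_if is non-NULL here and already holds a reference would keep a later cleanup from merging the two conditions back into one.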
@@ -1327,11 +1332,16 @@ int batadv_orig_dump(struct sk_buff *msg, struct netlink_callback *cb)
bat_priv = netdev_priv(mesh_iface);
primary_if = batadv_primary_if_get_selected(bat_priv);
- if (!primary_if || primary_if->if_status != BATADV_IF_ACTIVE) {
+ if (!primary_if) {
ret = -ENOENT;
goto out_put_mesh_iface;
}
+ if (primary_if->if_status != BATADV_IF_ACTIVE) {
+ ret = -ENOENT;
+ goto out_put_primary_if;
+ }
+
hard_iface = batadv_netlink_get_hardif(bat_priv, cb);
if (IS_ERR(hard_iface) && PTR_ERR(hard_iface) != -ENONET) {
ret = PTR_ERR(hard_iface);
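Review bot: the NULL check followed by the `if_status != BATADV_IF_ACTIVE` check in batadv_orig_dump is now a line-for-line copy of the block added to batadv_hardif_neigh_dump, which is the same duplication that let the leak reach both functions. Consider a small helper that returns the selected primary interface only when it is active and drops the reference itself otherwise, so each dump function keeps a single `if (!primary_if)` failure path and the fix cannot be undone in one copy only.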
---
base-commit: def64eeace3150b88d5823fcb733dadd79d7562a
change-id: 20250927-netlink-free-inactive-if-121d06a4b616
Best regards,
--
Sven Eckelmann <sven@narfation.org>
* Re: [PATCH] batman-adv: Release references to inactive interfaces
2025-09-27 18:01 [PATCH] batman-adv: Release references to inactive interfaces Sven Eckelmann
@ 2025-10-17 11:18 ` Tetsuo Handa
2025-10-17 14:02 ` Sven Eckelmann
0 siblings, 1 reply; 3+ messages in thread
From: Tetsuo Handa @ 2025-10-17 11:18 UTC (permalink / raw)
To: Sven Eckelmann, b.a.t.m.a.n
Cc: Linus Lüssing, syzbot+881d65229ca4f9ae8c84
Is this patch recognized?
On 2025/09/28 3:01, Sven Eckelmann wrote:
> Trying to dump the originators or the neighbors via netlink for a meshif
> with an inactive primary interface is not allowed. The dump functions were
> checking this correctly but they didn't handle non-existing primary
> interfaces and existing _inactive_ interfaces differently.
>
> (Primary) batadv_hard_ifaces hold a reference to a net_device. And
> accessing them is only allowed when either being in an RCU/spinlock
> protected section or when holding a valid reference to them. The netlink
> dump functions use the latter.
>
> But because of the missing specific error handling for inactive primary
> interfaces, the reference was never dropped. This reference counting error
> was only detected when the interface should have been removed from the
> system:
>
> unregister_netdevice: waiting for batadv_slave_0 to become free. Usage count = 2
>
> Fixes: 50eddf397ac3 ("batman-adv: netlink: reduce duplicate code by returning interfaces")
> Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
> Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
> Signed-off-by: Sven Eckelmann <sven@narfation.org>
> ---
> net/batman-adv/originator.c | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
* Re: [PATCH] batman-adv: Release references to inactive interfaces
2025-10-17 11:18 ` Tetsuo Handa
@ 2025-10-17 14:02 ` Sven Eckelmann
0 siblings, 0 replies; 3+ messages in thread
From: Sven Eckelmann @ 2025-10-17 14:02 UTC (permalink / raw)
To: b.a.t.m.a.n, Tetsuo Handa; +Cc: Linus Lüssing, syzbot+881d65229ca4f9ae8c84
On Friday, 17 October 2025 13:18:20 CEST Tetsuo Handa wrote:
> Is this patch recognized?
Who should recognize the patch?
https://git.open-mesh.org/linux-merge.git/commit/?id=f12b69d8f22824a07f17c1399c99757072de73e0
Regards,
Sven
>
> On 2025/09/28 3:01, Sven Eckelmann wrote:
> > Trying to dump the originators or the neighbors via netlink for a meshif
> > with an inactive primary interface is not allowed. The dump functions were
> > checking this correctly but they didn't handle non-existing primary
> > interfaces and existing _inactive_ interfaces differently.
> >
> > (Primary) batadv_hard_ifaces hold a reference to a net_device. And
> > accessing them is only allowed when either being in an RCU/spinlock
> > protected section or when holding a valid reference to them. The netlink
> > dump functions use the latter.
> >
> > But because of the missing specific error handling for inactive primary
> > interfaces, the reference was never dropped. This reference counting error
> > was only detected when the interface should have been removed from the
> > system:
> >
> > unregister_netdevice: waiting for batadv_slave_0 to become free. Usage count = 2
> >
> > Fixes: 50eddf397ac3 ("batman-adv: netlink: reduce duplicate code by returning interfaces")
> > Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
> > Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
> > Signed-off-by: Sven Eckelmann <sven@narfation.org>
> > ---
> > net/batman-adv/originator.c | 14 ++++++++++++--
> > 1 file changed, 12 insertions(+), 2 deletions(-)
>