From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E24712EF652; Thu, 28 May 2026 20:39:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780000781; cv=none; b=EA8+GX1XXG8PM/nqZD4uWtU/A/Q7eEwDKWLTu/ANPgZgsIsotLhLPbnia+HQMQYD6mWJ6hur2wCqbL4FlASTFsPaZwWwrqy8DfuIk7q7EsTYR5ITpHwKoLsWHGuuC1OASeBJ/q5MXPi+0dmrjB+CarTUfDCEL8QAYo6JfUFfUTI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780000781; c=relaxed/simple; bh=Zo+Lxhg/NCEgYHAY49N6pkZ84vVi7N3qZfnAh4nYgvo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=OIW4OIua3RLDl48MAl1wkChDlbkqHSdnz4chHoE8VGLOwF43nRU5ypOEGjMu/CYsRRwmBhZcrRJF9Zdc4V5oqQJKXh/yBRgqoprHkwsuEZGc7tFtXNQIJgpELwyrY8Tcp6tSRz34g+7XnNDEm3VgyvEItQTx+7CCwI0AtCzheQQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=qXytd3vc; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="qXytd3vc" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4BE911F000E9; Thu, 28 May 2026 20:39:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1780000780; bh=6X5Ulakz24WVySs7QuKrMuKvty/VH0VeO3Ql3A84Dhs=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=qXytd3vchJ5RMsIRWbcgDRj5L3tWZw5bHfK08HrWnAnvakIIumIgzd2fbRgb+YHjm zJ3ghKGPp3XV2Vh4GxyDzxqPcxMBe47mkd3iVWzjriNRfME01SlhwjYLvLlPobUi6d Fl3rg4rzaqai8fa4RW1+P3KXF9aAfN1vbIlsv79Y= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, stable@kernel.org, Sven Eckelmann Subject: [PATCH 6.12 129/272] batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown Date: Thu, 28 May 2026 21:48:23 +0200 Message-ID: <20260528194632.992136205@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260528194629.379955525@linuxfoundation.org> References: <20260528194629.379955525@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sven Eckelmann commit 77098e4bea37af51d3962efa88a5af2ea5e1ac57 upstream. The receiver shutdown timer handler, batadv_tp_receiver_shutdown(), is responsible for releasing the tp_vars reference it holds. However, the existing logic for coordinating this release with batadv_tp_stop_all() was flawed. timer_shutdown_sync() guarantees the timer will not fire again after it returns, but it returns non-zero only when the timer was pending at the time of the call. If the timer had already expired (and batadv_tp_stop_all() would unsucessfully try to rearm itself), batadv_tp_stop_all() skips its batadv_tp_vars_put(), and batadv_tp_receiver_shutdown() fails to put its own reference as well. Fix this by introducing a new atomic variable receiving that is set to 1 when the receiver is initialized and cleared atomically with atomic_xchg() by whichever side claims it first. Only the side that observes the transition from 1 to 0 is responsible for releasing the tp_vars timer reference, eliminating the uncertainty. Cc: stable@kernel.org Fixes: 3d3cf6a7314a ("batman-adv: stop tp_meter sessions during mesh teardown") Signed-off-by: Sven Eckelmann Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/tp_meter.c | 13 +++++++++++-- net/batman-adv/types.h | 3 +++ 2 files changed, 14 insertions(+), 2 deletions(-) --- a/net/batman-adv/tp_meter.c +++ b/net/batman-adv/tp_meter.c @@ -8,6 +8,7 @@ #include "main.h" #include +#include #include #include #include @@ -1163,6 +1164,9 @@ static void batadv_tp_receiver_shutdown( spin_unlock_bh(&tp_vars->unacked_lock); /* drop reference of timer */ + if (WARN_ON(atomic_xchg(&tp_vars->receiving, 0) != 1)) + return; + batadv_tp_vars_put(tp_vars); } @@ -1381,6 +1385,7 @@ batadv_tp_init_recv(struct batadv_priv * ether_addr_copy(tp_vars->other_end, icmp->orig); tp_vars->role = BATADV_TP_RECEIVER; + atomic_set(&tp_vars->receiving, 1); memcpy(tp_vars->session, icmp->session, sizeof(tp_vars->session)); tp_vars->last_recv = BATADV_TP_FIRST_SEQ; tp_vars->bat_priv = bat_priv; @@ -1553,8 +1558,12 @@ void batadv_tp_stop_all(struct batadv_pr break; case BATADV_TP_RECEIVER: batadv_tp_list_detach(tp_var); - if (timer_shutdown_sync(&tp_var->timer)) - batadv_tp_vars_put(tp_var); + timer_shutdown_sync(&tp_var->timer); + + if (atomic_xchg(&tp_var->receiving, 0) != 1) + break; + + batadv_tp_vars_put(tp_var); break; } --- a/net/batman-adv/types.h +++ b/net/batman-adv/types.h @@ -1461,6 +1461,9 @@ struct batadv_tp_vars { /** @sending: sending binary semaphore: 1 if sending, 0 is not */ atomic_t sending; + /** @receiving: receiving binary semaphore: 1 if receiving, 0 is not */ + atomic_t receiving; + /** @reason: reason for a stopped session */ enum batadv_tp_meter_reason reason;