From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2640D3A1A3C; Thu, 2 Jul 2026 16:24:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783009476; cv=none; b=NAP4vI6iTVQImem6vWQF3BmshZxTDxXYCVjAoykTf/x2B43obkcJPXSHljTfCn8Sn68WLz4ddhr82wJplHVCFyF/q/mQPqikIFyhPhsNNMrdV6Yl4pizoJS1vDiLth1LbjdOagX4QPC2jbWV2raR8HW/YHr/vEVe+KPEIEeEtbw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783009476; c=relaxed/simple; bh=DfVZw77Ox7MkIB3Tv+iU5ASKQ1fsHcY+6Pbe7/407Z8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mqn0qj8uCaxEUFIRSP0sAYSe1WRdoT7NPelp+9tc+0ckBfqb1bb7C/PCud0o9RDAb+ErjXCHzbkmn0R+W6kUiof890ox6xLdA8ZiWr/KlkVCINW+vWTRkpNtji+ZcMixg5yDdI++RIOixI6Gx/ijXD+u04+yGsVCXuwxrIJm5G0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=upxyn13f; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="upxyn13f" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 23A961F00A3A; Thu, 2 Jul 2026 16:24:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1783009473; bh=3p8LPhPJ+IwqKXzogOsFVC33oSZuWqqggVF+seP4gV0=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=upxyn13f6I+LlfMJBTXDNot46MJbuniSQn7OrlglgPCLL5uJ5DLA498NJJ5tEH/gy ONZF3SplLDDVc1rlBAUvH61ApJW8CCsah8JhypYBY6i7gcz97pHBK3+dzZWSVwW+VZ hu1MDSjnO3TIj+A5LWPGVPd4cy0aWcXOA7mEXt4g= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, stable@kernel.org, Sven Eckelmann , Sasha Levin Subject: [PATCH 5.10 48/96] batman-adv: tp_meter: restrict number of unacked list entries Date: Thu, 2 Jul 2026 18:19:40 +0200 Message-ID: <20260702155109.993994623@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260702155108.949633242@linuxfoundation.org> References: <20260702155108.949633242@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sven Eckelmann commit e7c775110e1858e5a7471a23a9c9658c0af9df89 upstream. When the unacked_list is unbound, an attacker could send messages with small lengths and appropriated seqno + gaps to force the receiver to allocate more and more unacked_list entries. And the end either causing an out-of-memory situation or increase the management overhead for the (large) list that significant portions of CPU cycles are wasted in searching through the list. When limiting the list to a specific number, it is important to still correctly add a new entry to the list. But if the list became larger than the limit, the last entry of the list (with the highest seqno) must be dropped to still allow the earlier seqnos to finish and therefore to continue the process. Otherwise, the process might get stuck with too high seqnos which are not handled by batadv_tp_ack_unordered(). Cc: stable@kernel.org Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") [ Switch to pre-splitted tp_vars structure names ] Signed-off-by: Sven Eckelmann Signed-off-by: Sasha Levin --- net/batman-adv/tp_meter.c | 23 ++++++++++++++++++++++- net/batman-adv/types.h | 3 +++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c index ea5640242ddc2e..c7de8dfe9b65bd 100644 --- a/net/batman-adv/tp_meter.c +++ b/net/batman-adv/tp_meter.c @@ -86,6 +86,11 @@ #define BATADV_TP_PLEN (BATADV_TP_PACKET_LEN - ETH_HLEN - \ sizeof(struct batadv_unicast_packet)) +/** + * BATADV_TP_MAX_UNACKED - maximum number of packets a receiver didn't yet ack + */ +#define BATADV_TP_MAX_UNACKED 100 + static u8 batadv_tp_prerandom[4096] __read_mostly; /** @@ -1205,6 +1210,7 @@ static void batadv_tp_receiver_shutdown(struct timer_list *t) list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) { list_del(&un->list); kfree(un); + tp_vars->unacked_count--; } spin_unlock_bh(&tp_vars->unacked_lock); @@ -1317,6 +1323,7 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars, /* if the list is empty immediately attach this new object */ if (list_empty(&tp_vars->unacked_list)) { list_add(&new->list, &tp_vars->unacked_list); + tp_vars->unacked_count++; goto out; } @@ -1347,12 +1354,24 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars, */ list_add(&new->list, &un->list); added = true; + tp_vars->unacked_count++; break; } /* received packet with smallest seqno out of order; add it to front */ - if (!added) + if (!added) { list_add(&new->list, &tp_vars->unacked_list); + tp_vars->unacked_count++; + } + + /* remove the last (biggest) unacked seqno when list is too large */ + if (tp_vars->unacked_count > BATADV_TP_MAX_UNACKED) { + un = list_last_entry(&tp_vars->unacked_list, + struct batadv_tp_unacked, list); + list_del(&un->list); + kfree(un); + tp_vars->unacked_count--; + } out: spin_unlock_bh(&tp_vars->unacked_lock); @@ -1389,6 +1408,7 @@ static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars) list_del(&un->list); kfree(un); + tp_vars->unacked_count--; } spin_unlock_bh(&tp_vars->unacked_lock); } @@ -1438,6 +1458,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv, spin_lock_init(&tp_vars->unacked_lock); INIT_LIST_HEAD(&tp_vars->unacked_list); + tp_vars->unacked_count = 0; kref_get(&tp_vars->refcount); timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0); diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h index 28f239421f74a3..b12b0851df6e7e 100644 --- a/net/batman-adv/types.h +++ b/net/batman-adv/types.h @@ -1508,6 +1508,9 @@ struct batadv_tp_vars { /** @unacked_lock: protect unacked_list */ spinlock_t unacked_lock; + /** @unacked_count: number of unacked entries */ + size_t unacked_count; + /** @last_recv_time: time (jiffies) a msg was received */ unsigned long last_recv_time; -- 2.53.0