From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, stable@kernel.org,
Sven Eckelmann <sven@narfation.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 50/96] batman-adv: tp_meter: prevent parallel modifications of last_recv
Date: Thu, 2 Jul 2026 18:19:42 +0200 [thread overview]
Message-ID: <20260702155110.035435467@linuxfoundation.org> (raw)
In-Reply-To: <20260702155108.949633242@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 6dde0cfcb36e4d5b3de35b75696937478441eed4 upstream.
When last_recv is updated to store the last received sequence number, the
code assumes that nothing modifies it in parallel while:
* check for outdated packets is done
* out of order check is performed (and packets are stored in out-of-order
queue)
* the out-of-order queue was searched for closed gaps
* sequence number for next ack is calculated
Nothing of that was actually protected. It could therefore happen that the
last_recv was updated multiple times in parallel and the final sequence
number was calculated with deltas which had no connection to the sequence
number they were added to.
Lock this whole region with the same lock which was already used to protect
the unacked (out-of-order) list.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ Switch to pre-splitted tp_vars structure names ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 22 +++++++++++++---------
net/batman-adv/types.h | 2 +-
2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 91392e48514d64..c01ff6e72b5da5 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1303,6 +1303,7 @@ static int batadv_tp_send_ack(struct batadv_priv *bat_priv, const u8 *dst,
*/
static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
const struct sk_buff *skb)
+ __must_hold(&tp_vars->unacked_lock)
{
const struct batadv_icmp_tp_packet *icmp;
struct batadv_tp_unacked *un, *new;
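Review bot: `__must_hold(&tp_vars->unacked_lock)` on batadv_tp_handle_out_of_order() is only evaluated by sparse, so a future caller that forgets the lock still compiles and runs without complaint. Since the function no longer takes the lock itself (the `spin_lock_bh()` removal is in the next hunk), I would add `lockdep_assert_held(&tp_vars->unacked_lock);` as the first statement of the body so lockdep-enabled builds catch a missing lock at runtime. The same applies to batadv_tp_ack_unordered(), which receives the same annotation further down. The function body continues outside this hunk.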
@@ -1319,12 +1320,11 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
payload_len = skb->len - sizeof(struct batadv_unicast_packet);
new->len = payload_len;
- spin_lock_bh(&tp_vars->unacked_lock);
/* if the list is empty immediately attach this new object */
if (list_empty(&tp_vars->unacked_list)) {
list_add(&new->list, &tp_vars->unacked_list);
tp_vars->unacked_count++;
- goto out;
+ return true;
}
/* otherwise loop over the list and either drop the packet because this
@@ -1373,9 +1373,6 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
tp_vars->unacked_count--;
}
-out:
- spin_unlock_bh(&tp_vars->unacked_lock);
-
return true;
}
@@ -1385,6 +1382,7 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
* @tp_vars: the private data of the current TP meter session
*/
static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
+ __must_hold(&tp_vars->unacked_lock)
{
struct batadv_tp_unacked *un, *safe;
u32 to_ack;
@@ -1392,7 +1390,6 @@ static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
/* go through the unacked packet list and possibly ACK them as
* well
*/
- spin_lock_bh(&tp_vars->unacked_lock);
list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) {
/* the list is ordered, therefore it is possible to stop as soon
* there is a gap between the last acked seqno and the seqno of
@@ -1410,7 +1407,6 @@ static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
kfree(un);
tp_vars->unacked_count--;
}
- spin_unlock_bh(&tp_vars->unacked_lock);
}
/**
@@ -1489,6 +1485,7 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
const struct batadv_icmp_tp_packet *icmp;
struct batadv_tp_vars *tp_vars;
size_t packet_size;
+ u32 to_ack;
u32 seqno;
icmp = (struct batadv_icmp_tp_packet *)skb->data;
@@ -1517,6 +1514,8 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
WRITE_ONCE(tp_vars->last_recv_time, jiffies);
}
+ spin_lock_bh(&tp_vars->unacked_lock);
+
/* if the packet is a duplicate, it may be the case that an ACK has been
* lost. Resend the ACK
*/
@@ -1528,8 +1527,10 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
/* exit immediately (and do not send any ACK) if the packet has
* not been enqueued correctly
*/
- if (!batadv_tp_handle_out_of_order(tp_vars, skb))
+ if (!batadv_tp_handle_out_of_order(tp_vars, skb)) {
+ spin_unlock_bh(&tp_vars->unacked_lock);
goto out;
+ }
/* send a duplicate ACK */
goto send_ack;
@@ -1543,11 +1544,14 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
batadv_tp_ack_unordered(tp_vars);
send_ack:
+ to_ack = tp_vars->last_recv;
+ spin_unlock_bh(&tp_vars->unacked_lock);
+
/* send the ACK. If the received packet was out of order, the ACK that
* is going to be sent is a duplicate (the sender will count them and
* possibly enter Fast Retransmit as soon as it has reached 3)
*/
- batadv_tp_send_ack(bat_priv, icmp->orig, tp_vars->last_recv,
+ batadv_tp_send_ack(bat_priv, icmp->orig, to_ack,
icmp->timestamp, icmp->session, icmp->uid);
out:
if (likely(tp_vars))
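Review bot: The reason `to_ack` is copied before `spin_unlock_bh()` is not stated at `send_ack:`, and a later cleanup could easily turn it back into a direct read of `tp_vars->last_recv` after the unlock. A short comment above the assignment would pin it down, e.g. `/* snapshot under unacked_lock; last_recv may advance once the lock is dropped */`. Every path that reaches `send_ack:` has to arrive with the lock held. The visible hunks are consistent with that, but the duplicate-packet branch and the start of batadv_tp_recv_msg() lie outside the hunks, so this is worth confirming against the full function.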
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index b12b0851df6e7e..437d651a1cffe3 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1505,7 +1505,7 @@ struct batadv_tp_vars {
/** @unacked_list: list of unacked packets (meta-info only) */
struct list_head unacked_list;
- /** @unacked_lock: protect unacked_list */
+ /** @unacked_lock: protect unacked_list + &batadv_tp_receiver.last_recv */
spinlock_t unacked_lock;
/** @unacked_count: number of unacked entries */
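Review bot: The new kernel-doc text points at `&batadv_tp_receiver.last_recv`, but this hunk is inside `struct batadv_tp_vars` and the backport note says the patch was switched to the pre-split tp_vars names, so `batadv_tp_receiver` presumably does not exist in this tree. The cross-reference would then dangle in the generated documentation and mislead a reader about which field the lock covers. I would write it as `/** @unacked_lock: protect unacked_list + &batadv_tp_vars.last_recv */`, assuming last_recv is a member of this struct in 5.10 (its definition is outside the hunk).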
--
2.53.0