From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 850D9433E87; Thu, 2 Jul 2026 16:54:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783011292; cv=none; b=Ik7Ey6Zksr7TdGPsyuTnUm2RLwEziZdCbRedW0KzaWIZ82HI575Ykx6gbGDZ1CPd4JpwXRjknmEznsJMaA5yyXGOSWkLTtWkW+Ri/b+4uByQIYcQd93/CDC+BFY2MNY/qIFWYSWnbHK8gwso6ZIzKsHb2Af8eQgKqxADQmSlaPA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783011292; c=relaxed/simple; bh=/j4Bt2VJY/iKf4ME/aWP1qFOvAju52BESIZD8Kk5K0c=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Mu7dWso0RL/xHu40E09vHjgZnIz9V9cZOHVp46RpatVSb8sPV/G7TLkUTZRX0k/wu1swT6PDv/GRbdSvSHtsQa8AtSepaXX7xug5cS1dU7gAtV2un6vnqYsOnESHsXTpLa72dO2aqQ1efd1Ua16yX883KNRb9oRbQ/z2gzyRyAw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=eCZF16dw; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="eCZF16dw" Received: by smtp.kernel.org (Postfix) with ESMTPSA id EBC101F000E9; Thu, 2 Jul 2026 16:54:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1783011291; bh=CBqVdfB+dqnjGJiiT/27UhOc/Z7ykV5W4o+nIkBWnwQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=eCZF16dwl8ax+o2ciu2mfJhUD9xAWvSIxKF+PEI2BvR2qYIMvKfGUYdde2hDEIgDt 5IeeLVpytTRoI+rJXdBJ4jnGBiB3q5OB4KkIDo/URLHuern7jwHAKj1BpBXkoMWrIK v0WNv8ZSOxAgzYEhW/k91qAo3XB6e75Zgw0kS7mU= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, stable@kernel.org, Sven Eckelmann , Sasha Levin Subject: [PATCH 6.18 009/108] batman-adv: tp_meter: avoid window underflow Date: Thu, 2 Jul 2026 18:20:06 +0200 Message-ID: <20260702155112.305480001@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260702155112.110058792@linuxfoundation.org> References: <20260702155112.110058792@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sven Eckelmann commit 765947b81fb54b6ebb0bc1cfe55c0fa399e002b8 upstream. In batadv_tp_avail(), win_left is calculated with 32-bit unsigned arithmetic: win_left = win_limit - tp_vars->last_sent; During Fast Recovery, cwnd is inflated and last_sent advances rapidly. When Fast Recovery ends, cwnd drops abruptly back to ss_threshold. If the newly shrunk win_limit is less than last_sent, the unsigned subtraction will underflow, wrapping to a massive positive value. Instead of returning that the window is full (unavailable), it returns that the sender can continue sending. To handle this situation, it must be checked whether the windows end sequence number (win_limit) has to be compared with the last sent sequence number. If it would be before the last sent sequence number, then more acks are needed before the transmission can be started again. Cc: stable@kernel.org Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") Signed-off-by: Sven Eckelmann Signed-off-by: Sasha Levin --- net/batman-adv/tp_meter.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c index 473641d32dc683..71a4352cd78c77 100644 --- a/net/batman-adv/tp_meter.c +++ b/net/batman-adv/tp_meter.c @@ -817,10 +817,15 @@ static void batadv_tp_recv_ack(struct batadv_priv *bat_priv, static bool batadv_tp_avail(struct batadv_tp_vars *tp_vars, size_t payload_len) { + u32 last_sent = READ_ONCE(tp_vars->last_sent); u32 win_left, win_limit; win_limit = atomic_read(&tp_vars->last_acked) + tp_vars->cwnd; - win_left = win_limit - tp_vars->last_sent; + + if (batadv_seq_before(last_sent, win_limit)) + win_left = win_limit - last_sent; + else + win_left = 0; return win_left >= payload_len; } -- 2.53.0