From: Simon Wunderlich <sw@simonwunderlich.de>
To: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
b.a.t.m.a.n@lists.open-mesh.org,
Sven Eckelmann <sven@narfation.org>,
stable@kernel.org, Simon Wunderlich <sw@simonwunderlich.de>
Subject: [PATCH net 03/15] batman-adv: fix (m|b)cast csum after decrementing TTL
Date: Fri, 19 Jun 2026 09:00:33 +0200 [thread overview]
Message-ID: <20260619070045.438101-4-sw@simonwunderlich.de> (raw)
In-Reply-To: <20260619070045.438101-1-sw@simonwunderlich.de>
From: Sven Eckelmann <sven@narfation.org>
The broadcast and multicast packets can be received at the same time by the
local system and forwarded to other nodes. Both are simply decrementing the
TTL at the beginning of the receive path - independent of chosen paths
(receive/forward). But such a modification of the data conflicts with the
hw csum. This is not a problem when the packet is directly forwarded but
can cause errors in the local receive path.
Such a problem can then trigger a "hw csum failure". The receiver path must
therefore ensure that the csum is fixed for each modification of the
payload before batadv_interface_rx() is reached.
Since all batman-adv packet types with a ttl have it as u8 at offset 2, a
helper can be used for all of them. But it is only used at the moment for
batadv_bcast_packet and batadv_mcast_packet because they are the only ones
which deliver the packet locally but unconditionally modify the TTL.
Cc: stable@kernel.org
Fixes: 3f69339068f9 ("batman-adv: bcast: queue per interface, if needed")
Fixes: 07afe1ba288c ("batman-adv: mcast: implement multicast packet reception and forwarding")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
---
net/batman-adv/routing.c | 58 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 56 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 7b4acd1ad991a..8786b66c8a924 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -8,6 +8,7 @@
#include "main.h"
#include <linux/atomic.h>
+#include <linux/build_bug.h>
#include <linux/byteorder/generic.h>
#include <linux/compiler.h>
#include <linux/errno.h>
@@ -204,6 +205,59 @@ bool batadv_check_management_packet(struct sk_buff *skb,
return true;
}
+/**
+ * batadv_skb_decrement_ttl() - decrement ttl in a batman-adv header, csum-safe
+ * @skb: the received packet with @skb->data pointing to the batman-adv header
+ *
+ * Supports the following packet types, all of which carry the TTL at offset 2:
+ *
+ * - batadv_ogm_packet
+ * - batadv_ogm2_packet
+ * - batadv_icmp_header
+ * - batadv_icmp_packet
+ * - batadv_icmp_tp_packet
+ * - batadv_icmp_packet_rr
+ * - batadv_unicast_packet
+ * - batadv_frag_packet
+ * - batadv_bcast_packet
+ * - batadv_mcast_packet
+ * - batadv_coded_packet
+ * - batadv_unicast_tvlv_packet
+ *
+ * Return: true if the packet may be forwarded (ttl decremented),
+ * false if it must be dropped (ttl would expire)
+ */
+static bool batadv_skb_decrement_ttl(struct sk_buff *skb)
+{
+ static const size_t ttl_offset = 2;
+ u8 *ttl_pos;
+
+ BUILD_BUG_ON(offsetof(struct batadv_ogm_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_ogm2_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_header, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_tp_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_packet_rr, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_unicast_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_frag_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_bcast_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_mcast_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_coded_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_unicast_tvlv_packet, ttl) != ttl_offset);
+
+ ttl_pos = skb->data + ttl_offset;
+
+ /* would expire on this hop -> drop, leave header + csum untouched */
+ if (*ttl_pos < 2)
+ return false;
+
+ skb_postpull_rcsum(skb, ttl_pos, 1);
+ (*ttl_pos)--;
+ skb_postpush_rcsum(skb, ttl_pos, 1);
+
+ return true;
+}
+
/**
* batadv_recv_my_icmp_packet() - receive an icmp packet locally
* @bat_priv: the bat priv with all the mesh interface information
@@ -1197,7 +1251,7 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
bcast_packet = (struct batadv_bcast_packet *)skb->data;
- if (bcast_packet->ttl-- < 2)
+ if (!batadv_skb_decrement_ttl(skb))
goto free_skb;
orig_node = batadv_orig_hash_find(bat_priv, bcast_packet->orig);
@@ -1304,7 +1358,7 @@ int batadv_recv_mcast_packet(struct sk_buff *skb,
goto free_skb;
mcast_packet = (struct batadv_mcast_packet *)skb->data;
- if (mcast_packet->ttl-- < 2)
+ if (!batadv_skb_decrement_ttl(skb))
goto free_skb;
tvlv_buff = (unsigned char *)(skb->data + hdr_size);
--
2.47.3
next prev parent reply other threads:[~2026-06-19 7:10 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 7:00 [PATCH net 00/15] pull request: batman-adv 2026-06-19 Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 01/15] batman-adv: gw: don't deselect gateway with active hardif Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 02/15] batman-adv: ensure bcast is writable before modifying TTL Simon Wunderlich
2026-06-19 7:00 ` Simon Wunderlich [this message]
2026-06-19 7:00 ` [PATCH net 04/15] batman-adv: frag: ensure fragment " Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 05/15] batman-adv: frag: avoid underflow of TTL Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 06/15] batman-adv: v: prevent OGM aggregation on disabled hardif Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 07/15] batman-adv: tp_meter: restrict number of unacked list entries Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 08/15] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 09/15] batman-adv: tp_meter: prevent parallel modifications of last_recv Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 10/15] batman-adv: tp_meter: handle overlapping packets Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 11/15] batman-adv: tt: don't merge change entries with different VIDs Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 12/15] batman-adv: tt: track roam count per VID Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 13/15] batman-adv: dat: prevent false sharing between VLANs Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 14/15] batman-adv: tvlv: enforce 2-byte alignment Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 15/15] batman-adv: tvlv: avoid race of cifsnotfound handler state Simon Wunderlich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260619070045.438101-4-sw@simonwunderlich.de \
--to=sw@simonwunderlich.de \
--cc=b.a.t.m.a.n@lists.open-mesh.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@kernel.org \
--cc=sven@narfation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox