From: Simon Wunderlich <sw@simonwunderlich.de>
To: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
b.a.t.m.a.n@lists.open-mesh.org,
Sven Eckelmann <sven@narfation.org>,
stable@kernel.org, Simon Wunderlich <sw@simonwunderlich.de>
Subject: [PATCH net 07/15] batman-adv: tp_meter: restrict number of unacked list entries
Date: Fri, 19 Jun 2026 09:00:37 +0200 [thread overview]
Message-ID: <20260619070045.438101-8-sw@simonwunderlich.de> (raw)
In-Reply-To: <20260619070045.438101-1-sw@simonwunderlich.de>
From: Sven Eckelmann <sven@narfation.org>
When the unacked_list is unbound, an attacker could send messages with
small lengths and appropriated seqno + gaps to force the receiver to
allocate more and more unacked_list entries. And the end either causing an
out-of-memory situation or increase the management overhead for the (large)
list that significant portions of CPU cycles are wasted in searching
through the list.
When limiting the list to a specific number, it is important to still
correctly add a new entry to the list. But if the list became larger than
the limit, the last entry of the list (with the highest seqno) must be
dropped to still allow the earlier seqnos to finish and therefore to
continue the process. Otherwise, the process might get stuck with too high
seqnos which are not handled by batadv_tp_ack_unordered().
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
---
net/batman-adv/tp_meter.c | 23 ++++++++++++++++++++++-
net/batman-adv/types.h | 3 +++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 7e98cbfbbb70d..259ac8c307359 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -87,6 +87,11 @@
#define BATADV_TP_PLEN (BATADV_TP_PACKET_LEN - ETH_HLEN - \
sizeof(struct batadv_unicast_packet))
+/**
+ * BATADV_TP_MAX_UNACKED - maximum number of packets a receiver didn't yet ack
+ */
+#define BATADV_TP_MAX_UNACKED 100
+
static u8 batadv_tp_prerandom[4096] __read_mostly;
/**
@@ -1303,6 +1308,7 @@ static void batadv_tp_receiver_shutdown(struct timer_list *t)
list_for_each_entry_safe(un, safe, &tp_vars->common.unacked_list, list) {
list_del(&un->list);
kfree(un);
+ tp_vars->common.unacked_count--;
}
spin_unlock_bh(&tp_vars->common.unacked_lock);
@@ -1416,6 +1422,7 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_receiver *tp_vars,
/* if the list is empty immediately attach this new object */
if (list_empty(&tp_vars->common.unacked_list)) {
list_add(&new->list, &tp_vars->common.unacked_list);
+ tp_vars->common.unacked_count++;
goto out;
}
@@ -1446,12 +1453,24 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_receiver *tp_vars,
*/
list_add(&new->list, &un->list);
added = true;
+ tp_vars->common.unacked_count++;
break;
}
/* received packet with smallest seqno out of order; add it to front */
- if (!added)
+ if (!added) {
list_add(&new->list, &tp_vars->common.unacked_list);
+ tp_vars->common.unacked_count++;
+ }
+
+ /* remove the last (biggest) unacked seqno when list is too large */
+ if (tp_vars->common.unacked_count > BATADV_TP_MAX_UNACKED) {
+ un = list_last_entry(&tp_vars->common.unacked_list,
+ struct batadv_tp_unacked, list);
+ list_del(&un->list);
+ kfree(un);
+ tp_vars->common.unacked_count--;
+ }
out:
spin_unlock_bh(&tp_vars->common.unacked_lock);
@@ -1488,6 +1507,7 @@ static void batadv_tp_ack_unordered(struct batadv_tp_receiver *tp_vars)
list_del(&un->list);
kfree(un);
+ tp_vars->common.unacked_count--;
}
spin_unlock_bh(&tp_vars->common.unacked_lock);
}
@@ -1537,6 +1557,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
spin_lock_init(&tp_vars->common.unacked_lock);
INIT_LIST_HEAD(&tp_vars->common.unacked_list);
+ tp_vars->common.unacked_count = 0;
kref_get(&tp_vars->common.refcount);
timer_setup(&tp_vars->common.timer, batadv_tp_receiver_shutdown, 0);
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 5e81c93b8217d..9fa8e73ff6e59 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1366,6 +1366,9 @@ struct batadv_tp_vars_common {
/** @unacked_lock: protect unacked_list */
spinlock_t unacked_lock;
+ /** @unacked_count: number of unacked entries */
+ size_t unacked_count;
+
/** @refcount: number of context where the object is used */
struct kref refcount;
--
2.47.3
next prev parent reply other threads:[~2026-06-19 7:00 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 7:00 [PATCH net 00/15] pull request: batman-adv 2026-06-19 Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 01/15] batman-adv: gw: don't deselect gateway with active hardif Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 02/15] batman-adv: ensure bcast is writable before modifying TTL Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 03/15] batman-adv: fix (m|b)cast csum after decrementing TTL Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 04/15] batman-adv: frag: ensure fragment is writable before modifying TTL Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 05/15] batman-adv: frag: avoid underflow of TTL Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 06/15] batman-adv: v: prevent OGM aggregation on disabled hardif Simon Wunderlich
2026-06-19 7:00 ` Simon Wunderlich [this message]
2026-06-19 7:00 ` [PATCH net 08/15] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 09/15] batman-adv: tp_meter: prevent parallel modifications of last_recv Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 10/15] batman-adv: tp_meter: handle overlapping packets Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 11/15] batman-adv: tt: don't merge change entries with different VIDs Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 12/15] batman-adv: tt: track roam count per VID Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 13/15] batman-adv: dat: prevent false sharing between VLANs Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 14/15] batman-adv: tvlv: enforce 2-byte alignment Simon Wunderlich
2026-06-19 7:00 ` [PATCH net 15/15] batman-adv: tvlv: avoid race of cifsnotfound handler state Simon Wunderlich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260619070045.438101-8-sw@simonwunderlich.de \
--to=sw@simonwunderlich.de \
--cc=b.a.t.m.a.n@lists.open-mesh.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@kernel.org \
--cc=sven@narfation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox