From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from dvalin.narfation.org (dvalin.narfation.org [213.160.73.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D30FD481DD for ; Fri, 20 Mar 2026 10:20:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=213.160.73.56 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774002062; cv=none; b=uTuDKJP1Ha3JXvjqrmNTnrLCPVkcSyq/pxkFFahY8UNfV9QNBlUj3L41lXK0hwP8EDwe1uZUBe3BkS4X+k0EIqNGNsN8ovrevEaW3x7oY+c2ny04bfa2rGI2Ri7Uqq9vkTkx3+IGIi+q4+jkN8kkCcC8Xpvig15i+c0mEYWeXhw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774002062; c=relaxed/simple; bh=r5QPv00cbSjaiHlEndGXtd6J9lWwJ+ipO1cfMiBTSvw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ftvKLg5TZFzZ9SiivOxFWAVPz1ePs407t0IQBuH9BnNYcGfs1hL2HqFlLgnhImKMylfUFBSj2oXZIRdLNR5yHZrAXsqr56Hvnql5zYCU+L1Cqt4ergMj028ocETeh78F2Nbyl3OMF7IfDCGCLxSCqva7zQDC4Uhh28kGckoz5oI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=narfation.org; spf=pass smtp.mailfrom=narfation.org; dkim=pass (1024-bit key) header.d=narfation.org header.i=@narfation.org header.b=alE9WPqA; arc=none smtp.client-ip=213.160.73.56 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=narfation.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=narfation.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=narfation.org header.i=@narfation.org header.b="alE9WPqA" Received: by dvalin.narfation.org (Postfix) id 69A0F2035A; Fri, 20 Mar 2026 10:20:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=narfation.org; s=20121; t=1774002053; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4NdzyQEmCPszGyI4LLdMYuA0h6cotbbT1rRui9D682E=; b=alE9WPqAh5p1/LGRzvhUOyfTELsoqoGncx52PQr9lVUuvS1qwdrQkfeym/AnG9GqZLUEYe MsVD321M4IakbRgU1auwPwxKWsdarvQ4CmfjS1m8ztslUq8r7UYkRUxXdGE8I8TG48EkvU gwKC7M4BMPSj0ClC9mEZ+Fy3Dcm0XMo= From: Sven Eckelmann To: stable@vger.kernel.org Cc: Yang Yang , Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Sven Eckelmann , Simon Wunderlich Subject: [PATCH 6.12.y] batman-adv: avoid OGM aggregation when skb tailroom is insufficient Date: Fri, 20 Mar 2026 11:20:40 +0100 Message-ID: <20260320102040.1648972-1-sven@narfation.org> X-Mailer: git-send-email 2.47.3 In-Reply-To: <2026032056-kettle-helmet-7e5d@gregkh> References: <2026032056-kettle-helmet-7e5d@gregkh> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Yang Yang commit 0d4aef630be9d5f9c1227d07669c26c4383b5ad0 upstream. When OGM aggregation state is toggled at runtime, an existing forwarded packet may have been allocated with only packet_len bytes, while a later packet can still be selected for aggregation. Appending in this case can hit skb_put overflow conditions. Reject aggregation when the target skb tailroom cannot accommodate the new packet. The caller then falls back to creating a new forward packet instead of appending. Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Cc: stable@vger.kernel.org Reported-by: Yifan Wu Reported-by: Juefei Pu Signed-off-by: Yuan Tan Signed-off-by: Xin Liu Signed-off-by: Ao Zhou Signed-off-by: Yang Yang Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich [ Adjust context ] Signed-off-by: Sven Eckelmann --- net/batman-adv/bat_iv_ogm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c index 209180b4c268..c31edbd7c2ab 100644 --- a/net/batman-adv/bat_iv_ogm.c +++ b/net/batman-adv/bat_iv_ogm.c @@ -464,6 +464,9 @@ batadv_iv_ogm_can_aggregate(const struct batadv_ogm_packet *new_bat_ogm_packet, !time_after_eq(aggregation_end_time, forw_packet->send_time)) return false; + if (skb_tailroom(forw_packet->skb) < packet_len) + return false; + if (aggregated_bytes > BATADV_MAX_AGGREGATION_BYTES) return false; -- 2.47.3