]>
Commit | Line | Data |
---|---|---|
0ebf78d5 GKH |
1 | From b1f532a3b1e6d2e5559c7ace49322922637a28aa Mon Sep 17 00:00:00 2001 |
2 | From: Sven Eckelmann <sven@narfation.org> | |
3 | Date: Mon, 12 Feb 2024 13:58:33 +0100 | |
4 | Subject: batman-adv: Avoid infinite loop trying to resize local TT | |
5 | ||
6 | From: Sven Eckelmann <sven@narfation.org> | |
7 | ||
8 | commit b1f532a3b1e6d2e5559c7ace49322922637a28aa upstream. | |
9 | ||
10 | If the MTU of one of an attached interface becomes too small to transmit | |
11 | the local translation table then it must be resized to fit inside all | |
12 | fragments (when enabled) or a single packet. | |
13 | ||
14 | But if the MTU becomes too low to transmit even the header + the VLAN | |
15 | specific part then the resizing of the local TT will never succeed. This | |
16 | can for example happen when the usable space is 110 bytes and 11 VLANs are | |
17 | on top of batman-adv. In this case, at least 116 byte would be needed. | |
18 | There will just be an endless spam of | |
19 | ||
20 | batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110) | |
21 | ||
22 | in the log but the function will never finish. Problem here is that the | |
23 | timeout will be halved all the time and will then stagnate at 0 and | |
24 | therefore never be able to reduce the table even more. | |
25 | ||
26 | There are other scenarios possible with a similar result. The number of | |
27 | BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too | |
28 | high to fit inside a packet. Such a scenario can therefore happen also with | |
29 | only a single VLAN + 7 non-purgable addresses - requiring at least 120 | |
30 | bytes. | |
31 | ||
32 | While this should be handled proactively when: | |
33 | ||
34 | * interface with too low MTU is added | |
35 | * VLAN is added | |
36 | * non-purgeable local mac is added | |
37 | * MTU of an attached interface is reduced | |
38 | * fragmentation setting gets disabled (which most likely requires dropping | |
39 | attached interfaces) | |
40 | ||
41 | not all of these scenarios can be prevented because batman-adv is only | |
42 | consuming events without the the possibility to prevent these actions | |
43 | (non-purgable MAC address added, MTU of an attached interface is reduced). | |
44 | It is therefore necessary to also make sure that the code is able to handle | |
45 | also the situations when there were already incompatible system | |
46 | configuration are present. | |
47 | ||
48 | Cc: stable@vger.kernel.org | |
49 | Fixes: a19d3d85e1b8 ("batman-adv: limit local translation table max size") | |
50 | Reported-by: syzbot+a6a4b5bb3da165594cff@syzkaller.appspotmail.com | |
51 | Signed-off-by: Sven Eckelmann <sven@narfation.org> | |
52 | Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> | |
53 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
54 | --- | |
55 | net/batman-adv/translation-table.c | 2 +- | |
56 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
57 | ||
58 | --- a/net/batman-adv/translation-table.c | |
59 | +++ b/net/batman-adv/translation-table.c | |
60 | @@ -4188,7 +4188,7 @@ void batadv_tt_local_resize_to_mtu(struc | |
61 | ||
62 | spin_lock_bh(&bat_priv->tt.commit_lock); | |
63 | ||
64 | - while (true) { | |
65 | + while (timeout) { | |
66 | table_size = batadv_tt_local_table_transmit_size(bat_priv); | |
67 | if (packet_size_max >= table_size) | |
68 | break; |