batman-adv: tp_meter: avoid window underflow

In batadv_tp_avail(), win_left is calculated with 32-bit unsigned
arithmetic: win_left = win_limit - tp_vars->last_sent;

During Fast Recovery, cwnd is inflated and last_sent advances rapidly. When
Fast Recovery ends, cwnd drops abruptly back to ss_threshold. If the newly
shrunk win_limit is less than last_sent, the unsigned subtraction will
underflow, wrapping to a massive positive value. Instead of returning that
the window is full (unavailable), it returns that the sender can continue
sending.

To handle this situation, it must be checked whether the windows end
sequence number (win_limit) has to be compared with the last sent sequence
number. If it would be before the last sent sequence number, then more acks
are needed before the transmission can be started again.

Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>

diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index beabc264a4f16b8798d5353c89b98aeaa01037b4..9ecbc6023cfc9822cf7a98a3c46b9637908f6133 100644 (file)
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -817,10 +817,15 @@ out:
 static bool batadv_tp_avail(struct batadv_tp_vars *tp_vars,
                            size_t payload_len)
 {
+       u32 last_sent = READ_ONCE(tp_vars->last_sent);
        u32 win_left, win_limit;
 
        win_limit = atomic_read(&tp_vars->last_acked) + tp_vars->cwnd;
-       win_left = win_limit - tp_vars->last_sent;
+
+       if (batadv_seq_before(last_sent, win_limit))
+               win_left = win_limit - last_sent;
+       else
+               win_left = 0;
 
        return win_left >= payload_len;
 }