]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
batman-adv: v: prevent OGM aggregation on disabled hardif
authorSven Eckelmann <sven@narfation.org>
Thu, 11 Jun 2026 19:47:28 +0000 (21:47 +0200)
committerSven Eckelmann <sven@narfation.org>
Sat, 13 Jun 2026 05:57:52 +0000 (07:57 +0200)
When an interface gets disabled, the worker is correctly disabled by
batadv_hardif_disable_interface() -> ... -> batadv_v_ogm_iface_disable().
In this process, the skb aggr_list is also freed.

But batadv_v_ogm_send_meshif() can still queue new skbs (via
batadv_v_ogm_queue_on_if()) to the aggr_list. This will only stop after all
cores can no longer find the RCU protected list of hard interfaces. These
queued skbs will never be freed or consumed by batadv_v_ogm_aggr_work.

The batadv_v_ogm_iface_disable() function must block
batadv_v_ogm_queue_on_if() to avoid leak of skbs.

Cc: stable@kernel.org
Fixes: f89255a02f1d ("batman-adv: BATMAN_V: introduce per hard-iface OGMv2 queues")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
net/batman-adv/bat_v.c
net/batman-adv/bat_v_ogm.c
net/batman-adv/types.h

index fe7c0113d0df3942f20c4d452491eaa2fc11d0cb..db6f5bdcaa9859624302bcf7482e175e8e44043f 100644 (file)
@@ -817,6 +817,7 @@ void batadv_v_hardif_init(struct batadv_hard_iface *hard_iface)
 
        hard_iface->bat_v.aggr_len = 0;
        skb_queue_head_init(&hard_iface->bat_v.aggr_list);
+       hard_iface->bat_v.aggr_list_enabled = false;
        INIT_DELAYED_WORK(&hard_iface->bat_v.aggr_wq,
                          batadv_v_ogm_aggr_work);
        /* make sure it doesn't run until interface gets enabled */
index 81926ef9c02c94777324fdfe473e9f067de7f758..95efd8a43c79ddf7e90babcb439daaf905c72f99 100644 (file)
@@ -254,11 +254,18 @@ static void batadv_v_ogm_queue_on_if(struct batadv_priv *bat_priv,
        }
 
        spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
+       if (!hard_iface->bat_v.aggr_list_enabled) {
+               kfree_skb(skb);
+               goto unlock;
+       }
+
        if (!batadv_v_ogm_queue_left(skb, hard_iface))
                batadv_v_ogm_aggr_send(bat_priv, hard_iface);
 
        hard_iface->bat_v.aggr_len += batadv_v_ogm_len(skb);
        __skb_queue_tail(&hard_iface->bat_v.aggr_list, skb);
+
+unlock:
        spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
 }
 
@@ -415,6 +422,10 @@ int batadv_v_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
 {
        struct batadv_priv *bat_priv = netdev_priv(hard_iface->mesh_iface);
 
+       spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
+       hard_iface->bat_v.aggr_list_enabled = true;
+       spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
+
        enable_delayed_work(&hard_iface->bat_v.aggr_wq);
 
        batadv_v_ogm_start_queue_timer(hard_iface);
@@ -432,6 +443,7 @@ void batadv_v_ogm_iface_disable(struct batadv_hard_iface *hard_iface)
        disable_delayed_work_sync(&hard_iface->bat_v.aggr_wq);
 
        spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
+       hard_iface->bat_v.aggr_list_enabled = false;
        batadv_v_ogm_aggr_list_free(hard_iface);
        spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
 }
index 5fd5bd358a249af63b83e864efc17784037e9fbb..5e81c93b8217dfffb8008304f3b073a3b2cc7873 100644 (file)
@@ -145,6 +145,12 @@ struct batadv_hard_iface_bat_v {
        /** @aggr_list: queue for to be aggregated OGM packets */
        struct sk_buff_head aggr_list;
 
+       /**
+        * @aggr_list_enabled: aggr_list is active and new skbs can be
+        * enqueued. Protected by aggr_list.lock after initialization
+        */
+       bool aggr_list_enabled:1;
+
        /** @aggr_len: size of the OGM aggregate (excluding ethernet header) */
        unsigned int aggr_len;