]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
batman-adv: tp_meter: restrict number of unacked list entries
authorSven Eckelmann <sven@narfation.org>
Wed, 10 Jun 2026 19:36:15 +0000 (21:36 +0200)
committerSven Eckelmann <sven@narfation.org>
Sat, 13 Jun 2026 05:57:52 +0000 (07:57 +0200)
When the unacked_list is unbound, an attacker could send messages with
small lengths and appropriated seqno + gaps to force the receiver to
allocate more and more unacked_list entries. And the end either causing an
out-of-memory situation or increase the management overhead for the (large)
list that significant portions of CPU cycles are wasted in searching
through the list.

When limiting the list to a specific number, it is important to still
correctly add a new entry to the list. But if the list became larger than
the limit, the last entry of the list (with the highest seqno) must be
dropped to still allow the earlier seqnos to finish and therefore to
continue the process. Otherwise, the process might get stuck with too high
seqnos which are not handled by batadv_tp_ack_unordered().

Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
net/batman-adv/tp_meter.c
net/batman-adv/types.h

index 7e98cbfbbb70d1ec4d183addcace3ffc1fd26e46..259ac8c307359605c0cbfe2c53b9ac53ec64304d 100644 (file)
 #define BATADV_TP_PLEN (BATADV_TP_PACKET_LEN - ETH_HLEN - \
                        sizeof(struct batadv_unicast_packet))
 
+/**
+ * BATADV_TP_MAX_UNACKED - maximum number of packets a receiver didn't yet ack
+ */
+#define BATADV_TP_MAX_UNACKED 100
+
 static u8 batadv_tp_prerandom[4096] __read_mostly;
 
 /**
@@ -1303,6 +1308,7 @@ static void batadv_tp_receiver_shutdown(struct timer_list *t)
        list_for_each_entry_safe(un, safe, &tp_vars->common.unacked_list, list) {
                list_del(&un->list);
                kfree(un);
+               tp_vars->common.unacked_count--;
        }
        spin_unlock_bh(&tp_vars->common.unacked_lock);
 
@@ -1416,6 +1422,7 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_receiver *tp_vars,
        /* if the list is empty immediately attach this new object */
        if (list_empty(&tp_vars->common.unacked_list)) {
                list_add(&new->list, &tp_vars->common.unacked_list);
+               tp_vars->common.unacked_count++;
                goto out;
        }
 
@@ -1446,12 +1453,24 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_receiver *tp_vars,
                 */
                list_add(&new->list, &un->list);
                added = true;
+               tp_vars->common.unacked_count++;
                break;
        }
 
        /* received packet with smallest seqno out of order; add it to front */
-       if (!added)
+       if (!added) {
                list_add(&new->list, &tp_vars->common.unacked_list);
+               tp_vars->common.unacked_count++;
+       }
+
+       /* remove the last (biggest) unacked seqno when list is too large */
+       if (tp_vars->common.unacked_count > BATADV_TP_MAX_UNACKED) {
+               un = list_last_entry(&tp_vars->common.unacked_list,
+                                    struct batadv_tp_unacked, list);
+               list_del(&un->list);
+               kfree(un);
+               tp_vars->common.unacked_count--;
+       }
 
 out:
        spin_unlock_bh(&tp_vars->common.unacked_lock);
@@ -1488,6 +1507,7 @@ static void batadv_tp_ack_unordered(struct batadv_tp_receiver *tp_vars)
 
                list_del(&un->list);
                kfree(un);
+               tp_vars->common.unacked_count--;
        }
        spin_unlock_bh(&tp_vars->common.unacked_lock);
 }
@@ -1537,6 +1557,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
 
        spin_lock_init(&tp_vars->common.unacked_lock);
        INIT_LIST_HEAD(&tp_vars->common.unacked_list);
+       tp_vars->common.unacked_count = 0;
 
        kref_get(&tp_vars->common.refcount);
        timer_setup(&tp_vars->common.timer, batadv_tp_receiver_shutdown, 0);
index 5e81c93b8217dfffb8008304f3b073a3b2cc7873..9fa8e73ff6e59548d38494613e631d677c5fef88 100644 (file)
@@ -1366,6 +1366,9 @@ struct batadv_tp_vars_common {
        /** @unacked_lock: protect unacked_list */
        spinlock_t unacked_lock;
 
+       /** @unacked_count: number of unacked entries */
+       size_t unacked_count;
+
        /** @refcount: number of context where the object is used */
        struct kref refcount;