git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Sven Eckelmann <sven@narfation.org>
	Tue, 12 May 2026 07:13:31 +0000 (09:13 +0200)
committer	Sven Eckelmann <sven@narfation.org>
	Tue, 19 May 2026 07:09:34 +0000 (09:09 +0200)
commit	83ab69bd12b80f6ea169c8bea6977701b53a043d
tree	9958551d021ee7aa757f7e416c3636522e9db8f7	tree \| snapshot
parent	0459430add32ea41f3e2ef9351610e6d33627a6b	commit \| diff

batman-adv: bla: avoid double decrement of bla.num_requests

The bla.num_requests is increased when no request_sent was in progress. And
it is decremented in various places (announcement was received, backbone is
purged, periodic work). But the check if the request_sent is actually set
to a specific state and the atomic_dec/_inc are not safe because they are
not atomic (TOCTOU) and multiple such code portions can run concurrently.

At the same time, it is necessary to modify request_sent (state) and
bla.num_requests atomically. Otherwise batadv_bla_send_request() might set
request_sent to 1 and is interrupted. batadv_handle_announce() can then
set request_sent back to 0 and decrement num_requests before
batadv_bla_send_request() incremented it.

The two operations must therefore be locked. And since state (request_sent)
and wait_periods are only accessed inside this lock, they can be converted
to simpler datatypes. And to avoid that the bla.num_requests is touched by
a parallel running context with a valid backbone_gw reference after
batadv_bla_purge_backbone_gw() ran, a third state "stopped" is required to
correctly signal that a backbone_gw is in the state of being cleaned up.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>

net/batman-adv/bridge_loop_avoidance.c		diff \| blob \| blame \| history
net/batman-adv/mesh-interface.c		diff \| blob \| blame \| history
net/batman-adv/types.h		diff \| blob \| blame \| history