From: Sven Eckelmann Date: Thu, 4 Jun 2026 08:58:51 +0000 (+0200) Subject: batman-adv: tp_meter: initialize last_recv_time during init X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=811cb00fa8cdc3f0a7f6eefc000a6888367c8c8f;p=thirdparty%2Flinux.git batman-adv: tp_meter: initialize last_recv_time during init The last_recv_time is the most important indicator for a receiver session to figure out whether a session timed out or not. But this information was only initialized after the session was added to the tp_receiver_list and after the timer was started. In the worst case, the timer (function) could have tried to access this information before the actual initialization was reached. Like rest of the variables of the tp_meter receiver session, this field has to be filled out before any other (parallel running) context has the chance to access it. Cc: stable@kernel.org Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") Signed-off-by: Sven Eckelmann --- diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c index 978e32d94e6c..cc72468ca2ab 100644 --- a/net/batman-adv/tp_meter.c +++ b/net/batman-adv/tp_meter.c @@ -1511,8 +1511,10 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv, tp_vars = batadv_tp_list_find_receiver_session(bat_priv, icmp->orig, icmp->session); - if (tp_vars) + if (tp_vars) { + tp_vars->last_recv_time = jiffies; goto out_unlock; + } if (!atomic_add_unless(&bat_priv->tp_num, 1, BATADV_TP_MAX_NUM)) { batadv_dbg(BATADV_DBG_TP_METER, bat_priv, @@ -1539,6 +1541,8 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv, kref_get(&tp_vars->common.refcount); timer_setup(&tp_vars->common.timer, batadv_tp_receiver_shutdown, 0); + tp_vars->last_recv_time = jiffies; + kref_get(&tp_vars->common.refcount); hlist_add_head_rcu(&tp_vars->common.list, &bat_priv->tp_receiver_list); @@ -1587,9 +1591,9 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv, icmp->orig); goto out; } - } - tp_vars->last_recv_time = jiffies; + tp_vars->last_recv_time = jiffies; + } /* if the packet is a duplicate, it may be the case that an ACK has been * lost. Resend the ACK