B.A.T.M.A.N July 2020

b.a.t.m.a.n@lists.open-mesh.org

14 participants
14 discussions

[PATCH] batman-adv: Drop repeated words in comments
by Sven Eckelmann 31 Jul '20

31 Jul '20

checkpatch found various instances of "Possible repeated word" in various comments. Signed-off-by: Sven Eckelmann <sven(a)narfation.org> --- net/batman-adv/bridge_loop_avoidance.c | 2 +- net/batman-adv/fragmentation.c | 2 +- net/batman-adv/hard-interface.c | 2 +- net/batman-adv/multicast.c | 2 +- net/batman-adv/network-coding.c | 2 +- net/batman-adv/send.c | 2 +- net/batman-adv/soft-interface.c | 4 ++-- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 91a04ca3..5c41cc52 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -1795,7 +1795,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb, ret = queue_work(batadv_event_workqueue, &backbone_gw->report_work); - /* backbone_gw is unreferenced in the report work function function + /* backbone_gw is unreferenced in the report work function * if queue_work() call was successful */ if (!ret) diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c index 9fdbe306..9a47ef8b 100644 --- a/net/batman-adv/fragmentation.c +++ b/net/batman-adv/fragmentation.c @@ -306,7 +306,7 @@ batadv_frag_merge_packets(struct hlist_head *chain) * set *skb to merged packet; 2) Packet is buffered: Return true and set *skb * to NULL; 3) Error: Return false and free skb. * - * Return: true when the packet is merged or buffered, false when skb is not not + * Return: true when the packet is merged or buffered, false when skb is not * used. */ bool batadv_frag_skb_buffer(struct sk_buff **skb, diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c index fa06b51c..715f169c 100644 --- a/net/batman-adv/hard-interface.c +++ b/net/batman-adv/hard-interface.c @@ -599,7 +599,7 @@ int batadv_hardif_min_mtu(struct net_device *soft_iface) /* report to the other components the maximum amount of bytes that * batman-adv can send over the wire (without considering the payload * overhead). For example, this value is used by TT to compute the - * maximum local table table size + * maximum local table size */ atomic_set(&bat_priv->packet_size_max, min_mtu); diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c index bdc4a1fb..1622c3f5 100644 --- a/net/batman-adv/multicast.c +++ b/net/batman-adv/multicast.c @@ -207,7 +207,7 @@ static u8 batadv_mcast_mla_rtr_flags_bridge_get(struct batadv_priv *bat_priv, return BATADV_MCAST_WANT_NO_RTR4 | BATADV_MCAST_WANT_NO_RTR6; /* TODO: ask the bridge if a multicast router is present (the bridge - * is capable of performing proper RFC4286 multicast multicast router + * is capable of performing proper RFC4286 multicast router * discovery) instead of searching for a ff02::2 listener here */ ret = br_multicast_list_adjacent(dev, &bridge_mcast_list); diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c index 48d70785..64619b7a 100644 --- a/net/batman-adv/network-coding.c +++ b/net/batman-adv/network-coding.c @@ -250,7 +250,7 @@ static void batadv_nc_path_put(struct batadv_nc_path *nc_path) /** * batadv_nc_packet_free() - frees nc packet * @nc_packet: the nc packet to free - * @dropped: whether the packet is freed because is is dropped + * @dropped: whether the packet is freed because is dropped */ static void batadv_nc_packet_free(struct batadv_nc_packet *nc_packet, bool dropped) diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c index d267b948..87017332 100644 --- a/net/batman-adv/send.c +++ b/net/batman-adv/send.c @@ -461,7 +461,7 @@ int batadv_send_skb_via_gw(struct batadv_priv *bat_priv, struct sk_buff *skb, /** * batadv_forw_packet_free() - free a forwarding packet * @forw_packet: The packet to free - * @dropped: whether the packet is freed because is is dropped + * @dropped: whether the packet is freed because is dropped * * This frees a forwarding packet and releases any resources it might * have claimed. diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c index 23833a0b..9d3974ba 100644 --- a/net/batman-adv/soft-interface.c +++ b/net/batman-adv/soft-interface.c @@ -649,7 +649,7 @@ static void batadv_softif_destroy_vlan(struct batadv_priv *bat_priv, /** * batadv_interface_add_vid() - ndo_add_vid API implementation * @dev: the netdev of the mesh interface - * @proto: protocol of the the vlan id + * @proto: protocol of the vlan id * @vid: identifier of the new vlan * * Set up all the internal structures for handling the new vlan on top of the @@ -707,7 +707,7 @@ static int batadv_interface_add_vid(struct net_device *dev, __be16 proto, /** * batadv_interface_kill_vid() - ndo_kill_vid API implementation * @dev: the netdev of the mesh interface - * @proto: protocol of the the vlan id + * @proto: protocol of the vlan id * @vid: identifier of the deleted vlan * * Destroy all the internal structures used to handle the vlan identified by vid -- 2.20.1

1 0

[PATCH] batman-adv: Fix own OGM check in aggregated OGMs
by Linus Lüssing 30 Jul '20

30 Jul '20

The own OGM check is currently misplaced and can lead to the following issues: For one thing we might receive an aggregated OGM from a neighbor node which has our own OGM in the first place. We would then not only skip our own OGM but erroneously also any other, following OGM in the aggregate. For another, we might receive an OGM aggregate which has our own OGM in a place other then the first one. Then we would wrongly not skip this OGM, leading to populating the orginator and gateway table with ourself. The latter seems to not only be a cosmetic issue, but there were reports that this causes issues with various subsystems of batman-adv, too. For instance there were reports about issues with DAT and either disabling DAT or aggregation seemed to solve it. Fixing these issues by applying the own OGM check not on the first OGM in an aggregate but for each OGM in an aggregate instead. Fixes: 667996ebeab ("batman-adv: OGMv2 - implement originators logic") Signed-off-by: Linus Lüssing <linus.luessing(a)c0d3.blue> --- net/batman-adv/bat_v_ogm.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c index 0f8495b9..717fe657 100644 --- a/net/batman-adv/bat_v_ogm.c +++ b/net/batman-adv/bat_v_ogm.c @@ -881,6 +881,12 @@ static void batadv_v_ogm_process(const struct sk_buff *skb, int ogm_offset, ntohl(ogm_packet->seqno), ogm_throughput, ogm_packet->ttl, ogm_packet->version, ntohs(ogm_packet->tvlv_len)); + if (batadv_is_my_mac(bat_priv, ogm_packet->orig)) { + batadv_dbg(BATADV_DBG_BATMAN, bat_priv, + "Drop packet: originator packet from ourself\n"); + return; + } + /* If the throughput metric is 0, immediately drop the packet. No need * to create orig_node / neigh_node for an unusable route. */ @@ -1008,11 +1014,6 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb, if (batadv_is_my_mac(bat_priv, ethhdr->h_source)) goto free_skb; - ogm_packet = (struct batadv_ogm2_packet *)skb->data; - - if (batadv_is_my_mac(bat_priv, ogm_packet->orig)) - goto free_skb; - batadv_inc_counter(bat_priv, BATADV_CNT_MGMT_RX); batadv_add_counter(bat_priv, BATADV_CNT_MGMT_RX_BYTES, skb->len + ETH_HLEN); -- 2.28.0.rc1

1 0

batadv gw_mode client 0?
by Rob Cowart 28 Jul '20

28 Jul '20

Hi, We've been using batman with alfred and MQTT on raspbian for about 3 years. We found it to be useful up to about 15 nodes, and then we'd saturate the wifi. Then we downgraded the driver and we can get slightly over 30. but something we found was all of our nodes were using gw_mode client 0, and we realized this isn't listed in the spec. Do you know what it does in that case, does it use the default of 20? Thanks, Rov

3 8

Batman_V Originator Loop Issue
by lavincent15＠gmail.com 27 Jul '20

27 Jul '20

Running batctl 2020.1-openwrt-1 [batman-adv: 2020.1-openwrt-2] When running a two node network with one node connected to my lan and the other operating as an access point, my network works great. I can connect clients to my batman nodes and access my LAN. When booting up a third node. My network works for 1 minute, then breaks down. My LAN cannot ping any of the batman nodes anymore. I keep receiving messages like this: "[ 2900.755655] br-lan: received packet on bat0 with own address as source address (addr:8c:ae:4c:db:14:5c, vlan:0)" which signifies a bridge loop I think. My originator messages look wrong as I can see my host originator messages along with all the neigbor nodes: root@OpenWrt:/etc/config# batctl o -n [B.A.T.M.A.N. adv 2020.1-openwrt-2, MainIF/MAC: mesh0/00:30:1a:4e:b8:26 (bat0/f2:07:f1:5f:e0:78 BATMAN_V)] Originator last-seen ( throughput) Nexthop [outgoingIF] * 00:30:1a:4e:b8:18 0.570s ( 86.7) 00:30:1a:4e:b8:2e [ mesh0] 00:30:1a:4e:b8:18 0.570s ( 21.6) 00:30:1a:4e:b8:18 [ mesh0] * 00:30:1a:4e:b8:2e 1.510s ( 212.6) 00:30:1a:4e:b8:2e [ mesh0] 00:30:1a:4e:b8:2e 1.510s ( 38.9) 00:30:1a:4e:b8:18 [ mesh0] 00:30:1a:4e:b8:26 1.510s ( 38.9) 00:30:1a:4e:b8:18 [ mesh0] * 00:30:1a:4e:b8:26 1.510s ( 108.9) 00:30:1a:4e:b8:2e [ mesh0] root@OpenWrt:/etc/config# batctl n -n [B.A.T.M.A.N. adv 2020.1-openwrt-2, MainIF/MAC: mesh0/00:30:1a:4e:b8:26 (bat0/f2:07:f1:5f:e0:78 BATMAN_V)] IF Neighbor last-seen 00:30:1a:4e:b8:2e 0.490s ( 179.0) [ mesh0] 00:30:1a:4e:b8:18 0.380s ( 79.2) [ mesh0] Here is my /etc/config/network: config interface 'loopback' option ifname 'lo' option proto 'static' option ipaddr '127.0.0.1' option netmask '255.0.0.0' config globals 'globals' option ula_prefix 'fdc4:e092:8929::/48' config interface 'lan' option type 'bridge' option proto 'static' option ipaddr '192.168.0.32' option netmask '255.255.255.0' option ip6assign '60' option gateway '192.168.0.1' list dns '8.8.8.8' option ifname 'bat0 eth0' config interface 'nwi_mesh0' option mtu '2304' option proto 'batadv_hardif' option master 'bat0' config interface 'bat0' option proto 'batadv' option routing_algo 'BATMAN_V' option aggregated_ogms '1' option ap_isolation '0' option bonding '0' option fragmentation '1' option gw_mode 'server' option log_level '0' option orig_interval '1000' option bridge_loop_avoidance '1' option distributed_arp_table '1' option multicast_mode '1' option network_coding '0' option hop_penalty '30' option isolation_mark '0x00000000/0x00000000' And here is my /etc/config/wireless root@OpenWrt:/etc/config# cat wireless config wifi-device 'radio0' option type 'mac80211' option channel '36' option hwmode '11a' option path 'soc0/soc/1ffc000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0' option htmode 'VHT80' config wifi-iface 'mesh0' option device 'radio0' option ifname 'mesh0' option network 'nwi_mesh0' option mode 'mesh' option mesh_fwding '0' option mesh_id 'batman_mesh' option encryption 'none' config wifi-iface 'wifinet0' option device 'radio0' option mode 'ap' option ssid 'N2-Lander' option encryption 'psk2' option key 'finnjamin' option ifname 'wlan0' option network 'lan' Any and all help is greatly appreciated

3 9

Delay starting TCP connections across the mesh
by John Sager 27 Jul '20

27 Jul '20

I'm experimenting with a mesh network in the house. It has 4 nodes running batman_adv (BATMAN_IV) on stock OpenWrt 19.07.3 (i.e batman-adv-2019.2) on TP-Link WR902AC devices. The nodes mesh on 'mesh point' links on 2.4GHz and one node connects to the home wired network. In the scenario, I have a laptop connected to the AP on one of the mesh nodes (not the gateway). I make a ssh connection from this to a host on the wired network. There is a consistent delay of about 8 seconds before the 'password' prompt comes back from the remote host. I rebuilt OpenWrt 19.07.3 for that device, and ticked all the debug options for batman-adv. Running tcpdump on both soft and hard interfaces, and trace-cmd to capture the debug info, I find the following: The DNS request and response for the remote host name, and the consequent ARP request and response go through within milliseconds. However the TCP SYN is received by the bat0 interface but is not forwarded on the mesh0 interface. SYN re-sends after 1 sec, then 2 sec are not forwarded either. Only the 3rd re-send (after another 4 sec) gets forwarded and then the ssh session proceeds normally. Looking at the code, and after adding extra batadv_dbg() calls, I discover that the 'orig_node' returned by 'batadv_transtable_search()' on the dest address is NULL so the SYN gets thrown away by 'batadv_send_skb_unicast()'. It is only after receiving an OGM message with a TT update for the remote host MAC from the gateway node that the local translation table gets populated with the remote host's MAC. I should say that I've set the 'orig_interval' to 3000 to reduce batman traffic, so that probably has an effect on the delay. I do wonder why the ARP response is not used to populate the translation table immediately, as an ARP response is always going to be followed immediately by returning IP packets. The ARPs are snooped for the distributed ARP table anyway so why not use that information for the translation table too? regards, John Sager

1 0

INFO: rcu detected stall in netlink_sendmsg (4)
by syzbot 24 Jul '20

24 Jul '20

Hello, syzbot found the following crash on: HEAD commit: ae661dec Merge branch 'ifla_xdp_expected_fd' git tree: bpf-next console output: https://syzkaller.appspot.com/x/log.txt?x=12245647e00000 kernel config: https://syzkaller.appspot.com/x/.config?x=b5acf5ac38a50651 dashboard link: https://syzkaller.appspot.com/bug?extid=0fb70e87d8e0ac278fe9 compiler: gcc (GCC) 9.0.0 20181231 (experimental) Unfortunately, I don't have any reproducer for this crash yet. IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+0fb70e87d8e0ac278fe9(a)syzkaller.appspotmail.com rcu: INFO: rcu_preempt self-detected stall on CPU rcu: 0-....: (1 GPs behind) idle=5c2/1/0x4000000000000002 softirq=376075/376076 fqs=5176 (t=10500 jiffies g=506061 q=176208) NMI backtrace for cpu 0 CPU: 0 PID: 17281 Comm: syz-executor.5 Not tainted 5.6.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 nmi_cpu_backtrace.cold+0x70/0xb1 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0x231/0x27e lib/nmi_backtrace.c:62 trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline] rcu_dump_cpu_stacks+0x169/0x1b3 kernel/rcu/tree_stall.h:254 print_cpu_stall kernel/rcu/tree_stall.h:475 [inline] check_cpu_stall kernel/rcu/tree_stall.h:549 [inline] rcu_pending kernel/rcu/tree.c:3030 [inline] rcu_sched_clock_irq.cold+0x518/0xc55 kernel/rcu/tree.c:2276 update_process_times+0x25/0x60 kernel/time/timer.c:1726 tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:171 tick_sched_timer+0x4e/0x140 kernel/time/tick-sched.c:1314 __run_hrtimer kernel/time/hrtimer.c:1517 [inline] __hrtimer_run_queues+0x32c/0xdd0 kernel/time/hrtimer.c:1579 hrtimer_interrupt+0x312/0x770 kernel/time/hrtimer.c:1641 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1119 [inline] smp_apic_timer_interrupt+0x15b/0x600 arch/x86/kernel/apic/apic.c:1144 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 </IRQ> RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:759 [inline] RIP: 0010:lock_release+0x45f/0x7c0 kernel/locking/lockdep.c:4505 Code: 94 08 00 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 0f 85 d0 02 00 00 48 83 3d 6d 1d 1b 08 00 0f 84 71 01 00 00 48 8b 3c 24 57 9d <0f> 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 48 01 c3 48 c7 03 00 RSP: 0018:ffffc90003d9ec30 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 RAX: 1ffffffff12e7698 RBX: 1ffff920007b3d89 RCX: 1ffff110098769b9 RDX: dffffc0000000000 RSI: 1ffff110098769c5 RDI: 0000000000000282 RBP: ffff88804c3b4540 R08: 0000000000000004 R09: fffffbfff14cc269 R10: fffffbfff14cc268 R11: ffffffff8a661347 R12: bc95c6993a9665e0 R13: ffffffff87a36fb1 R14: ffff88804c3b4dd0 R15: 0000000000000003 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:174 [inline] _raw_spin_unlock_bh+0x12/0x30 kernel/locking/spinlock.c:207 spin_unlock_bh include/linux/spinlock.h:383 [inline] batadv_tt_local_purge_pending_clients+0x2a1/0x3b0 net/batman-adv/translation-table.c:3914 batadv_tt_local_resize_to_mtu+0x96/0x130 net/batman-adv/translation-table.c:4198 batadv_update_min_mtu net/batman-adv/hard-interface.c:626 [inline] batadv_hardif_activate_interface.part.0.cold+0xc6/0x294 net/batman-adv/hard-interface.c:653 batadv_hardif_activate_interface net/batman-adv/hard-interface.c:800 [inline] batadv_hardif_enable_interface+0x9f2/0xaa0 net/batman-adv/hard-interface.c:792 batadv_softif_slave_add+0x92/0x150 net/batman-adv/soft-interface.c:859 do_set_master net/core/rtnetlink.c:2470 [inline] do_set_master+0x1d7/0x230 net/core/rtnetlink.c:2443 do_setlink+0xaa2/0x3680 net/core/rtnetlink.c:2605 __rtnl_newlink+0xad5/0x1590 net/core/rtnetlink.c:3266 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3391 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2478 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6b9/0x7d0 net/socket.c:2343 ___sys_sendmsg+0x100/0x170 net/socket.c:2397 __sys_sendmsg+0xec/0x1b0 net/socket.c:2430 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45c849 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f043b72fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f043b7306d4 RCX: 000000000045c849 RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000009f5 R14: 00000000004ccac9 R15: 000000000076bf0c --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller(a)googlegroups.com. syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

1 2

[PATCH maint] batman-adv: Avoid uninitialized chaddr when handling DHCP
by Sven Eckelmann 22 Jul '20

22 Jul '20

The gateway client code can try to optimize the delivery of DHCP packets to avoid broadcasting them through the whole mesh. But also transmissions to the client can be optimized by looking up the destination via the chaddr of the DHCP packet. But the chaddr is currently only done when chaddr is fully inside the non-paged area of the skbuff. Otherwise it will not be initialized and the unoptimized path should have been taken. But the implementation didn't handle this correctly. It didn't retrieve the correct chaddr but still tried to perform the TT lookup with this uninitialized memory. Reported-by: syzbot+ab16e463b903f5a37036(a)syzkaller.appspotmail.com Fixes: 2d5b555644b2 ("batman-adv: send every DHCP packet as bat-unicast") Signed-off-by: Sven Eckelmann <sven(a)narfation.org> --- net/batman-adv/gateway_client.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c index a18dcc68..ef3f85b5 100644 --- a/net/batman-adv/gateway_client.c +++ b/net/batman-adv/gateway_client.c @@ -703,8 +703,10 @@ batadv_gw_dhcp_recipient_get(struct sk_buff *skb, unsigned int *header_len, chaddr_offset = *header_len + BATADV_DHCP_CHADDR_OFFSET; /* store the client address if the message is going to a client */ - if (ret == BATADV_DHCP_TO_CLIENT && - pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) { + if (ret == BATADV_DHCP_TO_CLIENT) { + if (!pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) + return BATADV_DHCP_NO; + /* check if the DHCP packet carries an Ethernet DHCP */ p = skb->data + *header_len + BATADV_DHCP_HTYPE_OFFSET; if (*p != BATADV_DHCP_HTYPE_ETHERNET) -- 2.20.1

2 1

INFO: rcu detected stall in seq_read (2)
by syzbot 22 Jul '20

22 Jul '20

Hello, syzbot found the following issue on: HEAD commit: 4fa640dc Merge tag 'vfio-v5.8-rc7' of git://github.com/awi.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=145cac30900000 kernel config: https://syzkaller.appspot.com/x/.config?x=f87a5e4232fdb267 dashboard link: https://syzkaller.appspot.com/bug?extid=c28b5fee66fd3b7f766e compiler: gcc (GCC) 10.1.0-syz 20200507 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17e23ac8900000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1198c440900000 The issue was bisected to: commit 53e233ea2fa9fa7e2405e95070981f327d90e519 Author: Vasundhara Volam <vasundhara-v.volam(a)broadcom.com> Date: Thu Oct 4 05:43:52 2018 +0000 devlink: Add Documentation/networking/devlink-params-bnxt.txt bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15e22b94900000 final oops: https://syzkaller.appspot.com/x/report.txt?x=17e22b94900000 console output: https://syzkaller.appspot.com/x/log.txt?x=13e22b94900000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+c28b5fee66fd3b7f766e(a)syzkaller.appspotmail.com Fixes: 53e233ea2fa9 ("devlink: Add Documentation/networking/devlink-params-bnxt.txt") hrtimer: interrupt took 6305559 ns rcu: INFO: rcu_preempt self-detected stall on CPU rcu: 1-...!: (1 GPs behind) idle=91e/1/0x4000000000000000 softirq=10105/10107 fqs=1 (t=18319 jiffies g=8905 q=457) NMI backtrace for cpu 1 CPU: 1 PID: 4008 Comm: systemd-journal Not tainted 5.8.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 nmi_cpu_backtrace.cold+0x70/0xb1 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0x1b3/0x223 lib/nmi_backtrace.c:62 trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline] rcu_dump_cpu_stacks+0x194/0x1cf kernel/rcu/tree_stall.h:320 print_cpu_stall kernel/rcu/tree_stall.h:553 [inline] check_cpu_stall kernel/rcu/tree_stall.h:627 [inline] rcu_pending kernel/rcu/tree.c:3489 [inline] rcu_sched_clock_irq.cold+0x5b3/0xccc kernel/rcu/tree.c:2504 update_process_times+0x25/0x60 kernel/time/timer.c:1737 tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:176 tick_sched_timer+0x108/0x290 kernel/time/tick-sched.c:1320 __run_hrtimer kernel/time/hrtimer.c:1520 [inline] __hrtimer_run_queues+0x1d5/0xfc0 kernel/time/hrtimer.c:1584 hrtimer_interrupt+0x32a/0x930 kernel/time/hrtimer.c:1646 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1080 [inline] __sysvec_apic_timer_interrupt+0x142/0x5e0 arch/x86/kernel/apic/apic.c:1097 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:711 </IRQ> __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] sysvec_apic_timer_interrupt+0xe0/0x120 arch/x86/kernel/apic/apic.c:1091 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:585 RIP: 0010:format_decode+0x0/0xad0 lib/vsprintf.c:2329 Code: c7 c7 10 05 af 8a be 10 00 00 00 e8 5a c3 46 00 48 c7 c7 20 78 0d 8a e9 6e f2 e2 fd 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 <41> 57 41 56 41 55 41 54 55 48 89 f5 53 48 bb 00 00 00 00 00 fc ff RSP: 0018:ffffc90001077a10 EFLAGS: 00000293 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff83b0a497 RDX: ffff888093224040 RSI: ffffc90001077a80 RDI: ffffffff884e6293 RBP: ffffffff884e6293 R08: 0000000000000001 R09: ffff8880952a63d1 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880952a63d2 R13: ffffffff884e6293 R14: 0000000000000025 R15: ffffc90001077b30 vsnprintf+0x155/0x14f0 lib/vsprintf.c:2572 seq_vprintf fs/seq_file.c:379 [inline] seq_printf+0x195/0x240 fs/seq_file.c:394 proc_pid_status+0x1c6d/0x24b0 fs/proc/array.c:424 proc_single_show+0x116/0x1e0 fs/proc/base.c:766 seq_read+0x432/0x1070 fs/seq_file.c:208 vfs_read+0x1df/0x520 fs/read_write.c:479 ksys_read+0x12d/0x250 fs/read_write.c:607 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f0fc43d9910 Code: Bad RIP value. RSP: 002b:00007ffdcb193978 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000055b1476b96f0 RCX: 00007f0fc43d9910 RDX: 0000000000000800 RSI: 000055b1476b8b00 RDI: 0000000000000013 RBP: 00007f0fc4694440 R08: 00007f0fc4697fc8 R09: 0000000000000410 R10: 000055b1476b96f0 R11: 0000000000000246 R12: 0000000000000800 R13: 0000000000000d68 R14: 000055b1476b8b00 R15: 00007f0fc4693900 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller(a)googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. For information about bisection process see: https://goo.gl/tpsmEJ#bisection syzbot can test patches for this issue, for details see: https://goo.gl/tpsmEJ#testing-patches

2 1

[PATCH] net: batman-adv: types.h: delete duplicated words
by Randy Dunlap 19 Jul '20

19 Jul '20

Delete the doubled word "time" in a comment. Delete the doubled word "address" in a comment. Signed-off-by: Randy Dunlap <rdunlap(a)infradead.org> Cc: Marek Lindner <mareklindner(a)neomailbox.ch> Cc: Simon Wunderlich <sw(a)simonwunderlich.de> Cc: Antonio Quartulli <a(a)unstable.cc> Cc: Sven Eckelmann <sven(a)narfation.org> Cc: b.a.t.m.a.n(a)lists.open-mesh.org --- net/batman-adv/types.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- linux-next-20200717.orig/net/batman-adv/types.h +++ linux-next-20200717/net/batman-adv/types.h @@ -1492,7 +1492,7 @@ struct batadv_tp_vars { /** @unacked_lock: protect unacked_list */ spinlock_t unacked_lock; - /** @last_recv_time: time time (jiffies) a msg was received */ + /** @last_recv_time: time (jiffies) a msg was received */ unsigned long last_recv_time; /** @refcount: number of context where the object is used */ @@ -1996,7 +1996,7 @@ struct batadv_tt_change_node { */ struct batadv_tt_req_node { /** - * @addr: mac address address of the originator this request was sent to + * @addr: mac address of the originator this request was sent to */ u8 addr[ETH_ALEN];

1 0

KMSAN: uninit-value in batadv_tt_hash_find
by syzbot 14 Jul '20

14 Jul '20

Hello, syzbot found the following crash on: HEAD commit: f0d5ec90 kmsan: apply __no_sanitize_memory to dotraplinkag.. git tree: https://github.com/google/kmsan.git master console output: https://syzkaller.appspot.com/x/log.txt?x=10c0883b100000 kernel config: https://syzkaller.appspot.com/x/.config?x=86e4f8af239686c6 dashboard link: https://syzkaller.appspot.com/bug?extid=ab16e463b903f5a37036 compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) userspace arch: i386 Unfortunately, I don't have any reproducer for this crash yet. IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+ab16e463b903f5a37036(a)syzkaller.appspotmail.com ===================================================== BUG: KMSAN: uninit-value in __read_once_size include/linux/compiler.h:206 [inline] BUG: KMSAN: uninit-value in batadv_tt_hash_find+0x38a/0x810 net/batman-adv/translation-table.c:144 CPU: 0 PID: 23320 Comm: syz-executor.5 Not tainted 5.7.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x220 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 __read_once_size include/linux/compiler.h:206 [inline] batadv_tt_hash_find+0x38a/0x810 net/batman-adv/translation-table.c:144 batadv_tt_global_hash_find net/batman-adv/translation-table.c:203 [inline] batadv_transtable_search+0x292/0xa00 net/batman-adv/translation-table.c:2618 batadv_send_skb_via_tt_generic+0x181/0x290 net/batman-adv/send.c:423 batadv_send_skb_via_tt net/batman-adv/send.h:82 [inline] batadv_interface_tx+0x1b3d/0x2450 net/batman-adv/soft-interface.c:378 __netdev_start_xmit include/linux/netdevice.h:4533 [inline] netdev_start_xmit include/linux/netdevice.h:4547 [inline] xmit_one net/core/dev.c:3477 [inline] dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3493 __dev_queue_xmit+0x2f8d/0x3b20 net/core/dev.c:4052 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4085 neigh_hh_output include/net/neighbour.h:499 [inline] neigh_output include/net/neighbour.h:508 [inline] ip_finish_output2+0x20fd/0x2610 net/ipv4/ip_output.c:228 ip_do_fragment+0x2c98/0x3570 net/ipv4/ip_output.c:849 ip_fragment+0x242/0x400 net/ipv4/ip_output.c:585 __ip_finish_output+0xd34/0xd80 net/ipv4/ip_output.c:304 ip_finish_output+0x166/0x410 net/ipv4/ip_output.c:316 NF_HOOK_COND include/linux/netfilter.h:296 [inline] ip_mc_output+0xfbf/0x1090 net/ipv4/ip_output.c:415 dst_output include/net/dst.h:435 [inline] ip_local_out net/ipv4/ip_output.c:125 [inline] ip_send_skb+0x179/0x360 net/ipv4/ip_output.c:1560 udp_send_skb+0x1046/0x18b0 net/ipv4/udp.c:891 udp_sendmsg+0x3bb5/0x4100 net/ipv4/udp.c:1178 inet_sendmsg+0x276/0x2e0 net/ipv4/af_inet.c:807 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg net/socket.c:672 [inline] ____sys_sendmsg+0x1056/0x1350 net/socket.c:2362 ___sys_sendmsg net/socket.c:2416 [inline] __sys_sendmmsg+0x863/0xd60 net/socket.c:2499 __compat_sys_sendmmsg net/compat.c:672 [inline] __do_compat_sys_sendmmsg net/compat.c:679 [inline] __se_compat_sys_sendmmsg+0xcd/0xf0 net/compat.c:676 __ia32_compat_sys_sendmmsg+0x56/0x70 net/compat.c:676 do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] do_fast_syscall_32+0x3bf/0x6d0 arch/x86/entry/common.c:398 entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7f3add9 Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000f5d140cc EFLAGS: 00000296 ORIG_RAX: 0000000000000159 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020007f80 RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Uninit was stored to memory at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline] kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:310 __msan_chain_origin+0x50/0x90 mm/kmsan/kmsan_instr.c:165 ether_addr_copy include/linux/etherdevice.h:279 [inline] batadv_tt_hash_find+0x333/0x810 net/batman-adv/translation-table.c:137 batadv_tt_global_hash_find net/batman-adv/translation-table.c:203 [inline] batadv_transtable_search+0x292/0xa00 net/batman-adv/translation-table.c:2618 batadv_send_skb_via_tt_generic+0x181/0x290 net/batman-adv/send.c:423 batadv_send_skb_via_tt net/batman-adv/send.h:82 [inline] batadv_interface_tx+0x1b3d/0x2450 net/batman-adv/soft-interface.c:378 __netdev_start_xmit include/linux/netdevice.h:4533 [inline] netdev_start_xmit include/linux/netdevice.h:4547 [inline] xmit_one net/core/dev.c:3477 [inline] dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3493 __dev_queue_xmit+0x2f8d/0x3b20 net/core/dev.c:4052 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4085 neigh_hh_output include/net/neighbour.h:499 [inline] neigh_output include/net/neighbour.h:508 [inline] ip_finish_output2+0x20fd/0x2610 net/ipv4/ip_output.c:228 ip_do_fragment+0x2c98/0x3570 net/ipv4/ip_output.c:849 ip_fragment+0x242/0x400 net/ipv4/ip_output.c:585 __ip_finish_output+0xd34/0xd80 net/ipv4/ip_output.c:304 ip_finish_output+0x166/0x410 net/ipv4/ip_output.c:316 NF_HOOK_COND include/linux/netfilter.h:296 [inline] ip_mc_output+0xfbf/0x1090 net/ipv4/ip_output.c:415 dst_output include/net/dst.h:435 [inline] ip_local_out net/ipv4/ip_output.c:125 [inline] ip_send_skb+0x179/0x360 net/ipv4/ip_output.c:1560 udp_send_skb+0x1046/0x18b0 net/ipv4/udp.c:891 udp_sendmsg+0x3bb5/0x4100 net/ipv4/udp.c:1178 inet_sendmsg+0x276/0x2e0 net/ipv4/af_inet.c:807 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg net/socket.c:672 [inline] ____sys_sendmsg+0x1056/0x1350 net/socket.c:2362 ___sys_sendmsg net/socket.c:2416 [inline] __sys_sendmmsg+0x863/0xd60 net/socket.c:2499 __compat_sys_sendmmsg net/compat.c:672 [inline] __do_compat_sys_sendmmsg net/compat.c:679 [inline] __se_compat_sys_sendmmsg+0xcd/0xf0 net/compat.c:676 __ia32_compat_sys_sendmmsg+0x56/0x70 net/compat.c:676 do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] do_fast_syscall_32+0x3bf/0x6d0 arch/x86/entry/common.c:398 entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 Local variable ----chaddr@batadv_interface_tx created at: batadv_interface_tx+0x66/0x2450 net/batman-adv/soft-interface.c:191 batadv_interface_tx+0x66/0x2450 net/batman-adv/soft-interface.c:191 ===================================================== --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller(a)googlegroups.com. syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

1 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

B.A.T.M.A.N July 2020