B.A.T.M.A.N August 2021

b.a.t.m.a.n@lists.open-mesh.org

13 participants
12 discussions

[PATCH net 00/12] net: iflink and link-netnsid fixes
by Sabrina Dubroca 14 May '22

14 May '22

In a lot of places, we use this kind of comparison to detect if a device has a lower link: dev->ifindex != dev_get_iflink(dev) This seems to be a leftover of the pre-netns days, when the ifindex was unique over the whole system. Nowadays, with network namespaces, it's very easy to create a device with the same ifindex as its lower link: ip netns add main ip netns add peer ip -net main link add dummy0 type dummy ip -net main link add link dummy0 macvlan0 netns peer type macvlan ip -net main link show type dummy 9: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop ... ip -net peer link show type macvlan 9: macvlan0@if9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop ... To detect if a device has a lower link, we can simply check the existence of the dev->netdev_ops->ndo_get_iflink operation, instead of checking its return value. In particular, I attempted to fix one of these checks in commit feadc4b6cf42 ("rtnetlink: always put IFLA_LINK for links with a link-netnsid"), but this patch isn't correct, since tunnel devices can export IFLA_LINK_NETNSID without IFLA_LINK. That patch needs to be reverted. This series will fix all those bogus comparisons, and export missing IFLA_LINK_NETNSID attributes in bridge and ipv6 dumps. ipvlan and geneve are also missing the get_link_net operation, so userspace can't know when those device are cross-netns. There are a couple of other device types that have an ndo_get_iflink op but no get_link_net (virt_wifi, ipoib), and should probably also have a get_link_net. Sabrina Dubroca (12): ipvlan: add get_link_net geneve: add get_link_net Revert "rtnetlink: always put IFLA_LINK for links with a link-netnsid" rtnetlink: always put IFLA_LINK for links with ndo_get_iflink bridge: always put IFLA_LINK for ports with ndo_get_iflink bridge: advertise IFLA_LINK_NETNSID when dumping bridge ports ipv6: always put IFLA_LINK for devices with ndo_get_iflink ipv6: advertise IFLA_LINK_NETNSID when dumping ipv6 addresses net: link_watch: fix operstate when the link has the same index as the device net: link_watch: fix detection of urgent events batman-adv: fix iflink detection in batadv_is_on_batman_iface batman-adv: fix detection of lower link in batadv_get_real_netdevice drivers/net/can/vxcan.c | 2 +- drivers/net/geneve.c | 8 ++++++++ drivers/net/ipvlan/ipvlan_main.c | 9 +++++++++ drivers/net/veth.c | 2 +- include/net/rtnetlink.h | 4 ++++ net/batman-adv/hard-interface.c | 4 ++-- net/bridge/br_netlink.c | 4 +++- net/core/link_watch.c | 4 ++-- net/core/rtnetlink.c | 25 ++++++++++++------------- net/ipv6/addrconf.c | 11 ++++++++++- 10 files changed, 52 insertions(+), 21 deletions(-) -- 2.28.0

3 5

Dynamic DHCP server assignment and spin-up on batman-adv mesh network
by tanner.perkins＠cnftech.com 02 Sep '21

02 Sep '21

If this is not the best place to ask questions regarding mesh networks utilizing the batman-adv kernel module, I apologies and please point me to where I need to be. I'm looking to set up distributed mesh network using the batman-adv Linux kernel module. However, I don't want to have to statically assign IP addresses to all my nodes therefore my first thought was to use DHCP. The problem arises in my scenario that any node could come and go in the mesh network as they move in and out range of the network. Therefore manually allocating a single or even a few DHCP servers isn't realistic as that DHCP server may drop out of the network at anytime. Is there a dynamic way to reassign the DHCP server based on the nodes still within the network when the previous DHCP server drops from the network? Thanks, -tdev

3 3

[syzbot] INFO: task hung in __xfs_buf_submit (2)
by syzbot 25 Aug '21

25 Aug '21

Hello, syzbot found the following issue on: HEAD commit: 6e764bcd1cf7 Merge tag 'for-linus' of git://git.kernel.org.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=10504885300000 kernel config: https://syzkaller.appspot.com/x/.config?x=2fd902af77ff1e56 dashboard link: https://syzkaller.appspot.com/bug?extid=4bb1622c9a583bb6f9f2 compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14427606300000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=149b3cce300000 The issue was bisected to: commit 887e975c4172d0d5670c39ead2f18ba1e4ec8133 Author: Mike Christie <mchristi(a)redhat.com> Date: Tue Aug 13 16:39:51 2019 +0000 nbd: add missing config put bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11980ad5300000 final oops: https://syzkaller.appspot.com/x/report.txt?x=13980ad5300000 console output: https://syzkaller.appspot.com/x/log.txt?x=15980ad5300000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+4bb1622c9a583bb6f9f2(a)syzkaller.appspotmail.com Fixes: 887e975c4172 ("nbd: add missing config put") INFO: task syz-executor519:8442 blocked for more than 143 seconds. Not tainted 5.14.0-rc7-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor519 state:D stack:22808 pid: 8442 ppid: 8441 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:4681 [inline] __schedule+0xc07/0x11f0 kernel/sched/core.c:5938 schedule+0x14b/0x210 kernel/sched/core.c:6017 schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857 do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85 __wait_for_common kernel/sched/completion.c:106 [inline] wait_for_common kernel/sched/completion.c:117 [inline] wait_for_completion+0x48/0x60 kernel/sched/completion.c:138 xfs_buf_iowait fs/xfs/xfs_buf.c:1571 [inline] __xfs_buf_submit+0x39d/0x6d0 fs/xfs/xfs_buf.c:1636 xfs_buf_submit fs/xfs/xfs_buf.c:58 [inline] xfs_buf_read_uncached+0x1fa/0x390 fs/xfs/xfs_buf.c:884 xfs_readsb+0x1dc/0x670 fs/xfs/xfs_mount.c:178 xfs_fs_fill_super+0x483/0x1780 fs/xfs/xfs_super.c:1428 get_tree_bdev+0x406/0x630 fs/super.c:1293 vfs_get_tree+0x86/0x270 fs/super.c:1498 do_new_mount fs/namespace.c:2923 [inline] path_mount+0x1981/0x2c10 fs/namespace.c:3253 do_mount fs/namespace.c:3266 [inline] __do_sys_mount fs/namespace.c:3474 [inline] __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3451 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x444239 RSP: 002b:00007ffd4feb56f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000444239 RDX: 0000000020000140 RSI: 0000000020000000 RDI: 00000000200000c0 RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffd4feb5898 R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000403550 R13: 431bde82d7b634db R14: 00000000004b2018 R15: 00000000004004a0 Showing all locks held in the system: 1 lock held by khungtaskd/1644: #0: ffffffff8c717ec0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30 arch/x86/pci/mmconfig_64.c:151 2 locks held by in:imklog/8141: #0: ffff888023be8870 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x24e/0x2f0 fs/file.c:974 #1: ffffffff8c717ec0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:266 1 lock held by syz-executor519/8442: #0: ffff888030e060e0 (&type->s_umount_key#49/1){+.+.}-{3:3}, at: alloc_super+0x1c8/0x860 fs/super.c:229 ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 1644 Comm: khungtaskd Not tainted 5.14.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1d3/0x29f lib/dump_stack.c:105 nmi_cpu_backtrace+0x16c/0x190 lib/nmi_backtrace.c:105 nmi_trigger_cpumask_backtrace+0x191/0x2f0 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:210 [inline] watchdog+0xd06/0xd50 kernel/hung_task.c:295 kthread+0x453/0x480 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 4862 Comm: systemd-journal Not tainted 5.14.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:check_wait_context kernel/locking/lockdep.c:4688 [inline] RIP: 0010:__lock_acquire+0x5fc/0x6100 kernel/locking/lockdep.c:4965 Code: 00 fc ff df 4c 8b 7c 24 58 4c 8b 64 24 50 48 81 c3 b8 00 00 00 48 89 d8 48 c1 e8 03 8a 04 10 84 c0 0f 85 c1 25 00 00 44 8a 33 <48> 8b 44 24 60 8a 04 10 84 c0 0f 85 d2 25 00 00 41 8b 1c 24 81 e3 RSP: 0018:ffffc9000162f940 EFLAGS: 00000046 RAX: 1ffffffff1f10400 RBX: ffffffff8f882478 RCX: ffffffff816219b8 RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffffff8faf3dd0 RBP: ffffc9000162fcd0 R08: dffffc0000000000 R09: fffffbfff1f5e7bb R10: fffffbfff1f5e7bb R11: 0000000000000000 R12: ffff888015bc5ed0 R13: ffff888015bc5eb8 R14: 00000000000c0000 R15: ffff888015bc54c0 FS: 00007f6e3c3a48c0(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6e39776000 CR3: 00000000213b3000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: lock_acquire+0x182/0x4a0 kernel/locking/lockdep.c:5625 do_write_seqcount_begin_nested include/linux/seqlock.h:520 [inline] do_write_seqcount_begin include/linux/seqlock.h:545 [inline] vtime_user_exit+0xb9/0x3e0 kernel/sched/cputime.c:719 __context_tracking_exit+0x7a/0xd0 kernel/context_tracking.c:160 user_exit_irqoff include/linux/context_tracking.h:47 [inline] __enter_from_user_mode kernel/entry/common.c:22 [inline] syscall_enter_from_user_mode+0x199/0x1b0 kernel/entry/common.c:104 do_syscall_64+0x1e/0xb0 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f6e3b65f9c7 Code: 83 c4 08 48 3d 01 f0 ff ff 73 01 c3 48 8b 0d c8 d4 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 15 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 d4 2b 00 f7 d8 64 89 01 48 RSP: 002b:00007ffebb868098 EFLAGS: 00000246 ORIG_RAX: 0000000000000015 RAX: ffffffffffffffda RBX: 00007ffebb86b0c0 RCX: 00007f6e3b65f9c7 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055c77e4df9a3 RBP: 00007ffebb8681e0 R08: 000055c77e4d53e5 R09: 0000000000000018 R10: 0000000000000069 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 000055c77fce98a0 R15: 00007ffebb8686d0 ---------------- Code disassembly (best guess), 3 bytes skipped: 0: df 4c 8b 7c fisttps 0x7c(%rbx,%rcx,4) 4: 24 58 and $0x58,%al 6: 4c 8b 64 24 50 mov 0x50(%rsp),%r12 b: 48 81 c3 b8 00 00 00 add $0xb8,%rbx 12: 48 89 d8 mov %rbx,%rax 15: 48 c1 e8 03 shr $0x3,%rax 19: 8a 04 10 mov (%rax,%rdx,1),%al 1c: 84 c0 test %al,%al 1e: 0f 85 c1 25 00 00 jne 0x25e5 24: 44 8a 33 mov (%rbx),%r14b * 27: 48 8b 44 24 60 mov 0x60(%rsp),%rax <-- trapping instruction 2c: 8a 04 10 mov (%rax,%rdx,1),%al 2f: 84 c0 test %al,%al 31: 0f 85 d2 25 00 00 jne 0x2609 37: 41 8b 1c 24 mov (%r12),%ebx 3b: 81 .byte 0x81 3c: e3 .byte 0xe3 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller(a)googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. For information about bisection process see: https://goo.gl/tpsmEJ#bisection syzbot can test patches for this issue, for details see: https://goo.gl/tpsmEJ#testing-patches

2 1

Python script to setup batman networks
by Pranav Jerry 22 Aug '21

22 Aug '21

Hi! I have made a python script [1] to setup batman-adv networks using systemd-networkd. It requires iwd and systemd-networkd v248 or above. It starts an adhoc network on wlan0 (or any other wireless interface) and adds it to bat0. To allow non-mesh clients to connect to the mesh, if there are two WiFi adapters, the script starts an AP on one of the adapters. The script is supposed to be run as a systemd service, since it can ensure that the dependencies are started before it is run. The network is configured with systemd-networkd runtime configs (since it has not implemented configuration via D-Bus) and the iwd D-Bus API. All suggestions, criticism and contributions are welcome. [1]: https://git.disroot.org/pranav/naxalnet

1 0

[syzbot] KASAN: slab-out-of-bounds Write in ext4_write_inline_data_end
by syzbot 21 Aug '21

21 Aug '21

Hello, syzbot found the following issue on: HEAD commit: 614cb2751d31 Merge tag 'trace-v5.14-rc6' of git://git.kern.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=130112c5300000 kernel config: https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f dashboard link: https://syzkaller.appspot.com/bug?extid=13146364637c7363a7de compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=104d7cc5300000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1333ce0e300000 The issue was bisected to: commit a154d5d83d21af6b9ee32adc5dbcea5ac1fb534c Author: Arnd Bergmann <arnd(a)arndb.de> Date: Mon Mar 4 20:38:03 2019 +0000 net: ignore sysctl_devconf_inherit_init_net without SYSCTL bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13f970b6300000 final oops: https://syzkaller.appspot.com/x/report.txt?x=100570b6300000 console output: https://syzkaller.appspot.com/x/log.txt?x=17f970b6300000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+13146364637c7363a7de(a)syzkaller.appspotmail.com Fixes: a154d5d83d21 ("net: ignore sysctl_devconf_inherit_init_net without SYSCTL") ================================================================== BUG: KASAN: slab-out-of-bounds in ext4_write_inline_data fs/ext4/inline.c:245 [inline] BUG: KASAN: slab-out-of-bounds in ext4_write_inline_data_end+0x4d4/0x960 fs/ext4/inline.c:754 Write of size 70 at addr ffff8880195444ef by task syz-executor279/8426 CPU: 0 PID: 8426 Comm: syz-executor279 Not tainted 5.14.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105 print_address_description+0x66/0x3b0 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report+0x163/0x210 mm/kasan/report.c:436 check_region_inline mm/kasan/generic.c:135 [inline] kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189 memcpy+0x3c/0x60 mm/kasan/shadow.c:66 ext4_write_inline_data fs/ext4/inline.c:245 [inline] ext4_write_inline_data_end+0x4d4/0x960 fs/ext4/inline.c:754 ext4_write_end+0x1ff/0xbd0 fs/ext4/inode.c:1290 generic_perform_write+0x361/0x580 mm/filemap.c:3667 ext4_buffered_write_iter+0x41c/0x590 fs/ext4/file.c:269 ext4_file_write_iter+0x8f7/0x1b90 fs/ext4/file.c:519 call_write_iter include/linux/fs.h:2114 [inline] new_sync_write fs/read_write.c:518 [inline] vfs_write+0xa39/0xc90 fs/read_write.c:605 ksys_write+0x171/0x2a0 fs/read_write.c:658 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x44ac89 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ff12e8852f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00000000004ce4d0 RCX: 000000000044ac89 RDX: 0000000000000082 RSI: 0000000020000180 RDI: 0000000000000006 RBP: 000000000049de98 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e R13: 024645fc87234f45 R14: 26e1d8b70aefbc5b R15: 00000000004ce4d8 Allocated by task 1: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x96/0xd0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:2959 [inline] slab_alloc mm/slub.c:2967 [inline] kmem_cache_alloc+0x1d1/0x340 mm/slub.c:2972 kmem_cache_zalloc include/linux/slab.h:711 [inline] acpi_os_acquire_object include/acpi/platform/aclinuxex.h:67 [inline] acpi_ut_allocate_object_desc_dbg+0xd8/0x165 drivers/acpi/acpica/utobject.c:359 acpi_ut_create_internal_object_dbg+0x21/0x195 drivers/acpi/acpica/utobject.c:69 acpi_ds_build_internal_object+0x15f/0x732 drivers/acpi/acpica/dsobject.c:94 acpi_ds_create_node+0xe9/0x1a8 drivers/acpi/acpica/dsobject.c:281 acpi_ds_load2_end_op+0x7d0/0xebc drivers/acpi/acpica/dswload2.c:618 acpi_ds_exec_end_op+0x6ce/0x11d4 drivers/acpi/acpica/dswexec.c:637 acpi_ps_parse_loop+0xd9f/0x1cf0 drivers/acpi/acpica/psloop.c:525 acpi_ps_parse_aml+0x1d5/0x955 drivers/acpi/acpica/psparse.c:475 acpi_ps_execute_table+0x317/0x3ef drivers/acpi/acpica/psxface.c:295 acpi_ns_execute_table+0x436/0x5bf drivers/acpi/acpica/nsparse.c:116 acpi_ns_load_table+0x5e/0x120 drivers/acpi/acpica/nsload.c:71 acpi_tb_load_namespace+0x456/0x6b9 drivers/acpi/acpica/tbxfload.c:186 acpi_load_tables+0x45/0xf5 drivers/acpi/acpica/tbxfload.c:59 acpi_bus_init+0x9a/0x993 drivers/acpi/bus.c:1213 acpi_init+0x8c/0x22c drivers/acpi/bus.c:1324 do_one_initcall+0x197/0x3f0 init/main.c:1287 do_initcall_level+0x14a/0x1f5 init/main.c:1360 do_initcalls+0x4b/0x8c init/main.c:1376 kernel_init_freeable+0x3f1/0x57e init/main.c:1598 kernel_init+0x19/0x2a0 init/main.c:1490 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the object at ffff8880195444e0 which belongs to the cache Acpi-Operand of size 72 The buggy address is located 15 bytes inside of 72-byte region [ffff8880195444e0, ffff888019544528) The buggy address belongs to the page: page:ffffea0000655100 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888019544068 pfn:0x19544 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0000654f88 ffffea0000654e08 ffff8880110c2b40 raw: ffff888019544068 000000000027001d 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 3012488798, free_ts 0 prep_new_page mm/page_alloc.c:2436 [inline] get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391 alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2119 alloc_slab_page mm/slub.c:1691 [inline] allocate_slab+0xf1/0x540 mm/slub.c:1831 new_slab mm/slub.c:1894 [inline] new_slab_objects mm/slub.c:2640 [inline] ___slab_alloc+0x1cf/0x350 mm/slub.c:2803 __slab_alloc mm/slub.c:2843 [inline] slab_alloc_node mm/slub.c:2925 [inline] slab_alloc mm/slub.c:2967 [inline] kmem_cache_alloc+0x299/0x340 mm/slub.c:2972 kmem_cache_zalloc include/linux/slab.h:711 [inline] acpi_os_acquire_object include/acpi/platform/aclinuxex.h:67 [inline] acpi_ut_allocate_object_desc_dbg+0xd8/0x165 drivers/acpi/acpica/utobject.c:359 acpi_ut_create_internal_object_dbg+0x21/0x195 drivers/acpi/acpica/utobject.c:69 acpi_ds_build_internal_object+0x15f/0x732 drivers/acpi/acpica/dsobject.c:94 acpi_ds_create_node+0xe9/0x1a8 drivers/acpi/acpica/dsobject.c:281 acpi_ds_load2_end_op+0x7d0/0xebc drivers/acpi/acpica/dswload2.c:618 acpi_ds_exec_end_op+0x6ce/0x11d4 drivers/acpi/acpica/dswexec.c:637 acpi_ps_parse_loop+0xd9f/0x1cf0 drivers/acpi/acpica/psloop.c:525 acpi_ps_parse_aml+0x1d5/0x955 drivers/acpi/acpica/psparse.c:475 acpi_ps_execute_table+0x317/0x3ef drivers/acpi/acpica/psxface.c:295 acpi_ns_execute_table+0x436/0x5bf drivers/acpi/acpica/nsparse.c:116 page_owner free stack trace missing Memory state around the buggy address: ffff888019544400: fc fc 00 00 00 00 00 00 00 00 00 fc fc fc fc 00 ffff888019544480: 00 00 00 00 00 00 00 00 fc fc fc fc 00 00 00 00 >ffff888019544500: 00 00 00 00 00 fc fc fc fc fb fb fb fb fb fb fb ^ ffff888019544580: fb fb fc fc fc fc 00 00 00 00 00 00 00 00 00 fc ffff888019544600: fc fc fc 00 00 00 00 00 00 00 00 00 fc fc fc fc ================================================================== ---------------- Code disassembly (best guess), 1 bytes skipped: 0: ff c3 inc %ebx 2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 9: 00 00 00 c: 0f 1f 40 00 nopl 0x0(%rax) 10: 48 89 f8 mov %rdi,%rax 13: 48 89 f7 mov %rsi,%rdi 16: 48 89 d6 mov %rdx,%rsi 19: 48 89 ca mov %rcx,%rdx 1c: 4d 89 c2 mov %r8,%r10 1f: 4d 89 c8 mov %r9,%r8 22: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9 27: 0f 05 syscall 29: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 2f: 73 01 jae 0x32 31: c3 retq 32: 48 c7 c1 b8 ff ff ff mov $0xffffffffffffffb8,%rcx 39: f7 d8 neg %eax 3b: 64 89 01 mov %eax,%fs:(%rcx) 3e: 48 rex.W --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller(a)googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. For information about bisection process see: https://goo.gl/tpsmEJ#bisection syzbot can test patches for this issue, for details see: https://goo.gl/tpsmEJ#testing-patches

2 1

[PATCH 0/6] (updated) pull request for net-next: batman-adv 2021-08-20
by Simon Wunderlich 20 Aug '21

20 Aug '21

Hi Jakub, here is the updated pull request of batman-adv, with the missing sign-off added which you pointed out yesterday. Please pull or let me know of any problem! Thank you, Simon The following changes since commit b37a466837393af72fe8bcb8f1436410f3f173f3: netdevice: add the case if dev is NULL (2021-08-05 13:29:26 +0100) are available in the Git repository at: git://git.open-mesh.org/linux-merge.git tags/batadv-next-pullrequest-20210820 for you to fetch changes up to a006aa51ea27fa64afc7990f8f100ff0baa92413: batman-adv: bcast: remove remaining skb-copy calls (2021-08-20 08:17:10 +0200) ---------------------------------------------------------------- This (updated) cleanup patchset includes the following patches: - bump version strings, by Simon Wunderlich - update docs about move IRC channel away from freenode, by Sven Eckelmann (updated, added missing sign-off) - Switch to kstrtox.h for kstrtou64, by Sven Eckelmann - Update NULL checks, by Sven Eckelmann (2 patches) - remove remaining skb-copy calls for broadcast packets, by Linus Lüssing ---------------------------------------------------------------- Linus Lüssing (1): batman-adv: bcast: remove remaining skb-copy calls Simon Wunderlich (1): batman-adv: Start new development cycle Sven Eckelmann (4): batman-adv: Move IRC channel to hackint.org batman-adv: Switch to kstrtox.h for kstrtou64 batman-adv: Check ptr for NULL before reducing its refcnt batman-adv: Drop NULL check before dropping references Documentation/networking/batman-adv.rst | 2 +- MAINTAINERS | 2 +- net/batman-adv/bat_iv_ogm.c | 75 ++++++++--------------- net/batman-adv/bat_v.c | 30 ++++------ net/batman-adv/bat_v_elp.c | 9 +-- net/batman-adv/bat_v_ogm.c | 39 ++++-------- net/batman-adv/bridge_loop_avoidance.c | 33 +++++------ net/batman-adv/distributed-arp-table.c | 24 ++++---- net/batman-adv/fragmentation.c | 6 +- net/batman-adv/gateway_client.c | 57 +++++------------- net/batman-adv/gateway_client.h | 16 ++++- net/batman-adv/gateway_common.c | 2 +- net/batman-adv/hard-interface.c | 21 +++---- net/batman-adv/hard-interface.h | 3 + net/batman-adv/main.h | 2 +- net/batman-adv/multicast.c | 2 +- net/batman-adv/netlink.c | 6 +- net/batman-adv/network-coding.c | 24 ++++---- net/batman-adv/originator.c | 102 +++++--------------------------- net/batman-adv/originator.h | 96 +++++++++++++++++++++++++++--- net/batman-adv/routing.c | 39 ++++-------- net/batman-adv/send.c | 33 ++++++----- net/batman-adv/soft-interface.c | 27 ++------- net/batman-adv/soft-interface.h | 16 ++++- net/batman-adv/tp_meter.c | 27 ++++----- net/batman-adv/translation-table.c | 100 +++++++++++-------------------- net/batman-adv/translation-table.h | 18 +++++- net/batman-adv/tvlv.c | 9 ++- 28 files changed, 364 insertions(+), 456 deletions(-)

2 7

[PATCH 0/6] pull request for net-next: batman-adv 2021-08-19
by Simon Wunderlich 19 Aug '21

19 Aug '21

Hi Jakub, hi David, here is a little cleanup pull request of batman-adv to go into net-next. Please pull or let me know of any problem! Thank you, Simon The following changes since commit b37a466837393af72fe8bcb8f1436410f3f173f3: netdevice: add the case if dev is NULL (2021-08-05 13:29:26 +0100) are available in the Git repository at: git://git.open-mesh.org/linux-merge.git tags/batadv-next-pullrequest-20210819 for you to fetch changes up to 808cfdfad57999c85f9ab13499a38d136d032232: batman-adv: bcast: remove remaining skb-copy calls (2021-08-18 18:39:00 +0200) ---------------------------------------------------------------- This cleanup patchset includes the following patches: - bump version strings, by Simon Wunderlich - update docs about move IRC channel away from freenode, by Sven Eckelmann - Switch to kstrtox.h for kstrtou64, by Sven Eckelmann - Update NULL checks, by Sven Eckelmann (2 patches) - remove remaining skb-copy calls for broadcast packets, by Linus Lüssing ---------------------------------------------------------------- Linus Lüssing (1): batman-adv: bcast: remove remaining skb-copy calls Simon Wunderlich (1): batman-adv: Start new development cycle Sven Eckelmann (4): batman-adv: Move IRC channel to hackint.org batman-adv: Switch to kstrtox.h for kstrtou64 batman-adv: Check ptr for NULL before reducing its refcnt batman-adv: Drop NULL check before dropping references Documentation/networking/batman-adv.rst | 2 +- MAINTAINERS | 2 +- net/batman-adv/bat_iv_ogm.c | 75 ++++++++--------------- net/batman-adv/bat_v.c | 30 ++++------ net/batman-adv/bat_v_elp.c | 9 +-- net/batman-adv/bat_v_ogm.c | 39 ++++-------- net/batman-adv/bridge_loop_avoidance.c | 33 +++++------ net/batman-adv/distributed-arp-table.c | 24 ++++---- net/batman-adv/fragmentation.c | 6 +- net/batman-adv/gateway_client.c | 57 +++++------------- net/batman-adv/gateway_client.h | 16 ++++- net/batman-adv/gateway_common.c | 2 +- net/batman-adv/hard-interface.c | 21 +++---- net/batman-adv/hard-interface.h | 3 + net/batman-adv/main.h | 2 +- net/batman-adv/multicast.c | 2 +- net/batman-adv/netlink.c | 6 +- net/batman-adv/network-coding.c | 24 ++++---- net/batman-adv/originator.c | 102 +++++--------------------------- net/batman-adv/originator.h | 96 +++++++++++++++++++++++++++--- net/batman-adv/routing.c | 39 ++++-------- net/batman-adv/send.c | 33 ++++++----- net/batman-adv/soft-interface.c | 27 ++------- net/batman-adv/soft-interface.h | 16 ++++- net/batman-adv/tp_meter.c | 27 ++++----- net/batman-adv/translation-table.c | 100 +++++++++++-------------------- net/batman-adv/translation-table.h | 18 +++++- net/batman-adv/tvlv.c | 9 ++- 28 files changed, 364 insertions(+), 456 deletions(-)

2 7

[PATCH v4] batman-adv: bcast: remove remaining skb-copy calls
by Sven Eckelmann 18 Aug '21

18 Aug '21

From: Linus Lüssing <linus.luessing(a)c0d3.blue> We currently have two code paths for broadcast packets: A) self-generated, via batadv_interface_tx()-> batadv_send_bcast_packet(). B) received/forwarded, via batadv_recv_bcast_packet()-> batadv_forw_bcast_packet(). For A), self-generated broadcast packets: the only modifications to the skb data is the ethernet header which is added/pushed to the skb in batadv_send_broadcast_skb()->batadv_send_skb_packet(). However before doing so, batadv_skb_head_push() is called which calls skb_cow_head() to unshare the space for the to be pushed ethernet header. So for this case, it is safe to use skb clones. For B), received/forwarded packets: the same applies as in A) for the to be forwarded packets. Only the ethernet header is added. However after (queueing for) forwarding the packet in batadv_recv_bcast_packet()->batadv_forw_bcast_packet(), a packet is additionally decapsulated and is sent up the stack through batadv_recv_bcast_packet()->batadv_interface_rx(). Protocols higher up the stack are already required to check if the packet is shared and create a copy for further modifications. When the next (protocol) layer works correctly, it cannot happen that ot tries to operate on the data behind the skb clone which is still queued up for forwarding. Signed-off-by: Linus Lüssing <linus.luessing(a)c0d3.blue> Co-authored-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Sven Eckelmann <sven(a)narfation.org> --- v3: * newly added this patch, to move skb_copy()->skb_clone() changes from PATCH 01/03 to a separate patch with its own explanation v4: * dropped skb_cow call in __batadv_forw_bcast_packet and adjusted the text for B) to explain the reasoning behind it net/batman-adv/send.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c index 0b9dd29d..b1cb9eb3 100644 --- a/net/batman-adv/send.c +++ b/net/batman-adv/send.c @@ -748,6 +748,10 @@ void batadv_forw_packet_ogmv1_queue(struct batadv_priv *bat_priv, * Adds a broadcast packet to the queue and sets up timers. Broadcast packets * are sent multiple times to increase probability for being received. * + * This call clones the given skb, hence the caller needs to take into + * account that the data segment of the original skb might not be + * modifiable anymore. + * * Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors. */ static int batadv_forw_bcast_packet_to_list(struct batadv_priv *bat_priv, @@ -761,7 +765,7 @@ static int batadv_forw_bcast_packet_to_list(struct batadv_priv *bat_priv, unsigned long send_time = jiffies; struct sk_buff *newskb; - newskb = skb_copy(skb, GFP_ATOMIC); + newskb = skb_clone(skb, GFP_ATOMIC); if (!newskb) goto err; @@ -800,6 +804,10 @@ static int batadv_forw_bcast_packet_to_list(struct batadv_priv *bat_priv, * or if a delay is given after that. Furthermore, queues additional * retransmissions if this interface is a wireless one. * + * This call clones the given skb, hence the caller needs to take into + * account that the data segment of the original skb might not be + * modifiable anymore. + * * Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors. */ static int batadv_forw_bcast_packet_if(struct batadv_priv *bat_priv, @@ -814,7 +822,7 @@ static int batadv_forw_bcast_packet_if(struct batadv_priv *bat_priv, int ret = NETDEV_TX_OK; if (!delay) { - newskb = skb_copy(skb, GFP_ATOMIC); + newskb = skb_clone(skb, GFP_ATOMIC); if (!newskb) return NETDEV_TX_BUSY; -- 2.30.2

1 0

[PATCH v3 1/3] batman-adv: bcast: queue per interface, if needed
by Linus Lüssing 17 Aug '21

17 Aug '21

Currently we schedule a broadcast packet like: 3x: [ [(re-)queue] --> for(hard-if): maybe-transmit ] The intention of queueing a broadcast packet multiple times is to increase robustness for wireless interfaces. However on interfaces which we only broadcast on once the queueing induces an unnecessary penalty. This patch restructures the queueing to be performed on a per interface basis: for(hard-if): - transmit - if wireless: [queue] --> transmit --> [requeue] --> transmit Next to the performance benefits on non-wireless interfaces this should also make it easier to apply alternative strategies for transmissions on wireless interfaces in the future (for instance sending via unicast transmissions on wireless interfaces, without queueing in batman-adv, if appropriate). Signed-off-by: Linus Lüssing <linus.luessing(a)c0d3.blue> --- Changelog v3: * changed all skb_clone() calls to skb_copy(), to move the skb_copy()->skb_clone() changes to extra commits with their own explanation Changelog v2: * fixed spelling of "unnecessary" in commit message (thanks Sven) * removed now superflous kerneldoc for hard_iface in batadv_forw_packet_bcasts_left() (thanks Sven) * removed delay check for queued (re)broadcasts in batadv_forw_bcast_packet_if(): the only case where a delay is set for this function is for a delayed, DAT fallback ARP Request from this node, then however num_bcasts will be >=1, too, and the fallback ARP Request will be scheduled anyway --- net/batman-adv/main.h | 1 - net/batman-adv/routing.c | 9 +- net/batman-adv/send.c | 374 +++++++++++++++++++++----------- net/batman-adv/send.h | 12 +- net/batman-adv/soft-interface.c | 12 +- 5 files changed, 270 insertions(+), 138 deletions(-) diff --git a/net/batman-adv/main.h b/net/batman-adv/main.h index 8f0102b7..baa9fcbe 100644 --- a/net/batman-adv/main.h +++ b/net/batman-adv/main.h @@ -88,7 +88,6 @@ /* number of packets to send for broadcasts on different interface types */ #define BATADV_NUM_BCASTS_DEFAULT 1 #define BATADV_NUM_BCASTS_WIRELESS 3 -#define BATADV_NUM_BCASTS_MAX 3 /* length of the single packet used by the TP meter */ #define BATADV_TP_PACKET_LEN ETH_DATA_LEN diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c index 40f5cffd..bb9e93e3 100644 --- a/net/batman-adv/routing.c +++ b/net/batman-adv/routing.c @@ -1182,9 +1182,9 @@ int batadv_recv_bcast_packet(struct sk_buff *skb, struct batadv_bcast_packet *bcast_packet; struct ethhdr *ethhdr; int hdr_size = sizeof(*bcast_packet); - int ret = NET_RX_DROP; s32 seq_diff; u32 seqno; + int ret; /* drop packet if it has not necessary minimum size */ if (unlikely(!pskb_may_pull(skb, hdr_size))) @@ -1210,7 +1210,7 @@ int batadv_recv_bcast_packet(struct sk_buff *skb, if (batadv_is_my_mac(bat_priv, bcast_packet->orig)) goto free_skb; - if (bcast_packet->ttl < 2) + if (bcast_packet->ttl-- < 2) goto free_skb; orig_node = batadv_orig_hash_find(bat_priv, bcast_packet->orig); @@ -1249,7 +1249,9 @@ int batadv_recv_bcast_packet(struct sk_buff *skb, batadv_skb_set_priority(skb, sizeof(struct batadv_bcast_packet)); /* rebroadcast packet */ - batadv_add_bcast_packet_to_list(bat_priv, skb, 1, false); + ret = batadv_forw_bcast_packet(bat_priv, skb, 0, false); + if (ret == NETDEV_TX_BUSY) + goto free_skb; /* don't hand the broadcast up if it is from an originator * from the same backbone. @@ -1275,6 +1277,7 @@ int batadv_recv_bcast_packet(struct sk_buff *skb, spin_unlock_bh(&orig_node->bcast_seqno_lock); free_skb: kfree_skb(skb); + ret = NET_RX_DROP; out: if (orig_node) batadv_orig_node_put(orig_node); diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c index 157abe92..07b0ba26 100644 --- a/net/batman-adv/send.c +++ b/net/batman-adv/send.c @@ -737,57 +737,48 @@ void batadv_forw_packet_ogmv1_queue(struct batadv_priv *bat_priv, } /** - * batadv_add_bcast_packet_to_list() - queue broadcast packet for multiple sends + * batadv_forw_bcast_packet_to_list() - queue broadcast packet for transmissions * @bat_priv: the bat priv with all the soft interface information * @skb: broadcast packet to add * @delay: number of jiffies to wait before sending * @own_packet: true if it is a self-generated broadcast packet + * @if_in: the interface where the packet was received on + * @if_out: the outgoing interface to queue on * - * add a broadcast packet to the queue and setup timers. broadcast packets + * Adds a broadcast packet to the queue and sets up timers. Broadcast packets * are sent multiple times to increase probability for being received. * - * The skb is not consumed, so the caller should make sure that the - * skb is freed. - * * Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors. */ -int batadv_add_bcast_packet_to_list(struct batadv_priv *bat_priv, - const struct sk_buff *skb, - unsigned long delay, - bool own_packet) +static int batadv_forw_bcast_packet_to_list(struct batadv_priv *bat_priv, + struct sk_buff *skb, + unsigned long delay, + bool own_packet, + struct batadv_hard_iface *if_in, + struct batadv_hard_iface *if_out) { - struct batadv_hard_iface *primary_if; struct batadv_forw_packet *forw_packet; - struct batadv_bcast_packet *bcast_packet; + unsigned long send_time = jiffies; struct sk_buff *newskb; - primary_if = batadv_primary_if_get_selected(bat_priv); - if (!primary_if) - goto err; - newskb = skb_copy(skb, GFP_ATOMIC); - if (!newskb) { - batadv_hardif_put(primary_if); + if (!newskb) goto err; - } - forw_packet = batadv_forw_packet_alloc(primary_if, NULL, + forw_packet = batadv_forw_packet_alloc(if_in, if_out, &bat_priv->bcast_queue_left, bat_priv, newskb); - batadv_hardif_put(primary_if); if (!forw_packet) goto err_packet_free; - /* as we have a copy now, it is safe to decrease the TTL */ - bcast_packet = (struct batadv_bcast_packet *)newskb->data; - bcast_packet->ttl--; - forw_packet->own = own_packet; INIT_DELAYED_WORK(&forw_packet->delayed_work, batadv_send_outstanding_bcast_packet); - batadv_forw_packet_bcast_queue(bat_priv, forw_packet, jiffies + delay); + send_time += delay ? delay : msecs_to_jiffies(5); + + batadv_forw_packet_bcast_queue(bat_priv, forw_packet, send_time); return NETDEV_TX_OK; err_packet_free: @@ -796,10 +787,220 @@ int batadv_add_bcast_packet_to_list(struct batadv_priv *bat_priv, return NETDEV_TX_BUSY; } +/** + * batadv_forw_bcast_packet_if() - forward and queue a broadcast packet + * @bat_priv: the bat priv with all the soft interface information + * @skb: broadcast packet to add + * @delay: number of jiffies to wait before sending + * @own_packet: true if it is a self-generated broadcast packet + * @if_in: the interface where the packet was received on + * @if_out: the outgoing interface to forward to + * + * Transmits a broadcast packet on the specified interface either immediately + * or if a delay is given after that. Furthermore, queues additional + * retransmissions if this interface is a wireless one. + * + * Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors. + */ +static int batadv_forw_bcast_packet_if(struct batadv_priv *bat_priv, + struct sk_buff *skb, + unsigned long delay, + bool own_packet, + struct batadv_hard_iface *if_in, + struct batadv_hard_iface *if_out) +{ + unsigned int num_bcasts = if_out->num_bcasts; + struct sk_buff *newskb; + int ret = NETDEV_TX_OK; + + if (!delay) { + newskb = skb_copy(skb, GFP_ATOMIC); + if (!newskb) + return NETDEV_TX_BUSY; + + batadv_send_broadcast_skb(newskb, if_out); + num_bcasts--; + } + + /* delayed broadcast or rebroadcasts? */ + if (num_bcasts >= 1) { + BATADV_SKB_CB(skb)->num_bcasts = num_bcasts; + + ret = batadv_forw_bcast_packet_to_list(bat_priv, skb, delay, + own_packet, if_in, + if_out); + } + + return ret; +} + +/** + * batadv_send_no_broadcast() - check whether (re)broadcast is necessary + * @bat_priv: the bat priv with all the soft interface information + * @skb: broadcast packet to check + * @own_packet: true if it is a self-generated broadcast packet + * @if_out: the outgoing interface checked and considered for (re)broadcast + * + * Return: False if a packet needs to be (re)broadcasted on the given interface, + * true otherwise. + */ +static bool batadv_send_no_broadcast(struct batadv_priv *bat_priv, + struct sk_buff *skb, bool own_packet, + struct batadv_hard_iface *if_out) +{ + struct batadv_hardif_neigh_node *neigh_node = NULL; + struct batadv_bcast_packet *bcast_packet; + u8 *orig_neigh; + u8 *neigh_addr; + char *type; + int ret; + + if (!own_packet) { + neigh_addr = eth_hdr(skb)->h_source; + neigh_node = batadv_hardif_neigh_get(if_out, + neigh_addr); + } + + bcast_packet = (struct batadv_bcast_packet *)skb->data; + orig_neigh = neigh_node ? neigh_node->orig : NULL; + + ret = batadv_hardif_no_broadcast(if_out, bcast_packet->orig, + orig_neigh); + + if (neigh_node) + batadv_hardif_neigh_put(neigh_node); + + /* ok, may broadcast */ + if (!ret) + return false; + + /* no broadcast */ + switch (ret) { + case BATADV_HARDIF_BCAST_NORECIPIENT: + type = "no neighbor"; + break; + case BATADV_HARDIF_BCAST_DUPFWD: + type = "single neighbor is source"; + break; + case BATADV_HARDIF_BCAST_DUPORIG: + type = "single neighbor is originator"; + break; + default: + type = "unknown"; + } + + batadv_dbg(BATADV_DBG_BATMAN, bat_priv, + "BCAST packet from orig %pM on %s suppressed: %s\n", + bcast_packet->orig, + if_out->net_dev->name, type); + + return true; +} + +/** + * __batadv_forw_bcast_packet() - forward and queue a broadcast packet + * @bat_priv: the bat priv with all the soft interface information + * @skb: broadcast packet to add + * @delay: number of jiffies to wait before sending + * @own_packet: true if it is a self-generated broadcast packet + * + * Transmits a broadcast packet either immediately or if a delay is given + * after that. Furthermore, queues additional retransmissions on wireless + * interfaces. + * + * This call clones the given skb, hence the caller needs to take into + * account that the data segment of the given skb might not be + * modifiable anymore. + * + * Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors. + */ +static int __batadv_forw_bcast_packet(struct batadv_priv *bat_priv, + struct sk_buff *skb, + unsigned long delay, + bool own_packet) +{ + struct batadv_hard_iface *hard_iface; + struct batadv_hard_iface *primary_if; + int ret = NETDEV_TX_OK; + + primary_if = batadv_primary_if_get_selected(bat_priv); + if (!primary_if) + return NETDEV_TX_BUSY; + + rcu_read_lock(); + list_for_each_entry_rcu(hard_iface, &batadv_hardif_list, list) { + if (hard_iface->soft_iface != bat_priv->soft_iface) + continue; + + if (!kref_get_unless_zero(&hard_iface->refcount)) + continue; + + if (batadv_send_no_broadcast(bat_priv, skb, own_packet, + hard_iface)) { + batadv_hardif_put(hard_iface); + continue; + } + + ret = batadv_forw_bcast_packet_if(bat_priv, skb, delay, + own_packet, primary_if, + hard_iface); + batadv_hardif_put(hard_iface); + + if (ret == NETDEV_TX_BUSY) + break; + } + rcu_read_unlock(); + + batadv_hardif_put(primary_if); + return ret; +} + +/** + * batadv_forw_bcast_packet() - forward and queue a broadcast packet + * @bat_priv: the bat priv with all the soft interface information + * @skb: broadcast packet to add + * @delay: number of jiffies to wait before sending + * @own_packet: true if it is a self-generated broadcast packet + * + * Transmits a broadcast packet either immediately or if a delay is given + * after that. Furthermore, queues additional retransmissions on wireless + * interfaces. + * + * Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors. + */ +int batadv_forw_bcast_packet(struct batadv_priv *bat_priv, + struct sk_buff *skb, + unsigned long delay, + bool own_packet) +{ + return __batadv_forw_bcast_packet(bat_priv, skb, delay, own_packet); +} + +/** + * batadv_send_bcast_packet() - send and queue a broadcast packet + * @bat_priv: the bat priv with all the soft interface information + * @skb: broadcast packet to add + * @delay: number of jiffies to wait before sending + * @own_packet: true if it is a self-generated broadcast packet + * + * Transmits a broadcast packet either immediately or if a delay is given + * after that. Furthermore, queues additional retransmissions on wireless + * interfaces. + * + * Consumes the provided skb. + */ +void batadv_send_bcast_packet(struct batadv_priv *bat_priv, + struct sk_buff *skb, + unsigned long delay, + bool own_packet) +{ + __batadv_forw_bcast_packet(bat_priv, skb, delay, own_packet); + consume_skb(skb); +} + /** * batadv_forw_packet_bcasts_left() - check if a retransmission is necessary * @forw_packet: the forwarding packet to check - * @hard_iface: the interface to check on * * Checks whether a given packet has any (re)transmissions left on the provided * interface. @@ -811,28 +1012,20 @@ int batadv_add_bcast_packet_to_list(struct batadv_priv *bat_priv, * Return: True if (re)transmissions are left, false otherwise. */ static bool -batadv_forw_packet_bcasts_left(struct batadv_forw_packet *forw_packet, - struct batadv_hard_iface *hard_iface) +batadv_forw_packet_bcasts_left(struct batadv_forw_packet *forw_packet) { - unsigned int max; - - if (hard_iface) - max = hard_iface->num_bcasts; - else - max = BATADV_NUM_BCASTS_MAX; - - return BATADV_SKB_CB(forw_packet->skb)->num_bcasts < max; + return BATADV_SKB_CB(forw_packet->skb)->num_bcasts; } /** - * batadv_forw_packet_bcasts_inc() - increment retransmission counter of a + * batadv_forw_packet_bcasts_dec() - decrement retransmission counter of a * packet - * @forw_packet: the packet to increase the counter for + * @forw_packet: the packet to decrease the counter for */ static void -batadv_forw_packet_bcasts_inc(struct batadv_forw_packet *forw_packet) +batadv_forw_packet_bcasts_dec(struct batadv_forw_packet *forw_packet) { - BATADV_SKB_CB(forw_packet->skb)->num_bcasts++; + BATADV_SKB_CB(forw_packet->skb)->num_bcasts--; } /** @@ -843,30 +1036,30 @@ batadv_forw_packet_bcasts_inc(struct batadv_forw_packet *forw_packet) */ bool batadv_forw_packet_is_rebroadcast(struct batadv_forw_packet *forw_packet) { - return BATADV_SKB_CB(forw_packet->skb)->num_bcasts > 0; + unsigned char num_bcasts = BATADV_SKB_CB(forw_packet->skb)->num_bcasts; + + return num_bcasts != forw_packet->if_outgoing->num_bcasts; } +/** + * batadv_send_outstanding_bcast_packet() - transmit a queued broadcast packet + * @work: work queue item + * + * Transmits a queued broadcast packet and if necessary reschedules it. + */ static void batadv_send_outstanding_bcast_packet(struct work_struct *work) { - struct batadv_hard_iface *hard_iface; - struct batadv_hardif_neigh_node *neigh_node; + unsigned long send_time = jiffies + msecs_to_jiffies(5); + struct batadv_forw_packet *forw_packet; struct delayed_work *delayed_work; - struct batadv_forw_packet *forw_packet; - struct batadv_bcast_packet *bcast_packet; + struct batadv_priv *bat_priv; struct sk_buff *skb1; - struct net_device *soft_iface; - struct batadv_priv *bat_priv; - unsigned long send_time = jiffies + msecs_to_jiffies(5); bool dropped = false; - u8 *neigh_addr; - u8 *orig_neigh; - int ret = 0; delayed_work = to_delayed_work(work); forw_packet = container_of(delayed_work, struct batadv_forw_packet, delayed_work); - soft_iface = forw_packet->if_incoming->soft_iface; - bat_priv = netdev_priv(soft_iface); + bat_priv = netdev_priv(forw_packet->if_incoming->soft_iface); if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_DEACTIVATING) { dropped = true; @@ -878,76 +1071,15 @@ static void batadv_send_outstanding_bcast_packet(struct work_struct *work) goto out; } - bcast_packet = (struct batadv_bcast_packet *)forw_packet->skb->data; + /* send a copy of the saved skb */ + skb1 = skb_copy(forw_packet->skb, GFP_ATOMIC); + if (!skb1) + goto out; - /* rebroadcast packet */ - rcu_read_lock(); - list_for_each_entry_rcu(hard_iface, &batadv_hardif_list, list) { - if (hard_iface->soft_iface != soft_iface) - continue; + batadv_send_broadcast_skb(skb1, forw_packet->if_outgoing); + batadv_forw_packet_bcasts_dec(forw_packet); - if (!batadv_forw_packet_bcasts_left(forw_packet, hard_iface)) - continue; - - if (forw_packet->own) { - neigh_node = NULL; - } else { - neigh_addr = eth_hdr(forw_packet->skb)->h_source; - neigh_node = batadv_hardif_neigh_get(hard_iface, - neigh_addr); - } - - orig_neigh = neigh_node ? neigh_node->orig : NULL; - - ret = batadv_hardif_no_broadcast(hard_iface, bcast_packet->orig, - orig_neigh); - - if (ret) { - char *type; - - switch (ret) { - case BATADV_HARDIF_BCAST_NORECIPIENT: - type = "no neighbor"; - break; - case BATADV_HARDIF_BCAST_DUPFWD: - type = "single neighbor is source"; - break; - case BATADV_HARDIF_BCAST_DUPORIG: - type = "single neighbor is originator"; - break; - default: - type = "unknown"; - } - - batadv_dbg(BATADV_DBG_BATMAN, bat_priv, "BCAST packet from orig %pM on %s suppressed: %s\n", - bcast_packet->orig, - hard_iface->net_dev->name, type); - - if (neigh_node) - batadv_hardif_neigh_put(neigh_node); - - continue; - } - - if (neigh_node) - batadv_hardif_neigh_put(neigh_node); - - if (!kref_get_unless_zero(&hard_iface->refcount)) - continue; - - /* send a copy of the saved skb */ - skb1 = skb_clone(forw_packet->skb, GFP_ATOMIC); - if (skb1) - batadv_send_broadcast_skb(skb1, hard_iface); - - batadv_hardif_put(hard_iface); - } - rcu_read_unlock(); - - batadv_forw_packet_bcasts_inc(forw_packet); - - /* if we still have some more bcasts to send */ - if (batadv_forw_packet_bcasts_left(forw_packet, NULL)) { + if (batadv_forw_packet_bcasts_left(forw_packet)) { batadv_forw_packet_bcast_queue(bat_priv, forw_packet, send_time); return; diff --git a/net/batman-adv/send.h b/net/batman-adv/send.h index 2b0daf8b..08af251b 100644 --- a/net/batman-adv/send.h +++ b/net/batman-adv/send.h @@ -39,10 +39,14 @@ int batadv_send_broadcast_skb(struct sk_buff *skb, struct batadv_hard_iface *hard_iface); int batadv_send_unicast_skb(struct sk_buff *skb, struct batadv_neigh_node *neigh_node); -int batadv_add_bcast_packet_to_list(struct batadv_priv *bat_priv, - const struct sk_buff *skb, - unsigned long delay, - bool own_packet); +int batadv_forw_bcast_packet(struct batadv_priv *bat_priv, + struct sk_buff *skb, + unsigned long delay, + bool own_packet); +void batadv_send_bcast_packet(struct batadv_priv *bat_priv, + struct sk_buff *skb, + unsigned long delay, + bool own_packet); void batadv_purge_outstanding_packets(struct batadv_priv *bat_priv, const struct batadv_hard_iface *hard_iface); diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c index 6b8181bc..a21884c0 100644 --- a/net/batman-adv/soft-interface.c +++ b/net/batman-adv/soft-interface.c @@ -191,7 +191,7 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb, struct vlan_ethhdr *vhdr; unsigned int header_len = 0; int data_len = skb->len, ret; - unsigned long brd_delay = 1; + unsigned long brd_delay = 0; bool do_bcast = false, client_added; unsigned short vid; u32 seqno; @@ -330,7 +330,7 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb, bcast_packet = (struct batadv_bcast_packet *)skb->data; bcast_packet->version = BATADV_COMPAT_VERSION; - bcast_packet->ttl = BATADV_TTL; + bcast_packet->ttl = BATADV_TTL - 1; /* batman packet type: broadcast */ bcast_packet->packet_type = BATADV_BCAST; @@ -346,13 +346,7 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb, seqno = atomic_inc_return(&bat_priv->bcast_seqno); bcast_packet->seqno = htonl(seqno); - batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay, true); - - /* a copy is stored in the bcast list, therefore removing - * the original skb. - */ - consume_skb(skb); - + batadv_send_bcast_packet(bat_priv, skb, brd_delay, true); /* unicast packet */ } else { /* DHCP packets going to a server will use the GW feature */ -- 2.31.0

2 4

[syzbot] WARNING in __v9fs_get_acl
by syzbot 17 Aug '21

17 Aug '21

Hello, syzbot found the following issue on: HEAD commit: 761c6d7ec820 Merge tag 'arc-5.14-rc6' of git://git.kernel... git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=11d87ca1300000 kernel config: https://syzkaller.appspot.com/x/.config?x=730106bfb5bf8ace dashboard link: https://syzkaller.appspot.com/bug?extid=56fdf7f6291d819b9b19 compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ca6029300000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13bf42a1300000 The issue was bisected to: commit 0ac1077e3a549bf8d35971613e2be05bdbb41a00 Author: Xin Long <lucien.xin(a)gmail.com> Date: Tue Oct 16 07:52:02 2018 +0000 sctp: get pr_assoc and pr_stream all status with SCTP_PR_SCTP_ALL instead bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16f311fa300000 final oops: https://syzkaller.appspot.com/x/report.txt?x=15f311fa300000 console output: https://syzkaller.appspot.com/x/log.txt?x=11f311fa300000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+56fdf7f6291d819b9b19(a)syzkaller.appspotmail.com Fixes: 0ac1077e3a54 ("sctp: get pr_assoc and pr_stream all status with SCTP_PR_SCTP_ALL instead") ------------[ cut here ]------------ WARNING: CPU: 1 PID: 8426 at mm/page_alloc.c:5366 __alloc_pages+0x588/0x5f0 mm/page_alloc.c:5413 Modules linked in: CPU: 1 PID: 8426 Comm: syz-executor477 Not tainted 5.14.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__alloc_pages+0x588/0x5f0 mm/page_alloc.c:5413 Code: 00 48 ba 00 00 00 00 00 fc ff df e9 5e fd ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 6d fd ff ff e8 bd 62 0a 00 e9 63 fd ff ff <0f> 0b 45 31 e4 e9 7a fd ff ff 48 8d 4c 24 50 80 e1 07 80 c1 03 38 RSP: 0018:ffffc90000fff9a0 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: 0000000000000014 RCX: 0000000000000000 RDX: 0000000000000028 RSI: 0000000000000000 RDI: ffffc90000fffa28 RBP: ffffc90000fffaa8 R08: dffffc0000000000 R09: ffffc90000fffa00 R10: fffff520001fff45 R11: 0000000000000000 R12: 0000000000040d40 R13: ffffc90000fffa00 R14: 1ffff920001fff3c R15: 1ffff920001fff38 FS: 000000000148e300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa1e9a97740 CR3: 000000003406e000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: kmalloc_order+0x41/0x170 mm/slab_common.c:955 kmalloc_order_trace+0x15/0x70 mm/slab_common.c:971 kmalloc_large include/linux/slab.h:520 [inline] __kmalloc+0x292/0x390 mm/slub.c:4101 kmalloc include/linux/slab.h:596 [inline] kzalloc include/linux/slab.h:721 [inline] __v9fs_get_acl+0x40/0x110 fs/9p/acl.c:36 v9fs_get_acl+0xa5/0x290 fs/9p/acl.c:71 v9fs_mount+0x6ea/0x870 fs/9p/vfs_super.c:182 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x86/0x270 fs/super.c:1498 do_new_mount fs/namespace.c:2919 [inline] path_mount+0x196f/0x2be0 fs/namespace.c:3249 do_mount fs/namespace.c:3262 [inline] __do_sys_mount fs/namespace.c:3470 [inline] __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3447 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x43f2e9 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffcc30ccf58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f2e9 RDX: 0000000020000200 RSI: 0000000020000000 RDI: 0000000000000000 RBP: 0000000000403040 R08: 0000000020004440 R09: 0000000000400488 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030d0 R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller(a)googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. For information about bisection process see: https://goo.gl/tpsmEJ#bisection syzbot can test patches for this issue, for details see: https://goo.gl/tpsmEJ#testing-patches

3 2

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

B.A.T.M.A.N August 2021