[PATCH net 00/12] net: iflink and link-netnsid fixes
by Sabrina Dubroca
In a lot of places, we use this kind of comparison to detect if a
device has a lower link:
dev->ifindex != dev_get_iflink(dev)
This seems to be a leftover of the pre-netns days, when the ifindex
was unique over the whole system. Nowadays, with network namespaces,
it's very easy to create a device with the same ifindex as its lower
link:
ip netns add main
ip netns add peer
ip -net main link add dummy0 type dummy
ip -net main link add link dummy0 macvlan0 netns peer type macvlan
ip -net main link show type dummy
9: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop ...
ip -net peer link show type macvlan
9: macvlan0@if9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop ...
To detect if a device has a lower link, we can simply check the
existence of the dev->netdev_ops->ndo_get_iflink operation, instead of
checking its return value. In particular, I attempted to fix one of
these checks in commit feadc4b6cf42 ("rtnetlink: always put IFLA_LINK
for links with a link-netnsid"), but this patch isn't correct, since
tunnel devices can export IFLA_LINK_NETNSID without IFLA_LINK. That
patch needs to be reverted.
This series will fix all those bogus comparisons, and export missing
IFLA_LINK_NETNSID attributes in bridge and ipv6 dumps.
ipvlan and geneve are also missing the get_link_net operation, so
userspace can't know when those device are cross-netns. There are a
couple of other device types that have an ndo_get_iflink op but no
get_link_net (virt_wifi, ipoib), and should probably also have a
get_link_net.
Sabrina Dubroca (12):
ipvlan: add get_link_net
geneve: add get_link_net
Revert "rtnetlink: always put IFLA_LINK for links with a link-netnsid"
rtnetlink: always put IFLA_LINK for links with ndo_get_iflink
bridge: always put IFLA_LINK for ports with ndo_get_iflink
bridge: advertise IFLA_LINK_NETNSID when dumping bridge ports
ipv6: always put IFLA_LINK for devices with ndo_get_iflink
ipv6: advertise IFLA_LINK_NETNSID when dumping ipv6 addresses
net: link_watch: fix operstate when the link has the same index as the
device
net: link_watch: fix detection of urgent events
batman-adv: fix iflink detection in batadv_is_on_batman_iface
batman-adv: fix detection of lower link in batadv_get_real_netdevice
drivers/net/can/vxcan.c | 2 +-
drivers/net/geneve.c | 8 ++++++++
drivers/net/ipvlan/ipvlan_main.c | 9 +++++++++
drivers/net/veth.c | 2 +-
include/net/rtnetlink.h | 4 ++++
net/batman-adv/hard-interface.c | 4 ++--
net/bridge/br_netlink.c | 4 +++-
net/core/link_watch.c | 4 ++--
net/core/rtnetlink.c | 25 ++++++++++++-------------
net/ipv6/addrconf.c | 11 ++++++++++-
10 files changed, 52 insertions(+), 21 deletions(-)
--
2.28.0
1 month, 2 weeks
Dynamic DHCP server assignment and spin-up on batman-adv mesh network
by tanner.perkins@cnftech.com
If this is not the best place to ask questions regarding mesh networks utilizing the batman-adv kernel module, I apologies and please point me to where I need to be.
I'm looking to set up distributed mesh network using the batman-adv Linux kernel module. However, I don't want to have to statically assign IP addresses to all my nodes therefore my first thought was to use DHCP. The problem arises in my scenario that any node could come and go in the mesh network as they move in and out range of the network. Therefore manually allocating a single or even a few DHCP servers isn't realistic as that DHCP server may drop out of the network at anytime. Is there a dynamic way to reassign the DHCP server based on the nodes still within the network when the previous DHCP server drops from the network?
Thanks,
-tdev
10 months
[syzbot] INFO: task hung in __xfs_buf_submit (2)
by syzbot
Hello,
syzbot found the following issue on:
HEAD commit: 6e764bcd1cf7 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10504885300000
kernel config: https://syzkaller.appspot.com/x/.config?x=2fd902af77ff1e56
dashboard link: https://syzkaller.appspot.com/bug?extid=4bb1622c9a583bb6f9f2
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14427606300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=149b3cce300000
The issue was bisected to:
commit 887e975c4172d0d5670c39ead2f18ba1e4ec8133
Author: Mike Christie <mchristi(a)redhat.com>
Date: Tue Aug 13 16:39:51 2019 +0000
nbd: add missing config put
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11980ad5300000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13980ad5300000
console output: https://syzkaller.appspot.com/x/log.txt?x=15980ad5300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4bb1622c9a583bb6f9f2(a)syzkaller.appspotmail.com
Fixes: 887e975c4172 ("nbd: add missing config put")
INFO: task syz-executor519:8442 blocked for more than 143 seconds.
Not tainted 5.14.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor519 state:D stack:22808 pid: 8442 ppid: 8441 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:4681 [inline]
__schedule+0xc07/0x11f0 kernel/sched/core.c:5938
schedule+0x14b/0x210 kernel/sched/core.c:6017
schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857
do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85
__wait_for_common kernel/sched/completion.c:106 [inline]
wait_for_common kernel/sched/completion.c:117 [inline]
wait_for_completion+0x48/0x60 kernel/sched/completion.c:138
xfs_buf_iowait fs/xfs/xfs_buf.c:1571 [inline]
__xfs_buf_submit+0x39d/0x6d0 fs/xfs/xfs_buf.c:1636
xfs_buf_submit fs/xfs/xfs_buf.c:58 [inline]
xfs_buf_read_uncached+0x1fa/0x390 fs/xfs/xfs_buf.c:884
xfs_readsb+0x1dc/0x670 fs/xfs/xfs_mount.c:178
xfs_fs_fill_super+0x483/0x1780 fs/xfs/xfs_super.c:1428
get_tree_bdev+0x406/0x630 fs/super.c:1293
vfs_get_tree+0x86/0x270 fs/super.c:1498
do_new_mount fs/namespace.c:2923 [inline]
path_mount+0x1981/0x2c10 fs/namespace.c:3253
do_mount fs/namespace.c:3266 [inline]
__do_sys_mount fs/namespace.c:3474 [inline]
__se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3451
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x444239
RSP: 002b:00007ffd4feb56f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000444239
RDX: 0000000020000140 RSI: 0000000020000000 RDI: 00000000200000c0
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffd4feb5898
R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000403550
R13: 431bde82d7b634db R14: 00000000004b2018 R15: 00000000004004a0
Showing all locks held in the system:
1 lock held by khungtaskd/1644:
#0: ffffffff8c717ec0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30 arch/x86/pci/mmconfig_64.c:151
2 locks held by in:imklog/8141:
#0: ffff888023be8870 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x24e/0x2f0 fs/file.c:974
#1: ffffffff8c717ec0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:266
1 lock held by syz-executor519/8442:
#0: ffff888030e060e0 (&type->s_umount_key#49/1){+.+.}-{3:3}, at: alloc_super+0x1c8/0x860 fs/super.c:229
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 1644 Comm: khungtaskd Not tainted 5.14.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1d3/0x29f lib/dump_stack.c:105
nmi_cpu_backtrace+0x16c/0x190 lib/nmi_backtrace.c:105
nmi_trigger_cpumask_backtrace+0x191/0x2f0 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:210 [inline]
watchdog+0xd06/0xd50 kernel/hung_task.c:295
kthread+0x453/0x480 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 4862 Comm: systemd-journal Not tainted 5.14.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4688 [inline]
RIP: 0010:__lock_acquire+0x5fc/0x6100 kernel/locking/lockdep.c:4965
Code: 00 fc ff df 4c 8b 7c 24 58 4c 8b 64 24 50 48 81 c3 b8 00 00 00 48 89 d8 48 c1 e8 03 8a 04 10 84 c0 0f 85 c1 25 00 00 44 8a 33 <48> 8b 44 24 60 8a 04 10 84 c0 0f 85 d2 25 00 00 41 8b 1c 24 81 e3
RSP: 0018:ffffc9000162f940 EFLAGS: 00000046
RAX: 1ffffffff1f10400 RBX: ffffffff8f882478 RCX: ffffffff816219b8
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffffff8faf3dd0
RBP: ffffc9000162fcd0 R08: dffffc0000000000 R09: fffffbfff1f5e7bb
R10: fffffbfff1f5e7bb R11: 0000000000000000 R12: ffff888015bc5ed0
R13: ffff888015bc5eb8 R14: 00000000000c0000 R15: ffff888015bc54c0
FS: 00007f6e3c3a48c0(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6e39776000 CR3: 00000000213b3000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
lock_acquire+0x182/0x4a0 kernel/locking/lockdep.c:5625
do_write_seqcount_begin_nested include/linux/seqlock.h:520 [inline]
do_write_seqcount_begin include/linux/seqlock.h:545 [inline]
vtime_user_exit+0xb9/0x3e0 kernel/sched/cputime.c:719
__context_tracking_exit+0x7a/0xd0 kernel/context_tracking.c:160
user_exit_irqoff include/linux/context_tracking.h:47 [inline]
__enter_from_user_mode kernel/entry/common.c:22 [inline]
syscall_enter_from_user_mode+0x199/0x1b0 kernel/entry/common.c:104
do_syscall_64+0x1e/0xb0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f6e3b65f9c7
Code: 83 c4 08 48 3d 01 f0 ff ff 73 01 c3 48 8b 0d c8 d4 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 15 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 d4 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffebb868098 EFLAGS: 00000246 ORIG_RAX: 0000000000000015
RAX: ffffffffffffffda RBX: 00007ffebb86b0c0 RCX: 00007f6e3b65f9c7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055c77e4df9a3
RBP: 00007ffebb8681e0 R08: 000055c77e4d53e5 R09: 0000000000000018
R10: 0000000000000069 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 000055c77fce98a0 R15: 00007ffebb8686d0
----------------
Code disassembly (best guess), 3 bytes skipped:
0: df 4c 8b 7c fisttps 0x7c(%rbx,%rcx,4)
4: 24 58 and $0x58,%al
6: 4c 8b 64 24 50 mov 0x50(%rsp),%r12
b: 48 81 c3 b8 00 00 00 add $0xb8,%rbx
12: 48 89 d8 mov %rbx,%rax
15: 48 c1 e8 03 shr $0x3,%rax
19: 8a 04 10 mov (%rax,%rdx,1),%al
1c: 84 c0 test %al,%al
1e: 0f 85 c1 25 00 00 jne 0x25e5
24: 44 8a 33 mov (%rbx),%r14b
* 27: 48 8b 44 24 60 mov 0x60(%rsp),%rax <-- trapping instruction
2c: 8a 04 10 mov (%rax,%rdx,1),%al
2f: 84 c0 test %al,%al
31: 0f 85 d2 25 00 00 jne 0x2609
37: 41 8b 1c 24 mov (%r12),%ebx
3b: 81 .byte 0x81
3c: e3 .byte 0xe3
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller(a)googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
10 months, 1 week
Python script to setup batman networks
by Pranav Jerry
Hi!
I have made a python script [1] to setup batman-adv networks using
systemd-networkd. It requires iwd and systemd-networkd v248 or above.
It starts an adhoc network on wlan0 (or any other wireless interface)
and adds it to bat0. To allow non-mesh clients to connect to
the mesh, if there are two WiFi adapters, the script starts an
AP on one of the adapters.
The script is supposed to be run as a systemd service, since
it can ensure that the dependencies are started before it is run.
The network is configured with systemd-networkd runtime configs
(since it has not implemented configuration via D-Bus)
and the iwd D-Bus API.
All suggestions, criticism and contributions are welcome.
[1]: https://git.disroot.org/pranav/naxalnet
10 months, 1 week
[syzbot] KASAN: slab-out-of-bounds Write in ext4_write_inline_data_end
by syzbot
Hello,
syzbot found the following issue on:
HEAD commit: 614cb2751d31 Merge tag 'trace-v5.14-rc6' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=130112c5300000
kernel config: https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
dashboard link: https://syzkaller.appspot.com/bug?extid=13146364637c7363a7de
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=104d7cc5300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1333ce0e300000
The issue was bisected to:
commit a154d5d83d21af6b9ee32adc5dbcea5ac1fb534c
Author: Arnd Bergmann <arnd(a)arndb.de>
Date: Mon Mar 4 20:38:03 2019 +0000
net: ignore sysctl_devconf_inherit_init_net without SYSCTL
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13f970b6300000
final oops: https://syzkaller.appspot.com/x/report.txt?x=100570b6300000
console output: https://syzkaller.appspot.com/x/log.txt?x=17f970b6300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+13146364637c7363a7de(a)syzkaller.appspotmail.com
Fixes: a154d5d83d21 ("net: ignore sysctl_devconf_inherit_init_net without SYSCTL")
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_write_inline_data fs/ext4/inline.c:245 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_write_inline_data_end+0x4d4/0x960 fs/ext4/inline.c:754
Write of size 70 at addr ffff8880195444ef by task syz-executor279/8426
CPU: 0 PID: 8426 Comm: syz-executor279 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
print_address_description+0x66/0x3b0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x163/0x210 mm/kasan/report.c:436
check_region_inline mm/kasan/generic.c:135 [inline]
kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
memcpy+0x3c/0x60 mm/kasan/shadow.c:66
ext4_write_inline_data fs/ext4/inline.c:245 [inline]
ext4_write_inline_data_end+0x4d4/0x960 fs/ext4/inline.c:754
ext4_write_end+0x1ff/0xbd0 fs/ext4/inode.c:1290
generic_perform_write+0x361/0x580 mm/filemap.c:3667
ext4_buffered_write_iter+0x41c/0x590 fs/ext4/file.c:269
ext4_file_write_iter+0x8f7/0x1b90 fs/ext4/file.c:519
call_write_iter include/linux/fs.h:2114 [inline]
new_sync_write fs/read_write.c:518 [inline]
vfs_write+0xa39/0xc90 fs/read_write.c:605
ksys_write+0x171/0x2a0 fs/read_write.c:658
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x44ac89
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff12e8852f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004ce4d0 RCX: 000000000044ac89
RDX: 0000000000000082 RSI: 0000000020000180 RDI: 0000000000000006
RBP: 000000000049de98 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e
R13: 024645fc87234f45 R14: 26e1d8b70aefbc5b R15: 00000000004ce4d8
Allocated by task 1:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x96/0xd0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:2959 [inline]
slab_alloc mm/slub.c:2967 [inline]
kmem_cache_alloc+0x1d1/0x340 mm/slub.c:2972
kmem_cache_zalloc include/linux/slab.h:711 [inline]
acpi_os_acquire_object include/acpi/platform/aclinuxex.h:67 [inline]
acpi_ut_allocate_object_desc_dbg+0xd8/0x165 drivers/acpi/acpica/utobject.c:359
acpi_ut_create_internal_object_dbg+0x21/0x195 drivers/acpi/acpica/utobject.c:69
acpi_ds_build_internal_object+0x15f/0x732 drivers/acpi/acpica/dsobject.c:94
acpi_ds_create_node+0xe9/0x1a8 drivers/acpi/acpica/dsobject.c:281
acpi_ds_load2_end_op+0x7d0/0xebc drivers/acpi/acpica/dswload2.c:618
acpi_ds_exec_end_op+0x6ce/0x11d4 drivers/acpi/acpica/dswexec.c:637
acpi_ps_parse_loop+0xd9f/0x1cf0 drivers/acpi/acpica/psloop.c:525
acpi_ps_parse_aml+0x1d5/0x955 drivers/acpi/acpica/psparse.c:475
acpi_ps_execute_table+0x317/0x3ef drivers/acpi/acpica/psxface.c:295
acpi_ns_execute_table+0x436/0x5bf drivers/acpi/acpica/nsparse.c:116
acpi_ns_load_table+0x5e/0x120 drivers/acpi/acpica/nsload.c:71
acpi_tb_load_namespace+0x456/0x6b9 drivers/acpi/acpica/tbxfload.c:186
acpi_load_tables+0x45/0xf5 drivers/acpi/acpica/tbxfload.c:59
acpi_bus_init+0x9a/0x993 drivers/acpi/bus.c:1213
acpi_init+0x8c/0x22c drivers/acpi/bus.c:1324
do_one_initcall+0x197/0x3f0 init/main.c:1287
do_initcall_level+0x14a/0x1f5 init/main.c:1360
do_initcalls+0x4b/0x8c init/main.c:1376
kernel_init_freeable+0x3f1/0x57e init/main.c:1598
kernel_init+0x19/0x2a0 init/main.c:1490
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
The buggy address belongs to the object at ffff8880195444e0
which belongs to the cache Acpi-Operand of size 72
The buggy address is located 15 bytes inside of
72-byte region [ffff8880195444e0, ffff888019544528)
The buggy address belongs to the page:
page:ffffea0000655100 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888019544068 pfn:0x19544
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0000654f88 ffffea0000654e08 ffff8880110c2b40
raw: ffff888019544068 000000000027001d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 3012488798, free_ts 0
prep_new_page mm/page_alloc.c:2436 [inline]
get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169
__alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391
alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2119
alloc_slab_page mm/slub.c:1691 [inline]
allocate_slab+0xf1/0x540 mm/slub.c:1831
new_slab mm/slub.c:1894 [inline]
new_slab_objects mm/slub.c:2640 [inline]
___slab_alloc+0x1cf/0x350 mm/slub.c:2803
__slab_alloc mm/slub.c:2843 [inline]
slab_alloc_node mm/slub.c:2925 [inline]
slab_alloc mm/slub.c:2967 [inline]
kmem_cache_alloc+0x299/0x340 mm/slub.c:2972
kmem_cache_zalloc include/linux/slab.h:711 [inline]
acpi_os_acquire_object include/acpi/platform/aclinuxex.h:67 [inline]
acpi_ut_allocate_object_desc_dbg+0xd8/0x165 drivers/acpi/acpica/utobject.c:359
acpi_ut_create_internal_object_dbg+0x21/0x195 drivers/acpi/acpica/utobject.c:69
acpi_ds_build_internal_object+0x15f/0x732 drivers/acpi/acpica/dsobject.c:94
acpi_ds_create_node+0xe9/0x1a8 drivers/acpi/acpica/dsobject.c:281
acpi_ds_load2_end_op+0x7d0/0xebc drivers/acpi/acpica/dswload2.c:618
acpi_ds_exec_end_op+0x6ce/0x11d4 drivers/acpi/acpica/dswexec.c:637
acpi_ps_parse_loop+0xd9f/0x1cf0 drivers/acpi/acpica/psloop.c:525
acpi_ps_parse_aml+0x1d5/0x955 drivers/acpi/acpica/psparse.c:475
acpi_ps_execute_table+0x317/0x3ef drivers/acpi/acpica/psxface.c:295
acpi_ns_execute_table+0x436/0x5bf drivers/acpi/acpica/nsparse.c:116
page_owner free stack trace missing
Memory state around the buggy address:
ffff888019544400: fc fc 00 00 00 00 00 00 00 00 00 fc fc fc fc 00
ffff888019544480: 00 00 00 00 00 00 00 00 fc fc fc fc 00 00 00 00
>ffff888019544500: 00 00 00 00 00 fc fc fc fc fb fb fb fb fb fb fb
^
ffff888019544580: fb fb fc fc fc fc 00 00 00 00 00 00 00 00 00 fc
ffff888019544600: fc fc fc 00 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: ff c3 inc %ebx
2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 40 00 nopl 0x0(%rax)
10: 48 89 f8 mov %rdi,%rax
13: 48 89 f7 mov %rsi,%rdi
16: 48 89 d6 mov %rdx,%rsi
19: 48 89 ca mov %rcx,%rdx
1c: 4d 89 c2 mov %r8,%r10
1f: 4d 89 c8 mov %r9,%r8
22: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
27: 0f 05 syscall
29: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
2f: 73 01 jae 0x32
31: c3 retq
32: 48 c7 c1 b8 ff ff ff mov $0xffffffffffffffb8,%rcx
39: f7 d8 neg %eax
3b: 64 89 01 mov %eax,%fs:(%rcx)
3e: 48 rex.W
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller(a)googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
10 months, 1 week
[PATCH 0/6] (updated) pull request for net-next: batman-adv 2021-08-20
by Simon Wunderlich
Hi Jakub,
here is the updated pull request of batman-adv, with the missing sign-off
added which you pointed out yesterday.
Please pull or let me know of any problem!
Thank you,
Simon
The following changes since commit b37a466837393af72fe8bcb8f1436410f3f173f3:
netdevice: add the case if dev is NULL (2021-08-05 13:29:26 +0100)
are available in the Git repository at:
git://git.open-mesh.org/linux-merge.git tags/batadv-next-pullrequest-20210820
for you to fetch changes up to a006aa51ea27fa64afc7990f8f100ff0baa92413:
batman-adv: bcast: remove remaining skb-copy calls (2021-08-20 08:17:10 +0200)
----------------------------------------------------------------
This (updated) cleanup patchset includes the following patches:
- bump version strings, by Simon Wunderlich
- update docs about move IRC channel away from freenode,
by Sven Eckelmann (updated, added missing sign-off)
- Switch to kstrtox.h for kstrtou64, by Sven Eckelmann
- Update NULL checks, by Sven Eckelmann (2 patches)
- remove remaining skb-copy calls for broadcast packets,
by Linus Lüssing
----------------------------------------------------------------
Linus Lüssing (1):
batman-adv: bcast: remove remaining skb-copy calls
Simon Wunderlich (1):
batman-adv: Start new development cycle
Sven Eckelmann (4):
batman-adv: Move IRC channel to hackint.org
batman-adv: Switch to kstrtox.h for kstrtou64
batman-adv: Check ptr for NULL before reducing its refcnt
batman-adv: Drop NULL check before dropping references
Documentation/networking/batman-adv.rst | 2 +-
MAINTAINERS | 2 +-
net/batman-adv/bat_iv_ogm.c | 75 ++++++++---------------
net/batman-adv/bat_v.c | 30 ++++------
net/batman-adv/bat_v_elp.c | 9 +--
net/batman-adv/bat_v_ogm.c | 39 ++++--------
net/batman-adv/bridge_loop_avoidance.c | 33 +++++------
net/batman-adv/distributed-arp-table.c | 24 ++++----
net/batman-adv/fragmentation.c | 6 +-
net/batman-adv/gateway_client.c | 57 +++++-------------
net/batman-adv/gateway_client.h | 16 ++++-
net/batman-adv/gateway_common.c | 2 +-
net/batman-adv/hard-interface.c | 21 +++----
net/batman-adv/hard-interface.h | 3 +
net/batman-adv/main.h | 2 +-
net/batman-adv/multicast.c | 2 +-
net/batman-adv/netlink.c | 6 +-
net/batman-adv/network-coding.c | 24 ++++----
net/batman-adv/originator.c | 102 +++++---------------------------
net/batman-adv/originator.h | 96 +++++++++++++++++++++++++++---
net/batman-adv/routing.c | 39 ++++--------
net/batman-adv/send.c | 33 ++++++-----
net/batman-adv/soft-interface.c | 27 ++-------
net/batman-adv/soft-interface.h | 16 ++++-
net/batman-adv/tp_meter.c | 27 ++++-----
net/batman-adv/translation-table.c | 100 +++++++++++--------------------
net/batman-adv/translation-table.h | 18 +++++-
net/batman-adv/tvlv.c | 9 ++-
28 files changed, 364 insertions(+), 456 deletions(-)
10 months, 2 weeks
[PATCH 0/6] pull request for net-next: batman-adv 2021-08-19
by Simon Wunderlich
Hi Jakub, hi David,
here is a little cleanup pull request of batman-adv to go into net-next.
Please pull or let me know of any problem!
Thank you,
Simon
The following changes since commit b37a466837393af72fe8bcb8f1436410f3f173f3:
netdevice: add the case if dev is NULL (2021-08-05 13:29:26 +0100)
are available in the Git repository at:
git://git.open-mesh.org/linux-merge.git tags/batadv-next-pullrequest-20210819
for you to fetch changes up to 808cfdfad57999c85f9ab13499a38d136d032232:
batman-adv: bcast: remove remaining skb-copy calls (2021-08-18 18:39:00 +0200)
----------------------------------------------------------------
This cleanup patchset includes the following patches:
- bump version strings, by Simon Wunderlich
- update docs about move IRC channel away from freenode,
by Sven Eckelmann
- Switch to kstrtox.h for kstrtou64, by Sven Eckelmann
- Update NULL checks, by Sven Eckelmann (2 patches)
- remove remaining skb-copy calls for broadcast packets,
by Linus Lüssing
----------------------------------------------------------------
Linus Lüssing (1):
batman-adv: bcast: remove remaining skb-copy calls
Simon Wunderlich (1):
batman-adv: Start new development cycle
Sven Eckelmann (4):
batman-adv: Move IRC channel to hackint.org
batman-adv: Switch to kstrtox.h for kstrtou64
batman-adv: Check ptr for NULL before reducing its refcnt
batman-adv: Drop NULL check before dropping references
Documentation/networking/batman-adv.rst | 2 +-
MAINTAINERS | 2 +-
net/batman-adv/bat_iv_ogm.c | 75 ++++++++---------------
net/batman-adv/bat_v.c | 30 ++++------
net/batman-adv/bat_v_elp.c | 9 +--
net/batman-adv/bat_v_ogm.c | 39 ++++--------
net/batman-adv/bridge_loop_avoidance.c | 33 +++++------
net/batman-adv/distributed-arp-table.c | 24 ++++----
net/batman-adv/fragmentation.c | 6 +-
net/batman-adv/gateway_client.c | 57 +++++-------------
net/batman-adv/gateway_client.h | 16 ++++-
net/batman-adv/gateway_common.c | 2 +-
net/batman-adv/hard-interface.c | 21 +++----
net/batman-adv/hard-interface.h | 3 +
net/batman-adv/main.h | 2 +-
net/batman-adv/multicast.c | 2 +-
net/batman-adv/netlink.c | 6 +-
net/batman-adv/network-coding.c | 24 ++++----
net/batman-adv/originator.c | 102 +++++---------------------------
net/batman-adv/originator.h | 96 +++++++++++++++++++++++++++---
net/batman-adv/routing.c | 39 ++++--------
net/batman-adv/send.c | 33 ++++++-----
net/batman-adv/soft-interface.c | 27 ++-------
net/batman-adv/soft-interface.h | 16 ++++-
net/batman-adv/tp_meter.c | 27 ++++-----
net/batman-adv/translation-table.c | 100 +++++++++++--------------------
net/batman-adv/translation-table.h | 18 +++++-
net/batman-adv/tvlv.c | 9 ++-
28 files changed, 364 insertions(+), 456 deletions(-)
10 months, 2 weeks
[PATCH v4] batman-adv: bcast: remove remaining skb-copy calls
by Sven Eckelmann
From: Linus Lüssing <linus.luessing(a)c0d3.blue>
We currently have two code paths for broadcast packets:
A) self-generated, via batadv_interface_tx()->
batadv_send_bcast_packet().
B) received/forwarded, via batadv_recv_bcast_packet()->
batadv_forw_bcast_packet().
For A), self-generated broadcast packets:
the only modifications to the skb data is the ethernet header which is
added/pushed to the skb in
batadv_send_broadcast_skb()->batadv_send_skb_packet(). However before
doing so, batadv_skb_head_push() is called which calls skb_cow_head() to
unshare the space for the to be pushed ethernet header. So for this
case, it is safe to use skb clones.
For B), received/forwarded packets:
the same applies as in A) for the to be forwarded packets. Only the
ethernet header is added. However after (queueing for) forwarding the
packet in batadv_recv_bcast_packet()->batadv_forw_bcast_packet(), a
packet is additionally decapsulated and is sent up the stack through
batadv_recv_bcast_packet()->batadv_interface_rx().
Protocols higher up the stack are already required to check if the
packet is shared and create a copy for further modifications. When the
next (protocol) layer works correctly, it cannot happen that ot tries to
operate on the data behind the skb clone which is still queued up for
forwarding.
Signed-off-by: Linus Lüssing <linus.luessing(a)c0d3.blue>
Co-authored-by: Sven Eckelmann <sven(a)narfation.org>
Signed-off-by: Sven Eckelmann <sven(a)narfation.org>
---
v3:
* newly added this patch, to move skb_copy()->skb_clone() changes from
PATCH 01/03 to a separate patch with its own explanation
v4:
* dropped skb_cow call in __batadv_forw_bcast_packet and adjusted the
text for B) to explain the reasoning behind it
net/batman-adv/send.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c
index 0b9dd29d..b1cb9eb3 100644
--- a/net/batman-adv/send.c
+++ b/net/batman-adv/send.c
@@ -748,6 +748,10 @@ void batadv_forw_packet_ogmv1_queue(struct batadv_priv *bat_priv,
* Adds a broadcast packet to the queue and sets up timers. Broadcast packets
* are sent multiple times to increase probability for being received.
*
+ * This call clones the given skb, hence the caller needs to take into
+ * account that the data segment of the original skb might not be
+ * modifiable anymore.
+ *
* Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors.
*/
static int batadv_forw_bcast_packet_to_list(struct batadv_priv *bat_priv,
@@ -761,7 +765,7 @@ static int batadv_forw_bcast_packet_to_list(struct batadv_priv *bat_priv,
unsigned long send_time = jiffies;
struct sk_buff *newskb;
- newskb = skb_copy(skb, GFP_ATOMIC);
+ newskb = skb_clone(skb, GFP_ATOMIC);
if (!newskb)
goto err;
@@ -800,6 +804,10 @@ static int batadv_forw_bcast_packet_to_list(struct batadv_priv *bat_priv,
* or if a delay is given after that. Furthermore, queues additional
* retransmissions if this interface is a wireless one.
*
+ * This call clones the given skb, hence the caller needs to take into
+ * account that the data segment of the original skb might not be
+ * modifiable anymore.
+ *
* Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors.
*/
static int batadv_forw_bcast_packet_if(struct batadv_priv *bat_priv,
@@ -814,7 +822,7 @@ static int batadv_forw_bcast_packet_if(struct batadv_priv *bat_priv,
int ret = NETDEV_TX_OK;
if (!delay) {
- newskb = skb_copy(skb, GFP_ATOMIC);
+ newskb = skb_clone(skb, GFP_ATOMIC);
if (!newskb)
return NETDEV_TX_BUSY;
--
2.30.2
10 months, 2 weeks
[PATCH v3 1/3] batman-adv: bcast: queue per interface, if needed
by Linus Lüssing
Currently we schedule a broadcast packet like:
3x: [ [(re-)queue] --> for(hard-if): maybe-transmit ]
The intention of queueing a broadcast packet multiple times is to
increase robustness for wireless interfaces. However on interfaces
which we only broadcast on once the queueing induces an unnecessary
penalty. This patch restructures the queueing to be performed on a per
interface basis:
for(hard-if):
- transmit
- if wireless: [queue] --> transmit --> [requeue] --> transmit
Next to the performance benefits on non-wireless interfaces this
should also make it easier to apply alternative strategies for
transmissions on wireless interfaces in the future (for instance sending
via unicast transmissions on wireless interfaces, without queueing in
batman-adv, if appropriate).
Signed-off-by: Linus Lüssing <linus.luessing(a)c0d3.blue>
---
Changelog v3:
* changed all skb_clone() calls to skb_copy(), to move the
skb_copy()->skb_clone() changes to extra commits with their own
explanation
Changelog v2:
* fixed spelling of "unnecessary" in commit message (thanks Sven)
* removed now superflous kerneldoc for hard_iface in
batadv_forw_packet_bcasts_left() (thanks Sven)
* removed delay check for queued (re)broadcasts in
batadv_forw_bcast_packet_if(): the only case where a delay is set
for this function is for a delayed, DAT fallback ARP Request from
this node, then however num_bcasts will be >=1, too, and the fallback
ARP Request will be scheduled anyway
---
net/batman-adv/main.h | 1 -
net/batman-adv/routing.c | 9 +-
net/batman-adv/send.c | 374 +++++++++++++++++++++-----------
net/batman-adv/send.h | 12 +-
net/batman-adv/soft-interface.c | 12 +-
5 files changed, 270 insertions(+), 138 deletions(-)
diff --git a/net/batman-adv/main.h b/net/batman-adv/main.h
index 8f0102b7..baa9fcbe 100644
--- a/net/batman-adv/main.h
+++ b/net/batman-adv/main.h
@@ -88,7 +88,6 @@
/* number of packets to send for broadcasts on different interface types */
#define BATADV_NUM_BCASTS_DEFAULT 1
#define BATADV_NUM_BCASTS_WIRELESS 3
-#define BATADV_NUM_BCASTS_MAX 3
/* length of the single packet used by the TP meter */
#define BATADV_TP_PACKET_LEN ETH_DATA_LEN
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 40f5cffd..bb9e93e3 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -1182,9 +1182,9 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
struct batadv_bcast_packet *bcast_packet;
struct ethhdr *ethhdr;
int hdr_size = sizeof(*bcast_packet);
- int ret = NET_RX_DROP;
s32 seq_diff;
u32 seqno;
+ int ret;
/* drop packet if it has not necessary minimum size */
if (unlikely(!pskb_may_pull(skb, hdr_size)))
@@ -1210,7 +1210,7 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
if (batadv_is_my_mac(bat_priv, bcast_packet->orig))
goto free_skb;
- if (bcast_packet->ttl < 2)
+ if (bcast_packet->ttl-- < 2)
goto free_skb;
orig_node = batadv_orig_hash_find(bat_priv, bcast_packet->orig);
@@ -1249,7 +1249,9 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
batadv_skb_set_priority(skb, sizeof(struct batadv_bcast_packet));
/* rebroadcast packet */
- batadv_add_bcast_packet_to_list(bat_priv, skb, 1, false);
+ ret = batadv_forw_bcast_packet(bat_priv, skb, 0, false);
+ if (ret == NETDEV_TX_BUSY)
+ goto free_skb;
/* don't hand the broadcast up if it is from an originator
* from the same backbone.
@@ -1275,6 +1277,7 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
spin_unlock_bh(&orig_node->bcast_seqno_lock);
free_skb:
kfree_skb(skb);
+ ret = NET_RX_DROP;
out:
if (orig_node)
batadv_orig_node_put(orig_node);
diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c
index 157abe92..07b0ba26 100644
--- a/net/batman-adv/send.c
+++ b/net/batman-adv/send.c
@@ -737,57 +737,48 @@ void batadv_forw_packet_ogmv1_queue(struct batadv_priv *bat_priv,
}
/**
- * batadv_add_bcast_packet_to_list() - queue broadcast packet for multiple sends
+ * batadv_forw_bcast_packet_to_list() - queue broadcast packet for transmissions
* @bat_priv: the bat priv with all the soft interface information
* @skb: broadcast packet to add
* @delay: number of jiffies to wait before sending
* @own_packet: true if it is a self-generated broadcast packet
+ * @if_in: the interface where the packet was received on
+ * @if_out: the outgoing interface to queue on
*
- * add a broadcast packet to the queue and setup timers. broadcast packets
+ * Adds a broadcast packet to the queue and sets up timers. Broadcast packets
* are sent multiple times to increase probability for being received.
*
- * The skb is not consumed, so the caller should make sure that the
- * skb is freed.
- *
* Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors.
*/
-int batadv_add_bcast_packet_to_list(struct batadv_priv *bat_priv,
- const struct sk_buff *skb,
- unsigned long delay,
- bool own_packet)
+static int batadv_forw_bcast_packet_to_list(struct batadv_priv *bat_priv,
+ struct sk_buff *skb,
+ unsigned long delay,
+ bool own_packet,
+ struct batadv_hard_iface *if_in,
+ struct batadv_hard_iface *if_out)
{
- struct batadv_hard_iface *primary_if;
struct batadv_forw_packet *forw_packet;
- struct batadv_bcast_packet *bcast_packet;
+ unsigned long send_time = jiffies;
struct sk_buff *newskb;
- primary_if = batadv_primary_if_get_selected(bat_priv);
- if (!primary_if)
- goto err;
-
newskb = skb_copy(skb, GFP_ATOMIC);
- if (!newskb) {
- batadv_hardif_put(primary_if);
+ if (!newskb)
goto err;
- }
- forw_packet = batadv_forw_packet_alloc(primary_if, NULL,
+ forw_packet = batadv_forw_packet_alloc(if_in, if_out,
&bat_priv->bcast_queue_left,
bat_priv, newskb);
- batadv_hardif_put(primary_if);
if (!forw_packet)
goto err_packet_free;
- /* as we have a copy now, it is safe to decrease the TTL */
- bcast_packet = (struct batadv_bcast_packet *)newskb->data;
- bcast_packet->ttl--;
-
forw_packet->own = own_packet;
INIT_DELAYED_WORK(&forw_packet->delayed_work,
batadv_send_outstanding_bcast_packet);
- batadv_forw_packet_bcast_queue(bat_priv, forw_packet, jiffies + delay);
+ send_time += delay ? delay : msecs_to_jiffies(5);
+
+ batadv_forw_packet_bcast_queue(bat_priv, forw_packet, send_time);
return NETDEV_TX_OK;
err_packet_free:
@@ -796,10 +787,220 @@ int batadv_add_bcast_packet_to_list(struct batadv_priv *bat_priv,
return NETDEV_TX_BUSY;
}
+/**
+ * batadv_forw_bcast_packet_if() - forward and queue a broadcast packet
+ * @bat_priv: the bat priv with all the soft interface information
+ * @skb: broadcast packet to add
+ * @delay: number of jiffies to wait before sending
+ * @own_packet: true if it is a self-generated broadcast packet
+ * @if_in: the interface where the packet was received on
+ * @if_out: the outgoing interface to forward to
+ *
+ * Transmits a broadcast packet on the specified interface either immediately
+ * or if a delay is given after that. Furthermore, queues additional
+ * retransmissions if this interface is a wireless one.
+ *
+ * Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors.
+ */
+static int batadv_forw_bcast_packet_if(struct batadv_priv *bat_priv,
+ struct sk_buff *skb,
+ unsigned long delay,
+ bool own_packet,
+ struct batadv_hard_iface *if_in,
+ struct batadv_hard_iface *if_out)
+{
+ unsigned int num_bcasts = if_out->num_bcasts;
+ struct sk_buff *newskb;
+ int ret = NETDEV_TX_OK;
+
+ if (!delay) {
+ newskb = skb_copy(skb, GFP_ATOMIC);
+ if (!newskb)
+ return NETDEV_TX_BUSY;
+
+ batadv_send_broadcast_skb(newskb, if_out);
+ num_bcasts--;
+ }
+
+ /* delayed broadcast or rebroadcasts? */
+ if (num_bcasts >= 1) {
+ BATADV_SKB_CB(skb)->num_bcasts = num_bcasts;
+
+ ret = batadv_forw_bcast_packet_to_list(bat_priv, skb, delay,
+ own_packet, if_in,
+ if_out);
+ }
+
+ return ret;
+}
+
+/**
+ * batadv_send_no_broadcast() - check whether (re)broadcast is necessary
+ * @bat_priv: the bat priv with all the soft interface information
+ * @skb: broadcast packet to check
+ * @own_packet: true if it is a self-generated broadcast packet
+ * @if_out: the outgoing interface checked and considered for (re)broadcast
+ *
+ * Return: False if a packet needs to be (re)broadcasted on the given interface,
+ * true otherwise.
+ */
+static bool batadv_send_no_broadcast(struct batadv_priv *bat_priv,
+ struct sk_buff *skb, bool own_packet,
+ struct batadv_hard_iface *if_out)
+{
+ struct batadv_hardif_neigh_node *neigh_node = NULL;
+ struct batadv_bcast_packet *bcast_packet;
+ u8 *orig_neigh;
+ u8 *neigh_addr;
+ char *type;
+ int ret;
+
+ if (!own_packet) {
+ neigh_addr = eth_hdr(skb)->h_source;
+ neigh_node = batadv_hardif_neigh_get(if_out,
+ neigh_addr);
+ }
+
+ bcast_packet = (struct batadv_bcast_packet *)skb->data;
+ orig_neigh = neigh_node ? neigh_node->orig : NULL;
+
+ ret = batadv_hardif_no_broadcast(if_out, bcast_packet->orig,
+ orig_neigh);
+
+ if (neigh_node)
+ batadv_hardif_neigh_put(neigh_node);
+
+ /* ok, may broadcast */
+ if (!ret)
+ return false;
+
+ /* no broadcast */
+ switch (ret) {
+ case BATADV_HARDIF_BCAST_NORECIPIENT:
+ type = "no neighbor";
+ break;
+ case BATADV_HARDIF_BCAST_DUPFWD:
+ type = "single neighbor is source";
+ break;
+ case BATADV_HARDIF_BCAST_DUPORIG:
+ type = "single neighbor is originator";
+ break;
+ default:
+ type = "unknown";
+ }
+
+ batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
+ "BCAST packet from orig %pM on %s suppressed: %s\n",
+ bcast_packet->orig,
+ if_out->net_dev->name, type);
+
+ return true;
+}
+
+/**
+ * __batadv_forw_bcast_packet() - forward and queue a broadcast packet
+ * @bat_priv: the bat priv with all the soft interface information
+ * @skb: broadcast packet to add
+ * @delay: number of jiffies to wait before sending
+ * @own_packet: true if it is a self-generated broadcast packet
+ *
+ * Transmits a broadcast packet either immediately or if a delay is given
+ * after that. Furthermore, queues additional retransmissions on wireless
+ * interfaces.
+ *
+ * This call clones the given skb, hence the caller needs to take into
+ * account that the data segment of the given skb might not be
+ * modifiable anymore.
+ *
+ * Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors.
+ */
+static int __batadv_forw_bcast_packet(struct batadv_priv *bat_priv,
+ struct sk_buff *skb,
+ unsigned long delay,
+ bool own_packet)
+{
+ struct batadv_hard_iface *hard_iface;
+ struct batadv_hard_iface *primary_if;
+ int ret = NETDEV_TX_OK;
+
+ primary_if = batadv_primary_if_get_selected(bat_priv);
+ if (!primary_if)
+ return NETDEV_TX_BUSY;
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(hard_iface, &batadv_hardif_list, list) {
+ if (hard_iface->soft_iface != bat_priv->soft_iface)
+ continue;
+
+ if (!kref_get_unless_zero(&hard_iface->refcount))
+ continue;
+
+ if (batadv_send_no_broadcast(bat_priv, skb, own_packet,
+ hard_iface)) {
+ batadv_hardif_put(hard_iface);
+ continue;
+ }
+
+ ret = batadv_forw_bcast_packet_if(bat_priv, skb, delay,
+ own_packet, primary_if,
+ hard_iface);
+ batadv_hardif_put(hard_iface);
+
+ if (ret == NETDEV_TX_BUSY)
+ break;
+ }
+ rcu_read_unlock();
+
+ batadv_hardif_put(primary_if);
+ return ret;
+}
+
+/**
+ * batadv_forw_bcast_packet() - forward and queue a broadcast packet
+ * @bat_priv: the bat priv with all the soft interface information
+ * @skb: broadcast packet to add
+ * @delay: number of jiffies to wait before sending
+ * @own_packet: true if it is a self-generated broadcast packet
+ *
+ * Transmits a broadcast packet either immediately or if a delay is given
+ * after that. Furthermore, queues additional retransmissions on wireless
+ * interfaces.
+ *
+ * Return: NETDEV_TX_OK on success and NETDEV_TX_BUSY on errors.
+ */
+int batadv_forw_bcast_packet(struct batadv_priv *bat_priv,
+ struct sk_buff *skb,
+ unsigned long delay,
+ bool own_packet)
+{
+ return __batadv_forw_bcast_packet(bat_priv, skb, delay, own_packet);
+}
+
+/**
+ * batadv_send_bcast_packet() - send and queue a broadcast packet
+ * @bat_priv: the bat priv with all the soft interface information
+ * @skb: broadcast packet to add
+ * @delay: number of jiffies to wait before sending
+ * @own_packet: true if it is a self-generated broadcast packet
+ *
+ * Transmits a broadcast packet either immediately or if a delay is given
+ * after that. Furthermore, queues additional retransmissions on wireless
+ * interfaces.
+ *
+ * Consumes the provided skb.
+ */
+void batadv_send_bcast_packet(struct batadv_priv *bat_priv,
+ struct sk_buff *skb,
+ unsigned long delay,
+ bool own_packet)
+{
+ __batadv_forw_bcast_packet(bat_priv, skb, delay, own_packet);
+ consume_skb(skb);
+}
+
/**
* batadv_forw_packet_bcasts_left() - check if a retransmission is necessary
* @forw_packet: the forwarding packet to check
- * @hard_iface: the interface to check on
*
* Checks whether a given packet has any (re)transmissions left on the provided
* interface.
@@ -811,28 +1012,20 @@ int batadv_add_bcast_packet_to_list(struct batadv_priv *bat_priv,
* Return: True if (re)transmissions are left, false otherwise.
*/
static bool
-batadv_forw_packet_bcasts_left(struct batadv_forw_packet *forw_packet,
- struct batadv_hard_iface *hard_iface)
+batadv_forw_packet_bcasts_left(struct batadv_forw_packet *forw_packet)
{
- unsigned int max;
-
- if (hard_iface)
- max = hard_iface->num_bcasts;
- else
- max = BATADV_NUM_BCASTS_MAX;
-
- return BATADV_SKB_CB(forw_packet->skb)->num_bcasts < max;
+ return BATADV_SKB_CB(forw_packet->skb)->num_bcasts;
}
/**
- * batadv_forw_packet_bcasts_inc() - increment retransmission counter of a
+ * batadv_forw_packet_bcasts_dec() - decrement retransmission counter of a
* packet
- * @forw_packet: the packet to increase the counter for
+ * @forw_packet: the packet to decrease the counter for
*/
static void
-batadv_forw_packet_bcasts_inc(struct batadv_forw_packet *forw_packet)
+batadv_forw_packet_bcasts_dec(struct batadv_forw_packet *forw_packet)
{
- BATADV_SKB_CB(forw_packet->skb)->num_bcasts++;
+ BATADV_SKB_CB(forw_packet->skb)->num_bcasts--;
}
/**
@@ -843,30 +1036,30 @@ batadv_forw_packet_bcasts_inc(struct batadv_forw_packet *forw_packet)
*/
bool batadv_forw_packet_is_rebroadcast(struct batadv_forw_packet *forw_packet)
{
- return BATADV_SKB_CB(forw_packet->skb)->num_bcasts > 0;
+ unsigned char num_bcasts = BATADV_SKB_CB(forw_packet->skb)->num_bcasts;
+
+ return num_bcasts != forw_packet->if_outgoing->num_bcasts;
}
+/**
+ * batadv_send_outstanding_bcast_packet() - transmit a queued broadcast packet
+ * @work: work queue item
+ *
+ * Transmits a queued broadcast packet and if necessary reschedules it.
+ */
static void batadv_send_outstanding_bcast_packet(struct work_struct *work)
{
- struct batadv_hard_iface *hard_iface;
- struct batadv_hardif_neigh_node *neigh_node;
+ unsigned long send_time = jiffies + msecs_to_jiffies(5);
+ struct batadv_forw_packet *forw_packet;
struct delayed_work *delayed_work;
- struct batadv_forw_packet *forw_packet;
- struct batadv_bcast_packet *bcast_packet;
+ struct batadv_priv *bat_priv;
struct sk_buff *skb1;
- struct net_device *soft_iface;
- struct batadv_priv *bat_priv;
- unsigned long send_time = jiffies + msecs_to_jiffies(5);
bool dropped = false;
- u8 *neigh_addr;
- u8 *orig_neigh;
- int ret = 0;
delayed_work = to_delayed_work(work);
forw_packet = container_of(delayed_work, struct batadv_forw_packet,
delayed_work);
- soft_iface = forw_packet->if_incoming->soft_iface;
- bat_priv = netdev_priv(soft_iface);
+ bat_priv = netdev_priv(forw_packet->if_incoming->soft_iface);
if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_DEACTIVATING) {
dropped = true;
@@ -878,76 +1071,15 @@ static void batadv_send_outstanding_bcast_packet(struct work_struct *work)
goto out;
}
- bcast_packet = (struct batadv_bcast_packet *)forw_packet->skb->data;
+ /* send a copy of the saved skb */
+ skb1 = skb_copy(forw_packet->skb, GFP_ATOMIC);
+ if (!skb1)
+ goto out;
- /* rebroadcast packet */
- rcu_read_lock();
- list_for_each_entry_rcu(hard_iface, &batadv_hardif_list, list) {
- if (hard_iface->soft_iface != soft_iface)
- continue;
+ batadv_send_broadcast_skb(skb1, forw_packet->if_outgoing);
+ batadv_forw_packet_bcasts_dec(forw_packet);
- if (!batadv_forw_packet_bcasts_left(forw_packet, hard_iface))
- continue;
-
- if (forw_packet->own) {
- neigh_node = NULL;
- } else {
- neigh_addr = eth_hdr(forw_packet->skb)->h_source;
- neigh_node = batadv_hardif_neigh_get(hard_iface,
- neigh_addr);
- }
-
- orig_neigh = neigh_node ? neigh_node->orig : NULL;
-
- ret = batadv_hardif_no_broadcast(hard_iface, bcast_packet->orig,
- orig_neigh);
-
- if (ret) {
- char *type;
-
- switch (ret) {
- case BATADV_HARDIF_BCAST_NORECIPIENT:
- type = "no neighbor";
- break;
- case BATADV_HARDIF_BCAST_DUPFWD:
- type = "single neighbor is source";
- break;
- case BATADV_HARDIF_BCAST_DUPORIG:
- type = "single neighbor is originator";
- break;
- default:
- type = "unknown";
- }
-
- batadv_dbg(BATADV_DBG_BATMAN, bat_priv, "BCAST packet from orig %pM on %s suppressed: %s\n",
- bcast_packet->orig,
- hard_iface->net_dev->name, type);
-
- if (neigh_node)
- batadv_hardif_neigh_put(neigh_node);
-
- continue;
- }
-
- if (neigh_node)
- batadv_hardif_neigh_put(neigh_node);
-
- if (!kref_get_unless_zero(&hard_iface->refcount))
- continue;
-
- /* send a copy of the saved skb */
- skb1 = skb_clone(forw_packet->skb, GFP_ATOMIC);
- if (skb1)
- batadv_send_broadcast_skb(skb1, hard_iface);
-
- batadv_hardif_put(hard_iface);
- }
- rcu_read_unlock();
-
- batadv_forw_packet_bcasts_inc(forw_packet);
-
- /* if we still have some more bcasts to send */
- if (batadv_forw_packet_bcasts_left(forw_packet, NULL)) {
+ if (batadv_forw_packet_bcasts_left(forw_packet)) {
batadv_forw_packet_bcast_queue(bat_priv, forw_packet,
send_time);
return;
diff --git a/net/batman-adv/send.h b/net/batman-adv/send.h
index 2b0daf8b..08af251b 100644
--- a/net/batman-adv/send.h
+++ b/net/batman-adv/send.h
@@ -39,10 +39,14 @@ int batadv_send_broadcast_skb(struct sk_buff *skb,
struct batadv_hard_iface *hard_iface);
int batadv_send_unicast_skb(struct sk_buff *skb,
struct batadv_neigh_node *neigh_node);
-int batadv_add_bcast_packet_to_list(struct batadv_priv *bat_priv,
- const struct sk_buff *skb,
- unsigned long delay,
- bool own_packet);
+int batadv_forw_bcast_packet(struct batadv_priv *bat_priv,
+ struct sk_buff *skb,
+ unsigned long delay,
+ bool own_packet);
+void batadv_send_bcast_packet(struct batadv_priv *bat_priv,
+ struct sk_buff *skb,
+ unsigned long delay,
+ bool own_packet);
void
batadv_purge_outstanding_packets(struct batadv_priv *bat_priv,
const struct batadv_hard_iface *hard_iface);
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 6b8181bc..a21884c0 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -191,7 +191,7 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb,
struct vlan_ethhdr *vhdr;
unsigned int header_len = 0;
int data_len = skb->len, ret;
- unsigned long brd_delay = 1;
+ unsigned long brd_delay = 0;
bool do_bcast = false, client_added;
unsigned short vid;
u32 seqno;
@@ -330,7 +330,7 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb,
bcast_packet = (struct batadv_bcast_packet *)skb->data;
bcast_packet->version = BATADV_COMPAT_VERSION;
- bcast_packet->ttl = BATADV_TTL;
+ bcast_packet->ttl = BATADV_TTL - 1;
/* batman packet type: broadcast */
bcast_packet->packet_type = BATADV_BCAST;
@@ -346,13 +346,7 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb,
seqno = atomic_inc_return(&bat_priv->bcast_seqno);
bcast_packet->seqno = htonl(seqno);
- batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay, true);
-
- /* a copy is stored in the bcast list, therefore removing
- * the original skb.
- */
- consume_skb(skb);
-
+ batadv_send_bcast_packet(bat_priv, skb, brd_delay, true);
/* unicast packet */
} else {
/* DHCP packets going to a server will use the GW feature */
--
2.31.0
10 months, 2 weeks
[syzbot] WARNING in __v9fs_get_acl
by syzbot
Hello,
syzbot found the following issue on:
HEAD commit: 761c6d7ec820 Merge tag 'arc-5.14-rc6' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11d87ca1300000
kernel config: https://syzkaller.appspot.com/x/.config?x=730106bfb5bf8ace
dashboard link: https://syzkaller.appspot.com/bug?extid=56fdf7f6291d819b9b19
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ca6029300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13bf42a1300000
The issue was bisected to:
commit 0ac1077e3a549bf8d35971613e2be05bdbb41a00
Author: Xin Long <lucien.xin(a)gmail.com>
Date: Tue Oct 16 07:52:02 2018 +0000
sctp: get pr_assoc and pr_stream all status with SCTP_PR_SCTP_ALL instead
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16f311fa300000
final oops: https://syzkaller.appspot.com/x/report.txt?x=15f311fa300000
console output: https://syzkaller.appspot.com/x/log.txt?x=11f311fa300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+56fdf7f6291d819b9b19(a)syzkaller.appspotmail.com
Fixes: 0ac1077e3a54 ("sctp: get pr_assoc and pr_stream all status with SCTP_PR_SCTP_ALL instead")
------------[ cut here ]------------
WARNING: CPU: 1 PID: 8426 at mm/page_alloc.c:5366 __alloc_pages+0x588/0x5f0 mm/page_alloc.c:5413
Modules linked in:
CPU: 1 PID: 8426 Comm: syz-executor477 Not tainted 5.14.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__alloc_pages+0x588/0x5f0 mm/page_alloc.c:5413
Code: 00 48 ba 00 00 00 00 00 fc ff df e9 5e fd ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 6d fd ff ff e8 bd 62 0a 00 e9 63 fd ff ff <0f> 0b 45 31 e4 e9 7a fd ff ff 48 8d 4c 24 50 80 e1 07 80 c1 03 38
RSP: 0018:ffffc90000fff9a0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000014 RCX: 0000000000000000
RDX: 0000000000000028 RSI: 0000000000000000 RDI: ffffc90000fffa28
RBP: ffffc90000fffaa8 R08: dffffc0000000000 R09: ffffc90000fffa00
R10: fffff520001fff45 R11: 0000000000000000 R12: 0000000000040d40
R13: ffffc90000fffa00 R14: 1ffff920001fff3c R15: 1ffff920001fff38
FS: 000000000148e300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa1e9a97740 CR3: 000000003406e000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kmalloc_order+0x41/0x170 mm/slab_common.c:955
kmalloc_order_trace+0x15/0x70 mm/slab_common.c:971
kmalloc_large include/linux/slab.h:520 [inline]
__kmalloc+0x292/0x390 mm/slub.c:4101
kmalloc include/linux/slab.h:596 [inline]
kzalloc include/linux/slab.h:721 [inline]
__v9fs_get_acl+0x40/0x110 fs/9p/acl.c:36
v9fs_get_acl+0xa5/0x290 fs/9p/acl.c:71
v9fs_mount+0x6ea/0x870 fs/9p/vfs_super.c:182
legacy_get_tree+0xea/0x180 fs/fs_context.c:610
vfs_get_tree+0x86/0x270 fs/super.c:1498
do_new_mount fs/namespace.c:2919 [inline]
path_mount+0x196f/0x2be0 fs/namespace.c:3249
do_mount fs/namespace.c:3262 [inline]
__do_sys_mount fs/namespace.c:3470 [inline]
__se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3447
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43f2e9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc30ccf58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f2e9
RDX: 0000000020000200 RSI: 0000000020000000 RDI: 0000000000000000
RBP: 0000000000403040 R08: 0000000020004440 R09: 0000000000400488
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030d0
R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller(a)googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
10 months, 2 weeks