Hello:
This patch was applied to netdev/net.git (main)
by Simon Wunderlich <sw(a)simonwunderlich.de>:
On Wed, 7 Jun 2023 17:55:15 +0200 you wrote:
> From: Vladislav Efanov <VEfanov(a)ispras.ru>
>
> Syzkaller got a lot of crashes like:
> KASAN: use-after-free Write in *_timers*
>
> All of these crashes point to the same memory area:
>
> [...]
Here is the summary with links:
- [1/1] batman-adv: Broken sync while rescheduling delayed work
https://git.kernel.org/netdev/net/c/abac3ac97fe8
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Hi David, hi Jakub,
here is a bugfix for batman-adv which we would like to have integrated into net.
Please pull or let me know of any problem!
Thank you,
Simon
The following changes since commit 44c026a73be8038f03dbdeef028b642880cf1511:
Linux 6.4-rc3 (2023-05-21 14:05:48 -0700)
are available in the Git repository at:
git://git.open-mesh.org/linux-merge.git tags/batadv-net-pullrequest-20230607
for you to fetch changes up to abac3ac97fe8734b620e7322a116450d7f90aa43:
batman-adv: Broken sync while rescheduling delayed work (2023-05-26 23:14:49 +0200)
----------------------------------------------------------------
Here is a batman-adv bugfix:
- fix a broken sync while rescheduling delayed work, by
Vladislav Efanov
----------------------------------------------------------------
Vladislav Efanov (1):
batman-adv: Broken sync while rescheduling delayed work
net/batman-adv/distributed-arp-table.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Hello batman maintainers/developers,
This is a 31-day syzbot report for the batman subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/batman
During the period, 0 new issues were detected and 0 were fixed.
In total, 9 issues are still open and 20 have been fixed so far.
Some of the still happening issues:
Ref  Crashes  Repro  Title
<1>  5426     Yes    WARNING: ODEBUG bug in netdev_run_todo
                     https://syzkaller.appspot.com/bug?extid=f9484b345f41843fc9a9
<2>  1375     Yes    WARNING: ODEBUG bug in netdev_freemem (2)
                     https://syzkaller.appspot.com/bug?extid=c4521ac872a4ccc3afec
<3>  128      Yes    INFO: rcu detected stall in batadv_nc_worker (3)
                     https://syzkaller.appspot.com/bug?extid=69904c3b4a09e8fa2e1b
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller(a)googlegroups.com.
To disable reminders for individual bugs, reply with the following command:
#syz set <Ref> no-reminders
To change bug's subsystems, reply with:
#syz set <Ref> subsystems: new-subsystem
You may send multiple commands in a single email message.
Syzkaller got a lot of crashes like:
KASAN: use-after-free Write in *_timers*
All of these crashes point to the same memory area:
The buggy address belongs to the object at ffff88801f870000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 5320 bytes inside of
8192-byte region [ffff88801f870000, ffff88801f872000)
This area belongs to:
batadv_priv->batadv_priv_dat->delayed_work->timer_list
The reason for these issues is the lack of synchronization. Delayed
work (batadv_dat_purge) schedules new timer/work while the device
is being deleted. As a result, a new timer/delayed work is set after
cancel_delayed_work_sync() was called. So after the device is freed
the timer list contains a pointer to already freed memory.
Found by Linux Verification Center (linuxtesting.org) with syzkaller.
Fixes: 2f1dfbe18507 ("batman-adv: Distributed ARP Table - implement local storage")
Signed-off-by: Vladislav Efanov <VEfanov(a)ispras.ru>
---
net/batman-adv/distributed-arp-table.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index 6968e55eb971..28a939d56090 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -101,7 +101,6 @@ static void batadv_dat_purge(struct work_struct *work);
*/
static void batadv_dat_start_timer(struct batadv_priv *bat_priv)
{
- INIT_DELAYED_WORK(&bat_priv->dat.work, batadv_dat_purge);
queue_delayed_work(batadv_event_workqueue, &bat_priv->dat.work,
msecs_to_jiffies(10000));
}
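Review bot: With INIT_DELAYED_WORK() removed from batadv_dat_start_timer(), the function silently relies on bat_priv->dat.work having been initialised by its caller, and the kerneldoc block above it should say so. A one-line remark there that the work item is set up once in batadv_dat_init() would keep a later caller from reintroducing the per-reschedule initialisation this patch removes. The commit message names the lack of synchronization but not the line responsible for it; stating that the re-initialisation in this function is what lets work be queued after cancel_delayed_work_sync() would make the fix easier to follow.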
@@ -819,6 +818,7 @@ int batadv_dat_init(struct batadv_priv *bat_priv)
if (!bat_priv->dat.hash)
return -ENOMEM;
+ INIT_DELAYED_WORK(&bat_priv->dat.work, batadv_dat_purge);
batadv_dat_start_timer(bat_priv);
batadv_tvlv_handler_register(bat_priv, batadv_dat_tvlv_ogm_handler_v1,
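Review bot: INIT_DELAYED_WORK() is placed after the `if (!bat_priv->dat.hash) return -ENOMEM;` check, so on that error return bat_priv->dat.work is left uninitialised. If any cleanup path can reach cancel_delayed_work_sync() on this work item after a failed batadv_dat_init(), it would operate on an uninitialised structure; moving the initialisation ahead of the hash check, or confirming that teardown is skipped on this error, would close that gap.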
--
2.34.1
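An added example, not part of the original patch or of the kernel sources: a userspace model of the race the commit message above describes, showing why initialising the work item on every reschedule lets a timer be armed after the cancel has returned. The `pending` flag and all `model_*` names are assumptions that stand in for the workqueue's internal state.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not kernel code. "pending" stands in for the
 * workqueue's ownership state, "timer_armed" for the timer embedded in
 * the delayed work (and so in the object that teardown frees). */
struct model_dwork {
	bool pending;
	bool timer_armed;
	bool reinit_on_requeue;	/* true = pre-patch behaviour */
};

static void model_queue(struct model_dwork *w)
{
	if (w->pending)
		return;		/* owned elsewhere: refuse to re-arm */
	w->pending = w->timer_armed = true;
}

/* The purge worker re-arming itself at the end of a run. */
static void model_purge_worker(struct model_dwork *w)
{
	if (w->reinit_on_requeue)
		w->pending = false;	/* re-init forgets the current owner */
	model_queue(w);
}

/* Cancel: take ownership, stop the timer, wait for a running worker
 * (modelled by running it here), then release ownership. */
static void model_cancel_sync(struct model_dwork *w)
{
	w->pending = true;
	w->timer_armed = false;
	model_purge_worker(w);
	w->pending = false;
}

/* True if a timer is still armed after cancel has returned. */
bool timer_survives_cancel(bool reinit_on_requeue)
{
	struct model_dwork w = { .reinit_on_requeue = reinit_on_requeue };
	model_cancel_sync(&w);
	return w.timer_armed;
}

int main(void)
{
	printf("re-init in worker: %d, init once: %d\n",
	       timer_survives_cancel(true), timer_survives_cancel(false));
	return 0;
}
```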
Hello batman maintainers/developers,
This is a 31-day syzbot report for the batman subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/batman
During the period, 0 new issues were detected and 0 were fixed.
In total, 7 issues are still open and 20 have been fixed so far.
Some of the still happening issues:
Ref  Crashes  Repro  Title
<1>  5238     Yes    WARNING: ODEBUG bug in netdev_run_todo
                     https://syzkaller.appspot.com/bug?extid=f9484b345f41843fc9a9
<2>  1372     Yes    WARNING: ODEBUG bug in netdev_freemem (2)
                     https://syzkaller.appspot.com/bug?extid=c4521ac872a4ccc3afec
<3>  121      Yes    INFO: rcu detected stall in batadv_nc_worker (3)
                     https://syzkaller.appspot.com/bug?extid=69904c3b4a09e8fa2e1b
Hi Jakub, hi David,
here is a feature/cleanup pull request of batman-adv to go into net-next.
Please pull or let me know of any problem!
Thank you,
Simon
The following changes since commit 88603b6dc419445847923fcb7fe5080067a30f98:
Linux 6.2-rc2 (2023-01-01 13:53:16 -0800)
are available in the Git repository at:
git://git.open-mesh.org/linux-merge.git tags/batadv-next-pullrequest-20230127
for you to fetch changes up to 0c4061c0d0e2c381ffe4d8b7c62ea69ad8132071:
batman-adv: tvlv: prepare for tvlv enabled multicast packet type (2023-01-21 19:01:59 +0100)
----------------------------------------------------------------
This feature/cleanup patchset includes the following patches:
- bump version strings, by Simon Wunderlich
- drop prandom.h includes, by Sven Eckelmann
- fix mailing list address, by Sven Eckelmann
- multicast feature preparation, by Linus Lüssing (2 patches)
----------------------------------------------------------------
Linus Lüssing (2):
batman-adv: mcast: remove now redundant single ucast forwarding
batman-adv: tvlv: prepare for tvlv enabled multicast packet type
Simon Wunderlich (1):
batman-adv: Start new development cycle
Sven Eckelmann (2):
batman-adv: Drop prandom.h includes
batman-adv: Fix mailing list address
Documentation/networking/batman-adv.rst | 2 +-
include/uapi/linux/batadv_packet.h | 2 +
net/batman-adv/bat_iv_ogm.c | 1 -
net/batman-adv/bat_v_elp.c | 1 -
net/batman-adv/bat_v_ogm.c | 5 +-
net/batman-adv/distributed-arp-table.c | 2 +-
net/batman-adv/gateway_common.c | 2 +-
net/batman-adv/main.h | 2 +-
net/batman-adv/multicast.c | 251 ++------------------------------
net/batman-adv/multicast.h | 38 +----
net/batman-adv/network-coding.c | 4 +-
net/batman-adv/routing.c | 7 +-
net/batman-adv/soft-interface.c | 26 ++--
net/batman-adv/translation-table.c | 4 +-
net/batman-adv/tvlv.c | 71 ++++++---
net/batman-adv/tvlv.h | 9 +-
net/batman-adv/types.h | 6 +
17 files changed, 110 insertions(+), 323 deletions(-)
Hi,
The following patchset implements a stateless, TVLV capable batman-adv
multicast packet type.
The new batman-adv multicast packet type allows to contain several
originator destination MAC addresses within a TVLV. Routers on the way will
potentially split the batman-adv multicast packet and adjust its tracker
TVLV contents.
Routing decisions are still based on the selected BATMAN IV or BATMAN V
routing algorithm. So this new batman-adv multicast packet type retains
the same loop-free properties.
The purpose of this new packet type is to allow to forward an IP
multicast packet with less transmissions / overhead than the
multicast-via-multiple-unicasts approach. Or to reach a lot more
destinations (currently up to 196, depending on the payload size, see
Wiki documentation for details) than with the default multicast fanout
for the via-unicasts approach.
This will allow using applications like mDNS again in several Freifunk
communities. And with less transmissions will also make more bulky
multicast applications, like media streaming (to an assessable amount of
receivers) a lot more feasible.
This approach is way simpler than the original multicast (tracker) packet
approach we envisioned years ago. As it involves no maintenance of an
extra, state based multicast routing table. However the TVLV capability
should allow to extend things later, to split control and data plane a bit
more for instance, to further increase the number of destinations, to
further reduce overhead.
A compact overview can be found in the Wiki here, including limitations:
https://www.open-mesh.org/projects/batman-adv/wiki/Multicast-Packet-Type
Regards, Linus
___
Changelog v4:
* PATCH 4/5:
  * add missing include for linux/types.h in multicast.h
  * add missing kerneldoc for @bat_priv in batadv_mcast_forw_push_dest()
    and batadv_mcast_forw_push_tvlvs()
  * use sizeof_field(type, field) instead of sizeof(((type *)0)->field)
    in batadv_mcast_forw_push_dest()
* PATCH 5/5:
  * rename num_dests_remove to num_dests_reduce in
    batadv_mcast_forw_shrink_align_offset() to fix kerneldocs and for
    consistency
  * fix typo in kerneldoc in batadv_mcast_forw_shrink_update_headers()
    -> @num_dest_reduce -> @num_dests_reduce
  * use sizeof_field(type, field) instead of sizeof(((type *)0)->field)
    in batadv_mcast_forw_shrink_align_offset()

Changelog v3:
* PATCH 1/5:
  * remove now obsolete includes
* PATCH 2/5:
  * fix batadv_tvlv_handler_register() in network-coding.c
  * add missing include for linux/skbuff.h
  * move variable declarations out of the switch case
    in batadv_tvlv_call_handler()
* PATCH 3/5:
  * remove unnecessary include of multicast.h in routing.c
  * add a few missing includes to multicast_forw.c
    (linux/byteorder/generic.h, linux/errno.h, linux/gfp.h, linux/stddef.h
    uapi/linux/batadv_packet.h, multicast.h)
* PATCH 4/5:
  * add missing rcu_read_unlock() in error case before returning in
    batadv_mcast_forw_push_dests_list()
  * remove unnecessary include of soft-interface.h in multicast_forw.c
  * add a few missing includes to multicast_forw.c
    (linux/bug.h, linux/build_bug.h, linux/limits.h, linux/rculist.h,
    linux/rcupdate.h, linux/string.h)
  * make batadv_mcast_forw_mode_by_count() static
  * fix return types in the declaration of
    batadv_mcast_forw_packet_hdrlen() and batadv_mcast_forw_push()
    in multicast.h
  * fix typo in commit message: "that the are capable of"
    -> "that the*y* are capable of"
* PATCH 5/5:
  * make batadv_mcast_forw_shrink_pack_dests() adhere to 80 characters
    per line for consistency
  * add a "continue" statement after the jump label in
    batadv_mcast_forw_shrink_pack_dests() to silence the sparse error
    "error: label at end of compound statement"

Changelog v2:
* Add "[PATCH v2 0/5]" prefix to title of cover letter, so that
  Patchwork can hopefully find it - no other changes