diff --git a/batman-adv/Makefile b/batman-adv/Makefile index 253f7c7df..e5cf7b466 100644 --- a/batman-adv/Makefile +++ b/batman-adv/Makefile @@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=batman-adv PKG_VERSION:=2023.1 -PKG_RELEASE:=6 +PKG_RELEASE:=7 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://downloads.open-mesh.org/batman/releases/batman-adv-$(PKG_VERSION) diff --git a/batman-adv/patches/0011-batman-adv-Avoid-infinite-loop-trying-to-resize-loca.patch b/batman-adv/patches/0011-batman-adv-Avoid-infinite-loop-trying-to-resize-loca.patch new file mode 100644 index 000000000..7d4f071e1 --- /dev/null +++ b/batman-adv/patches/0011-batman-adv-Avoid-infinite-loop-trying-to-resize-loca.patch @@ -0,0 +1,59 @@ +From: Sven Eckelmann +Date: Mon, 12 Feb 2024 14:32:13 +0100 +Subject: batman-adv: Avoid infinite loop trying to resize local TT + +If the MTU of one of an attached interface becomes too small to transmit +the local translation table then it must be resized to fit inside all +fragments (when enabled) or a single packet. + +But if the MTU becomes too low to transmit even the header + the VLAN +specific part then the resizing of the local TT will never succeed. This +can for example happen when the usable space is 110 bytes and 11 VLANs are +on top of batman-adv. In this case, at least 116 byte would be needed. +There will just be an endless spam of + + batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110) + +in the log but the function will never finish. Problem here is that the +timeout will be halved all the time and will then stagnate at 0 and +therefore never be able to reduce the table even more. + +There are other scenarios possible with a similar result. The number of +BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too +high to fit inside a packet. Such a scenario can therefore happen also with +only a single VLAN + 7 non-purgable addresses - requiring at least 120 +bytes. + +While this should be handled proactively when: + +* interface with too low MTU is added +* VLAN is added +* non-purgeable local mac is added +* MTU of an attached interface is reduced +* fragmentation setting gets disabled (which most likely requires dropping + attached interfaces) + +not all of these scenarios can be prevented because batman-adv is only +consuming events without the the possibility to prevent these actions +(non-purgable MAC address added, MTU of an attached interface is reduced). +It is therefore necessary to also make sure that the code is able to handle +also the situations when there were already incompatible system +configuration are present. + +Cc: stable@vger.kernel.org +Fixes: f7f2fe494388 ("batman-adv: limit local translation table max size") +Reported-by: syzbot+a6a4b5bb3da165594cff@syzkaller.appspotmail.com +Signed-off-by: Sven Eckelmann +Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/05f6eadbbddc834669249ae204026c383445b571 + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -3948,7 +3948,7 @@ void batadv_tt_local_resize_to_mtu(struc + + spin_lock_bh(&bat_priv->tt.commit_lock); + +- while (true) { ++ while (timeout) { + table_size = batadv_tt_local_table_transmit_size(bat_priv); + if (packet_size_max >= table_size) + break;