12577be7ed
* Broken sync while rescheduling delayed work * compat: Use native kstrtox.h for 5.10.185 * Do not get eth header before batadv_check_management_packet * Trigger events for auto adjusted MTU * Don't increase MTU when set by user * Fix TT global entry leak when client roamed back * Fix batadv_v_ogm_aggr_send memory leak Signed-off-by: Sven Eckelmann <sven@narfation.org>
111 lines
4.6 KiB
Diff
111 lines
4.6 KiB
Diff
From: Remi Pommarel <repk@triplefau.lt>
|
|
Date: Fri, 28 Jul 2023 15:38:50 +0200
|
|
Subject: batman-adv: Do not get eth header before batadv_check_management_packet
|
|
|
|
If received skb in batadv_v_elp_packet_recv or batadv_v_ogm_packet_recv
|
|
is either cloned or non linearized then its data buffer will be
|
|
reallocated by batadv_check_management_packet when skb_cow or
|
|
skb_linearize get called. Thus geting ethernet header address inside
|
|
skb data buffer before batadv_check_management_packet had any chance to
|
|
reallocate it could lead to the following kernel panic:
|
|
|
|
Unable to handle kernel paging request at virtual address ffffff8020ab069a
|
|
Mem abort info:
|
|
ESR = 0x96000007
|
|
EC = 0x25: DABT (current EL), IL = 32 bits
|
|
SET = 0, FnV = 0
|
|
EA = 0, S1PTW = 0
|
|
FSC = 0x07: level 3 translation fault
|
|
Data abort info:
|
|
ISV = 0, ISS = 0x00000007
|
|
CM = 0, WnR = 0
|
|
swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000040f45000
|
|
[ffffff8020ab069a] pgd=180000007fffa003, p4d=180000007fffa003, pud=180000007fffa003, pmd=180000007fefe003, pte=0068000020ab0706
|
|
Internal error: Oops: 96000007 [#1] SMP
|
|
Modules linked in: ahci_mvebu libahci_platform libahci dvb_usb_af9035 dvb_usb_dib0700 dib0070 dib7000m dibx000_common ath11k_pci ath10k_pci ath10k_core mwl8k_new nf_nat_sip nf_conntrack_sip xhci_plat_hcd xhci_hcd nf_nat_pptp nf_conntrack_pptp at24 sbsa_gwdt
|
|
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.15.42-00066-g3242268d425c-dirty #550
|
|
Hardware name: A8k (DT)
|
|
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
|
|
pc : batadv_is_my_mac+0x60/0xc0
|
|
lr : batadv_v_ogm_packet_recv+0x98/0x5d0
|
|
sp : ffffff8000183820
|
|
x29: ffffff8000183820 x28: 0000000000000001 x27: ffffff8014f9af00
|
|
x26: 0000000000000000 x25: 0000000000000543 x24: 0000000000000003
|
|
x23: ffffff8020ab0580 x22: 0000000000000110 x21: ffffff80168ae880
|
|
x20: 0000000000000000 x19: ffffff800b561000 x18: 0000000000000000
|
|
x17: 0000000000000000 x16: 0000000000000000 x15: 00dc098924ae0032
|
|
x14: 0f0405433e0054b0 x13: ffffffff00000080 x12: 0000004000000001
|
|
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
|
|
x8 : 0000000000000000 x7 : ffffffc076dae000 x6 : ffffff8000183700
|
|
x5 : ffffffc00955e698 x4 : ffffff80168ae000 x3 : ffffff80059cf000
|
|
x2 : ffffff800b561000 x1 : ffffff8020ab0696 x0 : ffffff80168ae880
|
|
Call trace:
|
|
batadv_is_my_mac+0x60/0xc0
|
|
batadv_v_ogm_packet_recv+0x98/0x5d0
|
|
batadv_batman_skb_recv+0x1b8/0x244
|
|
__netif_receive_skb_core.isra.0+0x440/0xc74
|
|
__netif_receive_skb_one_core+0x14/0x20
|
|
netif_receive_skb+0x68/0x140
|
|
br_pass_frame_up+0x70/0x80
|
|
br_handle_frame_finish+0x108/0x284
|
|
br_handle_frame+0x190/0x250
|
|
__netif_receive_skb_core.isra.0+0x240/0xc74
|
|
__netif_receive_skb_list_core+0x6c/0x90
|
|
netif_receive_skb_list_internal+0x1f4/0x310
|
|
napi_complete_done+0x64/0x1d0
|
|
gro_cell_poll+0x7c/0xa0
|
|
__napi_poll+0x34/0x174
|
|
net_rx_action+0xf8/0x2a0
|
|
_stext+0x12c/0x2ac
|
|
run_ksoftirqd+0x4c/0x7c
|
|
smpboot_thread_fn+0x120/0x210
|
|
kthread+0x140/0x150
|
|
ret_from_fork+0x10/0x20
|
|
Code: f9403844 eb03009f 54fffee1 f94
|
|
|
|
Thus ethernet header address should only be fetched after
|
|
batadv_check_management_packet has been called.
|
|
|
|
Fixes: 632835348e65 ("batman-adv: OGMv2 - add basic infrastructure")
|
|
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
|
|
Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
|
Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/670971ac7e9a47ee952848e0ea9128180e8fb991
|
|
|
|
--- a/net/batman-adv/bat_v_elp.c
|
|
+++ b/net/batman-adv/bat_v_elp.c
|
|
@@ -506,7 +506,7 @@ int batadv_v_elp_packet_recv(struct sk_b
|
|
struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
|
|
struct batadv_elp_packet *elp_packet;
|
|
struct batadv_hard_iface *primary_if;
|
|
- struct ethhdr *ethhdr = (struct ethhdr *)skb_mac_header(skb);
|
|
+ struct ethhdr *ethhdr;
|
|
bool res;
|
|
int ret = NET_RX_DROP;
|
|
|
|
@@ -514,6 +514,7 @@ int batadv_v_elp_packet_recv(struct sk_b
|
|
if (!res)
|
|
goto free_skb;
|
|
|
|
+ ethhdr = eth_hdr(skb);
|
|
if (batadv_is_my_mac(bat_priv, ethhdr->h_source))
|
|
goto free_skb;
|
|
|
|
--- a/net/batman-adv/bat_v_ogm.c
|
|
+++ b/net/batman-adv/bat_v_ogm.c
|
|
@@ -985,7 +985,7 @@ int batadv_v_ogm_packet_recv(struct sk_b
|
|
{
|
|
struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
|
|
struct batadv_ogm2_packet *ogm_packet;
|
|
- struct ethhdr *ethhdr = eth_hdr(skb);
|
|
+ struct ethhdr *ethhdr;
|
|
int ogm_offset;
|
|
u8 *packet_pos;
|
|
int ret = NET_RX_DROP;
|
|
@@ -999,6 +999,7 @@ int batadv_v_ogm_packet_recv(struct sk_b
|
|
if (!batadv_check_management_packet(skb, if_incoming, BATADV_OGM2_HLEN))
|
|
goto free_skb;
|
|
|
|
+ ethhdr = eth_hdr(skb);
|
|
if (batadv_is_my_mac(bat_priv, ethhdr->h_source))
|
|
goto free_skb;
|
|
|