60 lines
2.5 KiB
Diff
From: Sven Eckelmann <sven@narfation.org>
Date: Mon, 12 Feb 2024 14:32:13 +0100
Subject: batman-adv: Avoid infinite loop trying to resize local TT

If the MTU of one of the attached interfaces becomes too small to transmit
the local translation table then it must be resized to fit inside all
fragments (when enabled) or a single packet.

But if the MTU becomes too low to transmit even the header + the VLAN
specific part then the resizing of the local TT will never succeed. This
can for example happen when the usable space is 110 bytes and 11 VLANs are
on top of batman-adv. In this case, at least 116 bytes would be needed.
There will just be an endless spam of

    batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)

in the log but the function will never finish. The problem here is that the
timeout will be halved all the time and will then stagnate at 0 and
therefore never be able to reduce the table even more.

There are other scenarios possible with a similar result. The number of
BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too
high to fit inside a packet. Such a scenario can therefore happen also with
only a single VLAN + 7 non-purgeable addresses - requiring at least 120
bytes.

While this should be handled proactively when:

* interface with too low MTU is added
* VLAN is added
* non-purgeable local mac is added
* MTU of an attached interface is reduced
* fragmentation setting gets disabled (which most likely requires dropping
  attached interfaces)

not all of these scenarios can be prevented because batman-adv is only
consuming events without the possibility to prevent these actions
(non-purgeable MAC address added, MTU of an attached interface is reduced).
It is therefore necessary to also make sure that the code is able to handle
the situations when incompatible system configurations are already
present.

Cc: stable@vger.kernel.org
Fixes: f7f2fe494388 ("batman-adv: limit local translation table max size")
Reported-by: syzbot+a6a4b5bb3da165594cff@syzkaller.appspotmail.com
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/05f6eadbbddc834669249ae204026c383445b571

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -3948,7 +3948,7 @@ void batadv_tt_local_resize_to_mtu(struc
spin_lock_bh(&bat_priv->tt.commit_lock);
- while (true) {
+ while (timeout) {
table_size = batadv_tt_local_table_transmit_size(bat_priv);
if (packet_size_max >= table_size)
break;
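
Review bot: the new `while (timeout)` condition in batadv_tt_local_resize_to_mtu() lets the loop end with table_size still larger than packet_size_max, and nothing in the visible lines tells the reader or the operator that this happened. The commit message says the table can be impossible to shrink (header plus VLAN part, or BATADV_TT_CLIENT_NOPURGE entries, already exceed the usable space), so leaving the loop through the timeout condition means the resize gave up, not that the table fits. A short comment on the loop stating that it stops once the timeout has been halved down to 0 would document the intent, and a single rate-limited message for the "could not fit" exit would make the misconfiguration visible in the log instead of only ending the repeated "Forced to purge local tt entries" lines. It is also worth checking that the code after the loop does not assume packet_size_max >= table_size when the loop was left this way.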