Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.0.y 2026-05-17T15:16:33+00:00 2026-05-17T15:16:33+00:00 Sven Eckelmann sven@narfation.org 2026-05-06T20:20:52+00:00 urn:sha1:7cccf4eb4f96d3c3af91a00b7a9caa652439542e commit ba9d20ee9076dac32c371116bacbe72480eb356c upstream. When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object. Cc: stable@kernel.org Fixes: 3db0decf1185 ("batman-adv: Fix non-atomic bla_claim::backbone_gw access") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-17T15:16:33+00:00 Sven Eckelmann sven@narfation.org 2026-05-06T20:20:51+00:00 urn:sha1:ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d commit cf6b604011591865ae39ac82de8978c1120d17af upstream. When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence. To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of. Cc: stable@kernel.org Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-17T15:16:33+00:00 Sven Eckelmann sven@narfation.org 2026-05-06T20:20:50+00:00 urn:sha1:0cc9847c64cb6e61118bc78c9187c8209a7197fa commit 4ae1709a314060a196981b344610d023ea841e57 upstream. When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped. Cc: stable@kernel.org Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-04-09T01:50:27+00:00 Jakub Kicinski kuba@kernel.org 2026-04-09T01:50:27+00:00 urn:sha1:d614e0186bf37bb46a76d92e474c11f6a5cbc547 Simon Wunderlich says: ==================== Here are two batman-adv bugfixes: - reject oversized global TT response buffers, by Ruide Cao - hold claim backbone gateways by reference, by Haoze Xie * tag 'batadv-net-pullrequest-20260408' of https://git.open-mesh.org/linux-merge: batman-adv: hold claim backbone gateways by reference batman-adv: reject oversized global TT response buffers ==================== Link: https://patch.msgid.link/20260408110255.976389-1-sw@simonwunderlich.de Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2026-04-06T13:42:29+00:00 Haoze Xie royenheart@gmail.com 2026-04-06T13:17:28+00:00 urn:sha1:82d8701b2c930d0e96b0dbc9115a218d791cb0d2 batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern. Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers. Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") Fixes: 04f3f5bf1883 ("batman-adv: add B.A.T.M.A.N. Dump BLA claims via netlink") Cc: stable@vger.kernel.org Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Co-developed-by: Yuan Tan <yuantan098@gmail.com> Signed-off-by: Yuan Tan <yuantan098@gmail.com> Suggested-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Haoze Xie <royenheart@gmail.com> Signed-off-by: Ao Zhou <n05ec@lzu.edu.cn> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2026-02-21T09:02:28+00:00 Kees Cook kees@kernel.org 2026-02-21T07:49:23+00:00 urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> 2025-10-17T14:30:43+00:00 Sven Eckelmann sven@narfation.org 2025-09-28T08:29:32+00:00 urn:sha1:ed5730f3f733659a4a023a5f1e767365fe341648 Make batadv_bla_check_duplist() just use the new function skb_crc32c(), instead of calling skb_seq_read() with crc32c(). This is faster and simpler. Suggested-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2025-09-05T13:11:02+00:00 Sven Eckelmann sven@narfation.org 2025-08-28T15:58:59+00:00 urn:sha1:d5d80ac74f80fab4e2647c1030053d71d8c81bc9 The batadv_skb_crc32() helper was shared between Bridge Loop Avoidance and Network Coding. With the removal of the network coding feature, it is possible to just move this helper directly to Bridge Loop Avoidance. Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2025-02-22T10:36:22+00:00 Sven Eckelmann sven@narfation.org 2025-02-02T12:39:32+00:00 urn:sha1:94433355027db60005551310975de94978549783 The way how the virtual interface is called inside the batman-adv source code is not consistent. The genl headers call it meshif and the rest of the code calls is (mostly) softif. The genl definitions cannot be touched because they are part of the UAPI. But the rest of the batman-adv code can be touched to have a consistent name again. The bulk of the renaming was done using sed -i -e 's/soft\(-\|\_\| \|\)i\([nf]\)/mesh\1i\2/g' \ -e 's/SOFT\(-\|\_\| \|\)I\([NF]\)/MESH\1I\2/g' and then it was adjusted slightly when proofreading the changes. Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2025-01-17T12:36:01+00:00 Linus Lüssing linus.luessing@c0d3.blue 2025-01-13T19:31:39+00:00 urn:sha1:6ecc4fd6c2f43862c5e3b280cf419f0131e45c97 Reduce duplicate code by using netlink helpers which return the soft/hard interface directly. Instead of returning an interface index which we are typically not interested in. Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>