Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.174 2025-09-09T16:54:18+00:00 2025-09-09T16:54:18+00:00 Stanislav Fort stanislav.fort@aisle.com 2025-08-31T14:56:23+00:00 urn:sha1:dce6c2aa70e94c04c523b375dfcc664d7a0a560a commit d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 upstream. batadv_nc_skb_decode_packet() trusts coded_len and checks only against skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing payload headroom, and the source skb length is not verified, allowing an out-of-bounds read and a small out-of-bounds write. Validate that coded_len fits within the payload area of both destination and source sk_buffs before XORing. Fixes: 2df5278b0267 ("batman-adv: network coding - receive coded packets and decode them") Cc: stable@vger.kernel.org Reported-by: Stanislav Fort <disclosure@aisle.com> Signed-off-by: Stanislav Fort <stanislav.fort@aisle.com> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-03-02T08:00:13+00:00 Sven Eckelmann sven@narfation.org 2022-01-21T16:14:44+00:00 urn:sha1:eb7da4f17dfcee649767f89e17842f664a459549 The commit d2a8ebbf8192 ("kernel.h: split out container_of() and typeof_member() macros") introduced a new header for the container_of related macros from (previously) linux/kernel.h. Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2021-12-10T07:52:52+00:00 Minghao Chi chi.minghao@zte.com.cn 2021-12-10T02:19:17+00:00 urn:sha1:cde3fac565a7df8805a4e0e28d84a0f90177099a Return status directly from function called. Reported-by: Zeal Robot <zealci@zte.com.cn> Signed-off-by: Minghao Chi <chi.minghao@zte.com.cn> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2021-10-26T13:47:12+00:00 Pavel Skripkin paskripkin@gmail.com 2021-10-24T13:13:56+00:00 urn:sha1:6f68cd634856f8ca93bafd623ba5357e0f648c68 Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was in wrong error handling in batadv_mesh_init(). Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case of any batadv_*_init() calls failure. This approach may work well, when there is some kind of indicator, which can tell which parts of batadv are initialized; but there isn't any. All written above lead to cleaning up uninitialized fields. Even if we hide ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit GPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1] To fix these bugs we can unwind batadv_*_init() calls one by one. It is good approach for 2 reasons: 1) It fixes bugs on error handling path 2) It improves the performance, since we won't call unneeded batadv_*_free() functions. So, this patch makes all batadv_*_init() clean up all allocated memory before returning with an error to no call correspoing batadv_*_free() and open-codes batadv_mesh_free() with proper order to avoid touching uninitialized fields. Link: https://lore.kernel.org/netdev/000000000000c87fbd05cef6bcb0@google.com/ [1] Reported-and-tested-by: syzbot+28b0702ada0bf7381f58@syzkaller.appspotmail.com Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> Acked-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2021-08-08T18:21:40+00:00 Sven Eckelmann sven@narfation.org 2021-08-08T17:11:08+00:00 urn:sha1:79a0bffb835a094e523c448295d27ccbe6ac6a9b The check if a batman-adv related object is NULL or not is now directly in the batadv_*_put functions. It is not needed anymore to perform this check outside these function: The changes were generated using a coccinelle semantic patch: @@ expression E; @@ - if (likely(E != NULL)) ( batadv_backbone_gw_put | batadv_claim_put | batadv_dat_entry_put | batadv_gw_node_put | batadv_hardif_neigh_put | batadv_hardif_put | batadv_nc_node_put | batadv_nc_path_put | batadv_neigh_ifinfo_put | batadv_neigh_node_put | batadv_orig_ifinfo_put | batadv_orig_node_put | batadv_orig_node_vlan_put | batadv_softif_vlan_put | batadv_tp_vars_put | batadv_tt_global_entry_put | batadv_tt_local_entry_put | batadv_tt_orig_list_entry_put | batadv_tt_req_node_put | batadv_tvlv_container_put | batadv_tvlv_handler_put )(E); Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2021-08-08T18:21:40+00:00 Sven Eckelmann sven@narfation.org 2021-08-08T17:56:17+00:00 urn:sha1:6340dcbd619450c1bb55eb999e554e4f0e6dab0a The commit b37a46683739 ("netdevice: add the case if dev is NULL") changed the way how the NULL check for net_devices have to be handled when trying to reduce its reference counter. Before this commit, it was the responsibility of the caller to check whether the object is NULL or not. But it was changed to behave more like kfree. Now the callee has to handle the NULL-case. The batman-adv code was scanned via cocinelle for similar places. These were changed to use the paradigm @@ identifier E, T, R, C; identifier put; @@ void put(struct T *E) { + if (!E) + return; kref_put(&E->C, R); } Functions which were used in other sources files were moved to the header to allow the compiler to inline the NULL check and the kref_put call. Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2021-02-06T08:22:10+00:00 Sven Eckelmann sven@narfation.org 2020-12-31T23:00:01+00:00 urn:sha1:cfa55c6d47b1e75ccc4b950616e881f3fd07712e The batman-adv source code was using the year of publication (to net-next) as "last" year for the copyright statement. The whole source code mentioned in the MAINTAINERS "BATMAN ADVANCED" section was handled as a single entity regarding the publishing year. This avoided having outdated (in sense of year information - not copyright holder) publishing information inside several files. But since the simple "update copyright year" commit (without other changes) in the file was not well received in the upstream kernel, the option to not have a copyright year (for initial and last publication) in the files are chosen instead. More detailed information about the years can still be retrieved from the SCM system. Signed-off-by: Sven Eckelmann <sven@narfation.org> Acked-by: Marek Lindner <mareklindner@neomailbox.ch> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2020-12-04T07:40:52+00:00 Sven Eckelmann sven@narfation.org 2020-08-17T11:42:29+00:00 urn:sha1:aff6f5a68b921aa8d49c9a50e0115a5b099732ef The debugfs support in batman-adv was marked as deprecated by the commit 00caf6a2b318 ("batman-adv: Mark debugfs functionality as deprecated") and scheduled for removal in 2021. Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> 2020-08-18T17:39:54+00:00 Sven Eckelmann sven@narfation.org 2020-08-17T06:09:48+00:00 urn:sha1:0093870aa891594d170e1dc9aa192a30d530d755 The commit c0842fbc1b18 ("random32: move the pseudo-random 32-bit definitions to prandom.h") introduced a new header for the pseudo random functions from (previously) linux/random.h. One future goal of the prandom.h change is to make code to switch just the new header file and to avoid the implicit include. This would allow the removal of the implicit include from random.h Signed-off-by: Sven Eckelmann <sven@narfation.org> 2020-08-18T17:39:54+00:00 Sven Eckelmann sven@narfation.org 2020-07-31T18:33:00+00:00 urn:sha1:21ba5ab2aa8adecef4addf8f481c33f204da93d2 checkpatch found various instances of "Possible repeated word" in various comments. Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>