From: Remi Pommarel
To: Marek Lindner, Simon Wunderlich, Antonio Quartulli, Sven Eckelmann
Cc: "David S. Miller", Eric Dumazet, b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Remi Pommarel, stable@vger.kernel.org
Subject: [PATCH net] batman-adv: Fix TT global entry leak when client roamed back
Date: Fri, 4 Aug 2023 11:39:36 +0200
Message-Id: <20230804093936.22257-1-repk@triplefau.lt>

When a client roamed back to a node before it got time to destroy the
pending local entry (i.e. within the same originator interval) the old
global one is directly removed from hash table and left as such.

But because this entry had an extra reference taken at lookup (i.e. using
batadv_tt_global_hash_find) there is no way its memory will be reclaimed
at any time causing the following memory leak:

  unreferenced object 0xffff0000073c8000 (size 18560):
    comm "softirq", pid 0, jiffies 4294907738 (age 228.644s)
    hex dump (first 32 bytes):
      06 31 ac 12 c7 7a 05 00 01 00 00 00 00 00 00 00  .1...z..........
      2c ad be 08 00 80 ff ff 6c b6 be 08 00 80 ff ff  ,.......l.......
    backtrace:
      [<00000000ee6e0ffa>] kmem_cache_alloc+0x1b4/0x300
      [<000000000ff2fdbc>] batadv_tt_global_add+0x700/0xe20
      [<00000000443897c7>] _batadv_tt_update_changes+0x21c/0x790
      [<000000005dd90463>] batadv_tt_update_changes+0x3c/0x110
      [<00000000a2d7fc57>] batadv_tt_tvlv_unicast_handler_v1+0xafc/0xe10
      [<0000000011793f2a>] batadv_tvlv_containers_process+0x168/0x2b0
      [<00000000b7cbe2ef>] batadv_recv_unicast_tvlv+0xec/0x1f4
      [<0000000042aef1d8>] batadv_batman_skb_recv+0x25c/0x3a0
      [<00000000bbd8b0a2>] __netif_receive_skb_core.isra.0+0x7a8/0xe90
      [<000000004033d428>] __netif_receive_skb_one_core+0x64/0x74
      [<000000000f39a009>] __netif_receive_skb+0x48/0xe0
      [<00000000f2cd8888>] process_backlog+0x174/0x344
      [<00000000507d6564>] __napi_poll+0x58/0x1f4
      [<00000000b64ef9eb>] net_rx_action+0x504/0x590
      [<00000000056fa5e4>] _stext+0x1b8/0x418
      [<00000000878879d6>] run_ksoftirqd+0x74/0xa4
  unreferenced object 0xffff00000bae1a80 (size 56):
    comm "softirq", pid 0, jiffies 4294910888 (age 216.092s)
    hex dump (first 32 bytes):
      00 78 b1 0b 00 00 ff ff 0d 50 00 00 00 00 00 00  .x.......P......
      00 00 00 00 00 00 00 00 50 c8 3c 07 00 00 ff ff  ........P.<.....
backtrace: [<00000000ee6e0ffa>] kmem_cache_alloc+0x1b4/0x300 [<00000000d9aaa49e>] batadv_tt_global_add+0x53c/0xe20 [<00000000443897c7>] _batadv_tt_update_changes+0x21c/0x790 [<000000005dd90463>] batadv_tt_update_changes+0x3c/0x110 [<00000000a2d7fc57>] batadv_tt_tvlv_unicast_handler_v1+0xafc/0xe10 [<0000000011793f2a>] batadv_tvlv_containers_process+0x168/0x2b0 [<00000000b7cbe2ef>] batadv_recv_unicast_tvlv+0xec/0x1f4 [<0000000042aef1d8>] batadv_batman_skb_recv+0x25c/0x3a0 [<00000000bbd8b0a2>] __netif_receive_skb_core.isra.0+0x7a8/0xe90 [<000000004033d428>] __netif_receive_skb_one_core+0x64/0x74 [<000000000f39a009>] __netif_receive_skb+0x48/0xe0 [<00000000f2cd8888>] process_backlog+0x174/0x344 [<00000000507d6564>] __napi_poll+0x58/0x1f4 [<00000000b64ef9eb>] net_rx_action+0x504/0x590 [<00000000056fa5e4>] _stext+0x1b8/0x418 [<00000000878879d6>] run_ksoftirqd+0x74/0xa4 Releasing the extra reference from batadv_tt_global_hash_find even at roam back when batadv_tt_global_free is called fixes this memory leak. Cc: stable@vger.kernel.org Fixes: 068ee6e204e1 ("batman-adv: roaming handling mechanism redesign") Signed-off-by: Remi Pommarel --- net/batman-adv/translation-table.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index 36ca31252a73..b95c36765d04 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -774,7 +774,6 @@ bool batadv_tt_local_add(struct net_device *soft_iface, const u8 *addr, if (roamed_back) { batadv_tt_global_free(bat_priv, tt_global, "Roaming canceled"); - tt_global = NULL; } else { /* The global entry has to be marked as ROAMING and * has to be kept for consistency purpose -- 2.40.0
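
Review bot: the roamed_back branch of batadv_tt_local_add now leaves tt_global pointing at an entry that batadv_tt_global_free() has just removed from the hash table, and nothing in the branch says why the pointer must stay set. A one-line comment where "tt_global = NULL;" used to be, noting that the pointer is kept so the reference taken by batadv_tt_global_hash_find is released later, would stop the assignment from being reintroduced as a tidy-up. The release site is outside the context shown in this hunk, so it is also worth confirming that no code between this branch and that release uses tt_global on the assumption that it is still in the hash table.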