Bug #438
opentp_meter: last_recv_time accessed without initialization
Start date:
06/04/2026
Due date:
% Done:
0%
Estimated time:
Description
In batadv_tp_init_recv(), tp_vars is allocated with kmalloc_obj() using GFP_ATOMIC which does not zero memory. The timer is armed immediately:
kref_get(&tp_vars->refcount);
timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
batadv_tp_reset_receiver_timer(tp_vars);
But tp_vars->last_recv_time is left uninitialized. It is only set later in batadv_tp_recv_msg():
tp_vars->last_recv_time = jiffies;
If execution is delayed before setting last_recv_time, could the timer fire and evaluate garbage memory for batadv_has_timed_out()?
See: https://sashiko.dev/#/patchset/20260603072527.174487-1-sw@simonwunderlich.de?part=3
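The following is an added user-space model of the failure the report describes; it is not batman-adv code. It reproduces the shape of the kernel's wraparound-safe time_after()/time_is_before_jiffies() comparison and of batadv_has_timed_out(), fills a freshly "allocated" receiver with whatever stale bytes a non-zeroing allocator might leave, and asks what the receiver-shutdown timer would conclude from that timestamp. The 1000 ms timeout, the struct layout, HZ = 1000 and all function names are assumptions made for the model.

```c
/* Added example (not batman-adv code): why a timer that reads an
 * uninitialized last_recv_time can go either way, and how initializing
 * the field at allocation time removes the ambiguity. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MODEL_HZ 1000U
/* Assumed receiver timeout in milliseconds (the kernel uses a constant of
 * this kind; the exact value is not needed for the argument). */
#define MODEL_TP_RECV_TIMEOUT_MS 1000U

/* Same idea as the kernel's time_after(): signed difference so that a
 * wrapped jiffies counter still compares correctly. */
static bool model_time_after(unsigned long a, unsigned long b)
{
	return (long)(b - a) < 0;
}

static unsigned long model_msecs_to_jiffies(unsigned int ms)
{
	return (unsigned long)ms * MODEL_HZ / 1000U;
}

/* Mirrors batadv_has_timed_out(): time_is_before_jiffies(ts + timeout),
 * i.e. "now" is already past the deadline derived from the timestamp. */
static bool model_has_timed_out(unsigned long now, unsigned long timestamp,
				unsigned int timeout_ms)
{
	return model_time_after(now, timestamp + model_msecs_to_jiffies(timeout_ms));
}

/* Reduced stand-in for the receiver state; only the field under discussion. */
struct model_tp_receiver {
	unsigned long last_recv_time;
	unsigned char padding[24];
};

/* Unpatched init: the allocator does not zero memory, so the field holds
 * whatever `stale` byte pattern was left behind; the timer is armed anyway. */
static void model_init_recv_unpatched(struct model_tp_receiver *r, unsigned char stale)
{
	memset(r, stale, sizeof(*r));	/* emulates a non-zeroing allocation */
}

/* Patched init: same allocation, but the timestamp is set before any timer
 * can observe it. */
static void model_init_recv_patched(struct model_tp_receiver *r, unsigned char stale,
				    unsigned long now)
{
	memset(r, stale, sizeof(*r));
	r->last_recv_time = now;
}

/* What the shutdown timer, firing at `now`, would decide for this receiver. */
static bool model_timer_would_shutdown(const struct model_tp_receiver *r, unsigned long now)
{
	return model_has_timed_out(now, r->last_recv_time, MODEL_TP_RECV_TIMEOUT_MS);
}

int main(void)
{
	struct model_tp_receiver r;
	const unsigned long now = 5000;	/* constructed jiffies value at init time */

	/* Stale zero bytes: deadline long past, session torn down immediately. */
	model_init_recv_unpatched(&r, 0x00);
	printf("stale 0x00 -> shutdown=%d\n", model_timer_would_shutdown(&r, now + 100));

	/* Stale 0x7f bytes: deadline far in the future, session never times out. */
	model_init_recv_unpatched(&r, 0x7f);
	printf("stale 0x7f -> shutdown=%d\n", model_timer_would_shutdown(&r, now + 100));

	/* Patched: outcome depends only on elapsed time, regardless of stale bytes. */
	model_init_recv_patched(&r, 0x7f, now);
	printf("patched, +100 -> shutdown=%d\n", model_timer_would_shutdown(&r, now + 100));
	printf("patched, +1001 -> shutdown=%d\n", model_timer_would_shutdown(&r, now + 1001));
	return 0;
}
```

The two unpatched runs show both failure modes a reviewer would want to rule out: a stale low value makes the first timer expiry tear the session down before any packet arrives, while a stale high value defers the timeout indefinitely. With the timestamp set at allocation, the decision depends only on how much time has passed since init, which is the behaviour the fix restores.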
Updated by Sven Eckelmann 14 days ago
- Status changed from New to In Progress
- Assignee changed from Antonio Quartulli to Sven Eckelmann
Potential fix would be:
diff --git c/net/batman-adv/tp_meter.c w/net/batman-adv/tp_meter.c
index 978e32d9..e2368d4c 100644
--- c/net/batman-adv/tp_meter.c
+++ w/net/batman-adv/tp_meter.c
@@ -1539,6 +1539,8 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
kref_get(&tp_vars->common.refcount);
timer_setup(&tp_vars->common.timer, batadv_tp_receiver_shutdown, 0);
+ tp_vars->last_recv_time = jiffies;
+
kref_get(&tp_vars->common.refcount);
hlist_add_head_rcu(&tp_vars->common.list, &bat_priv->tp_receiver_list);
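Review bot: the new assignment sits after timer_setup() and before hlist_add_head_rcu() publishes tp_vars, so the field is valid before the receiver timer can first fire or another CPU can find the entry; that ordering is the whole point of the fix, and nothing in the surrounding code records it. Consider a one-line comment above the assignment, e.g. "/* must be valid before the receiver timer is armed */", so a later reorder of the init sequence does not silently reintroduce the uninitialized read.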
@@ -1587,9 +1589,9 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
icmp->orig);
goto out;
}
- }
- tp_vars->last_recv_time = jiffies;
+ tp_vars->last_recv_time = jiffies;
+ }
/* if the packet is a duplicate, it may be the case that an ACK has been
* lost. Resend the ACK
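Review bot: moving the closing brace so that `tp_vars->last_recv_time = jiffies;` now executes only inside the enclosing block is a behaviour change beyond the initialization fix, and the hunk does not say why. From the context that follows ("if the packet is a duplicate ... Resend the ACK") it appears duplicates will no longer refresh last_recv_time and therefore no longer extend the receiver timeout; if that is intended, state it in the commit message, and if it is not, keep the assignment at its original position and only add the initialization in batadv_tp_init_recv().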
Updated by Sven Eckelmann 7 days ago
- Status changed from In Progress to Resolved
- Target version set to 2026.2