| author | Sven Eckelmann <sven@narfation.org> | 2026-05-14 20:22:02 +0300 |
|---|---|---|
| committer | Sven Eckelmann <sven@narfation.org> | 2026-05-19 09:44:24 +0300 |
| commit | 20c2d6a20ca936f5aaa6dd40f73f262ac45c87cc (patch) | |
| tree | 5d7430910bf353030cbeb4e5e0c5bed382b36370 | |
| parent | ff24f2ecfd94c07a2b89bac497433e3b23271cac (diff) | |
| download | linux-20c2d6a20ca936f5aaa6dd40f73f262ac45c87cc.tar.xz | |
batman-adv: mcast: fix use-after-free in orig_node RCU release

batadv_mcast_purge_orig() removes entries from RCU-protected hlists but
does not wait for an RCU grace period before returning. Concurrent RCU
readers may still access references to those entries at the point of
removal. RCU-protected readers trying to operate on entries like
orig->mcast_want_all_ipv6_node will then access already freed memory.

Fix this by moving batadv_mcast_purge_orig() to batadv_orig_node_release(),
just before the call_rcu() invocation. This ensures RCU readers that were
active at purge time have drained before the orig_node memory is reclaimed.

Cc: stable@kernel.org
Fixes: ab49886e3da7 ("batman-adv: Add IPv4 link-local/IPv6-ll-all-nodes multicast support")
Acked-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
| -rw-r--r-- | net/batman-adv/originator.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c index b3468ccab535..ad4921b659d9 100644 --- a/net/batman-adv/originator.c +++ b/net/batman-adv/originator.c @@ -835,8 +835,6 @@ static void batadv_orig_node_free_rcu(struct rcu_head *rcu) orig_node = container_of(rcu, struct batadv_orig_node, rcu); - batadv_mcast_purge_orig(orig_node); - batadv_frag_purge_orig(orig_node, NULL); kfree(orig_node->tt_buff); @@ -887,6 +885,8 @@ void batadv_orig_node_release(struct kref *ref) } spin_unlock_bh(&orig_node->vlan_list_lock); + batadv_mcast_purge_orig(orig_node); + call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu); } |
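Review bot: In the first hunk (batadv_orig_node_free_rcu(), around line 835), batadv_frag_purge_orig(orig_node, NULL) stays in the RCU callback while the mcast purge next to it is moved out, and the commit message does not say why that is safe. If the fragment lists are not walked by RCU readers, a sentence in the changelog saying so would help anyone backporting this to stable; if they are, this call needs the same move ahead of call_rcu().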
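Review bot: In the second hunk (batadv_orig_node_release(), around line 887), the new batadv_mcast_purge_orig(orig_node) call depends on being placed before call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu), but nothing in the code records that ordering requirement. A short comment above the call, stating that the hlist removals must happen before call_rcu() so that the grace period covers readers still traversing those lists, would keep a later cleanup from moving the purge back into the callback. The purge also now runs in whatever context drops the last kref instead of in the RCU callback, so it is worth confirming in the changelog that the locks batadv_mcast_purge_orig() takes are safe in every context that can reach the release function.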
