batman-adv: mcast: fix use-after-free in orig_node RCU release

batadv_mcast_purge_orig() removes entries from RCU-protected hlists but
does not wait for an RCU grace period before returning. Concurrent RCU
readers may still accesses references to those entries at the point of
removal. RCU-protected readers trying to operate on entries like
orig->mcast_want_all_ipv6_node will then access already freed memory.

Fix this by moving batadv_mcast_purge_orig() to batadv_orig_node_release(),
just before the call_rcu() invocation. This ensures RCU readers that were
active at purge time have drained before the orig_node memory is reclaimed.

Cc: stable@kernel.org
Fixes: ab49886e3da7 ("batman-adv: Add IPv4 link-local/IPv6-ll-all-nodes multicast support")
Acked-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>

diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
index b3468ccab53541eccb4e22023cceadf3a7ca1b5b..ad4921b659d9d81f29c01e857c4976ef24011228 100644 (file)
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -835,8 +835,6 @@ static void batadv_orig_node_free_rcu(struct rcu_head *rcu)
 
        orig_node = container_of(rcu, struct batadv_orig_node, rcu);
 
-       batadv_mcast_purge_orig(orig_node);
-
        batadv_frag_purge_orig(orig_node, NULL);
 
        kfree(orig_node->tt_buff);
@@ -887,6 +885,8 @@ void batadv_orig_node_release(struct kref *ref)
        }
        spin_unlock_bh(&orig_node->vlan_list_lock);
 
+       batadv_mcast_purge_orig(orig_node);
+
        call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu);
 }