batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
authorSven Eckelmann <sven@narfation.org>
Tue, 19 May 2026 07:23:49 +0000 (09:23 +0200)
committerSven Eckelmann <sven@narfation.org>
Tue, 19 May 2026 08:43:54 +0000 (10:43 +0200)
Without rtnl_lock held, a hardif might be retrieved as the primary interface of
a meshif, but then (while this interface is being operated on) get decoupled
from the mesh interface. In this case, the meshif still exists but the
pointer from the primary hardif to the meshif is set to NULL.

The mesh_iface must be checked first to be non-NULL before continuing to
send an ARP request using meshif.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Reported-by: Ido Schimmel <idosch@nvidia.com>
Reported-by: syzbot+9fdcc9f05a98a540b816@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9fdcc9f05a98a540b816
Signed-off-by: Sven Eckelmann <sven@narfation.org>
net/batman-adv/bridge_loop_avoidance.c

index 1bef12e659cb2be4adaccc9868a0754100e53a9d..ffe854018bd3a528ed64a6e284ba79bc6900d10a 100644 (file)
@@ -356,12 +356,14 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, const u8 *mac,
               sizeof(local_claim_dest));
        local_claim_dest.type = claimtype;
 
-       mesh_iface = primary_if->mesh_iface;
+       mesh_iface = READ_ONCE(primary_if->mesh_iface);
+       if (!mesh_iface)
+               goto out;
 
        skb = arp_create(ARPOP_REPLY, ETH_P_ARP,
                         /* IP DST: 0.0.0.0 */
                         zeroip,
-                        primary_if->mesh_iface,
+                        mesh_iface,
                         /* IP SRC: 0.0.0.0 */
                         zeroip,
                         /* Ethernet DST: Broadcast */
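Review bot: The `READ_ONCE()` and the NULL check at the top of the hunk carry no comment saying which race they close, so a later reader without this commit message may take the `READ_ONCE()` for noise and turn it back into a plain load. A comment above it such as `/* primary_if can be decoupled from its meshif concurrently (no rtnl_lock held); mesh_iface is then NULL, while the meshif itself is still alive */` would pin both the lockless-read reason and the lifetime assumption the commit message states. The `out:` label reached by the new `goto out` is outside the hunk, so whether that path releases everything acquired earlier in the function (e.g. the reference on `primary_if`, if one is held) cannot be checked here and is worth confirming. batadv_bla_send_claim starts and ends outside the hunk.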