[PATCH batadv 2/8] batman-adv: bla: prevent use-after-free when deleting claims

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: Sven Eckelmann <sven@narfation.org>
To: Marek Lindner <marek.lindner@mailbox.org>,
	 Simon Wunderlich <sw@simonwunderlich.de>,
	 Antonio Quartulli <antonio@mandelbit.com>,
	 "David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	 Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,  Simon Horman <horms@kernel.org>
Cc: b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org,
	 linux-kernel@vger.kernel.org, Ao Zhou <n05ec@lzu.edu.cn>,
	 Haoze Xie <royenheart@gmail.com>,
	Jiexun Wang <wangjiexun2025@gmail.com>,
	 Juefei Pu <tomapufckgml@gmail.com>,
	Luxing Yin <tr0jan@lzu.edu.cn>,  Ren Wei <n05ec@lzu.edu.cn>,
	Ruide Cao <caoruide123@gmail.com>,  Xin Liu <bird@lzu.edu.cn>,
	Yifan Wu <yifanwucs@gmail.com>,  Yuan Tan <yuantan098@gmail.com>,
	Sven Eckelmann <sven@narfation.org>,
	 stable@kernel.org
Subject: [PATCH batadv 2/8] batman-adv: bla: prevent use-after-free when deleting claims
Date: Sun, 03 May 2026 14:22:35 +0200	[thread overview]
Message-ID: <20260503-fixes-followup-v1-2-4313278918d3@narfation.org> (raw)
In-Reply-To: <20260503-fixes-followup-v1-0-4313278918d3@narfation.org>

When batadv_bla_del_backbone_claims() removes all claims for a backbone, it
does this by dropping the link entry in the hash list. This list entry
itself was one of the references which need to be dropped at the same time
via batadv_claim_put().

But the batadv_claim_put() must not be done before the last access to the
claim object in this function. Otherwise the claim might be freed already
by the batadv_claim_release() function before the list entry was dropped.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
 net/batman-adv/bridge_loop_avoidance.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 51fe028b9088..8b77dd2ecfa4 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct batadv_bla_backbone_gw *backbone_gw)
 			if (claim->backbone_gw != backbone_gw)
 				continue;
 
-			batadv_claim_put(claim);
 			hlist_del_rcu(&claim->hash_entry);
+			batadv_claim_put(claim);
 		}
 		spin_unlock_bh(list_lock);
 	}

-- 
2.47.3

next prev parent reply	other threads:[~2026-05-03 12:23 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-03 12:22 [PATCH batadv 0/8] batman-adv: follow up fixes Sven Eckelmann
2026-05-03 12:22 ` [PATCH batadv 1/8] batman-adv: tp_meter: fix tp_num leak on kmalloc failure Sven Eckelmann
2026-05-03 12:22 ` Sven Eckelmann [this message]
2026-05-03 12:22 ` [PATCH batadv 3/8] batman-adv: bla: only purge non-released claims Sven Eckelmann
2026-05-03 12:22 ` [PATCH batadv 4/8] batman-adv: tt: fix negative tt_buff_len Sven Eckelmann
2026-05-03 12:22 ` [PATCH batadv 5/8] batman-adv: tt: reject oversized local TVLV buffers Sven Eckelmann
2026-05-03 12:22 ` [PATCH batadv 6/8] batman-adv: tt: fix TOCTOU race for reported vlans Sven Eckelmann
2026-05-03 12:22 ` [PATCH batadv 7/8] batman-adv: tt: avoid empty VLAN responses Sven Eckelmann
2026-05-03 12:22 ` [PATCH batadv 8/8] batman-adv: tt: prevent TVLV entry number overflow Sven Eckelmann
2026-05-05  0:10 ` [PATCH batadv 0/8] batman-adv: follow up fixes Jakub Kicinski
2026-05-05  4:46   ` Sven Eckelmann
2026-05-05  5:00     ` Sven Eckelmann
2026-05-05  5:21       ` Matthieu Baerts
2026-05-05  7:20         ` Sven Eckelmann
2026-05-05 23:02           ` Yuan Tan
2026-05-06  0:20     ` Jakub Kicinski

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:51fe028b908 dfblob:8b77dd2ecfa )
 OR (
bs:"[PATCH batadv 2/8] batman-adv: bla: prevent use-after-free when deleting claims" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260503-fixes-followup-v1-2-4313278918d3@narfation.org \
    --to=sven@narfation.org \
    --cc=antonio@mandelbit.com \
    --cc=b.a.t.m.a.n@lists.open-mesh.org \
    --cc=bird@lzu.edu.cn \
    --cc=caoruide123@gmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=marek.lindner@mailbox.org \
    --cc=n05ec@lzu.edu.cn \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=royenheart@gmail.com \
    --cc=stable@kernel.org \
    --cc=sw@simonwunderlich.de \
    --cc=tomapufckgml@gmail.com \
    --cc=tr0jan@lzu.edu.cn \
    --cc=wangjiexun2025@gmail.com \
    --cc=yifanwucs@gmail.com \
    --cc=yuantan098@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox