From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2025-21823: batman-adv: Drop unmanaged ELP metric worker

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: Drop unmanaged ELP metric worker

The ELP worker needs to calculate new metric values for all neighbors
"reachable" over an interface. Some of the used metric sources require
locks which might need to sleep. This sleep is incompatible with the RCU
list iterator used for the recorded neighbors. The initial approach to work
around this problem was to queue another work item per neighbor and then
run this in a new context.

Even when this solved the RCU vs might_sleep() conflict, it has a major
problem: Nothing was stopping the work item in case it is not needed
anymore - for example because one of the related interfaces was removed or
the batman-adv module was unloaded - resulting in potential invalid memory
accesses.

Directly canceling the metric worker also has various problems:

* cancel_work_sync for a to-be-deactivated interface is called with
  rtnl_lock held. But the code in the ELP metric worker also tries to use
  rtnl_lock() - which will never return in this case. This also means that
  cancel_work_sync would never return because it is waiting for the worker
  to finish.
* iterating over the neighbor list for the to-be-deactivated interface is
  currently done using the RCU specific methods, which means that it is
  possible to miss items when iterating over it without the associated
  spinlock - a behaviour which is acceptable for a periodic metric check
  but not for a cleanup routine (which must "stop" all still running
  workers)

The better approach is to get rid of the per interface neighbor metric
worker and handle everything in the interface worker. The original problems
are solved by:

* creating a list of neighbors which require new metric information inside
  the RCU protected context, gathering the metric according to the new list
  outside the RCU protected context
* only use rcu_trylock inside metric gathering code to avoid a deadlock
  when the cancel_delayed_work_sync is called in the interface removal code
  (which is called with the rtnl_lock held)

The Linux kernel CVE team has assigned CVE-2025-21823 to this issue.
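The two-step structure the commit describes (record which neighbors need work inside the RCU-protected context, gather the sleeping metrics outside it, and take the lock held by the removal path with a trylock so a synchronous cancel cannot deadlock) can be shown in a small user-space model. The code below is an added example, not the batman-adv or kernel code: the struct names (struct neigh, struct hardif), the function names and the sample neighbors are constructed for illustration, a pthread rwlock stands in for the RCU read side, and a pthread mutex stands in for rtnl_lock as held by the interface removal code while it waits in cancel_delayed_work_sync.

```c
/* Added example, not kernel code: models the collect-then-gather pattern
 * and the trylock that avoids the cancel-under-rtnl_lock deadlock. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_NEIGH 8

/* Hypothetical neighbour record; the kernel's real layouts live in types.h. */
struct neigh {
    int id;
    bool needs_metric;   /* set when the periodic check finds the metric stale */
    int metric;
};

/* Hypothetical per-interface state. neigh_lock stands in for the RCU read
 * side; rtnl stands in for rtnl_lock, which the removal path holds while it
 * waits in cancel_delayed_work_sync(). */
struct hardif {
    pthread_rwlock_t neigh_lock;
    struct neigh neighs[MAX_NEIGH];
    size_t nneigh;
    pthread_mutex_t *rtnl;
};

/* Step 1 (inside the "RCU" context): only record which neighbours need new
 * metrics. Nothing here may block, so no sleeping metric source is called. */
size_t elp_collect_pending(struct hardif *hif, int *out, size_t max)
{
    size_t n = 0;

    pthread_rwlock_rdlock(&hif->neigh_lock);
    for (size_t i = 0; i < hif->nneigh && n < max; i++)
        if (hif->neighs[i].needs_metric)
            out[n++] = hif->neighs[i].id;
    pthread_rwlock_unlock(&hif->neigh_lock);
    return n;
}

/* Stand-in for a metric source that takes sleeping locks. It is safe to
 * call here because the caller no longer holds the read-side lock. */
static int sleeping_metric_source(int neigh_id)
{
    return 100 + neigh_id;   /* constructed value, derived from the id */
}

/* Step 2 (outside the "RCU" context): gather metrics for the collected
 * list. The rtnl stand-in is taken with trylock: if the interface removal
 * path already holds it while waiting for this worker to finish, the
 * worker returns -1 instead of blocking on it forever (the deadlock the
 * commit describes). Otherwise it returns the number of neighbours updated. */
int elp_update_metrics(struct hardif *hif, const int *ids, size_t n)
{
    int updated = 0;

    if (pthread_mutex_trylock(hif->rtnl) != 0)
        return -1;

    for (size_t i = 0; i < n; i++) {
        int m = sleeping_metric_source(ids[i]);

        /* Write back under the list lock; a neighbour removed in the
         * meantime is simply not found and is skipped. */
        pthread_rwlock_wrlock(&hif->neigh_lock);
        for (size_t j = 0; j < hif->nneigh; j++) {
            if (hif->neighs[j].id != ids[i])
                continue;
            hif->neighs[j].metric = m;
            hif->neighs[j].needs_metric = false;
            updated++;
        }
        pthread_rwlock_unlock(&hif->neigh_lock);
    }
    pthread_mutex_unlock(hif->rtnl);
    return updated;
}

/* One pass of the single per-interface worker: collect, then gather. */
int elp_worker_pass(struct hardif *hif)
{
    int pending[MAX_NEIGH];
    size_t n = elp_collect_pending(hif, pending, MAX_NEIGH);

    return elp_update_metrics(hif, pending, n);
}

/* Constructed sample: three neighbours, two of them with stale metrics. */
void make_sample_hardif(struct hardif *hif, pthread_mutex_t *rtnl)
{
    static const struct neigh sample[3] = {
        { 1, true, 0 }, { 2, false, 7 }, { 3, true, 0 },
    };

    memset(hif, 0, sizeof(*hif));
    pthread_rwlock_init(&hif->neigh_lock, NULL);
    memcpy(hif->neighs, sample, sizeof(sample));
    hif->nneigh = 3;
    hif->rtnl = rtnl;
}
```

A first call to elp_worker_pass() on the sample updates the two stale neighbours and leaves the fresh one untouched; a second call finds nothing pending. Locking the rtnl stand-in before a pass, as the removal path would, makes the pass return -1 immediately rather than wait, which is exactly what lets a synchronous cancel that holds that lock complete.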


Affected and fixed versions
===========================

Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 5.4.291 with commit 1c334629176c2d644befc31a20d4bf75542f7631
Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 5.10.235 with commit a0019971f340ae02ba54cf1861f72da7e03e6b66
Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 5.15.179 with commit 3c0e0aecb78cb2a2ca1dc701982d08fedb088dc6
Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.1.129 with commit 781a06fd265a8151f7601122d9c2e985663828ff
Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.6.79 with commit a7aa2317285806640c844acd4cd2cd768e395264
Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.12.16 with commit 0fdc3c166ac17b26014313fa2b93696354511b24
Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.13.4 with commit af264c2a9adc37f4bdf88ca7f3affa15d8c7de9e
Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.14 with commit 8c8ecc98f5c65947b0070a24bac11e12e47cc65d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-21823
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
net/batman-adv/bat_v.c
net/batman-adv/bat_v_elp.c
net/batman-adv/bat_v_elp.h
net/batman-adv/types.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/1c334629176c2d644befc31a20d4bf75542f7631
https://git.kernel.org/stable/c/a0019971f340ae02ba54cf1861f72da7e03e6b66
https://git.kernel.org/stable/c/3c0e0aecb78cb2a2ca1dc701982d08fedb088dc6
https://git.kernel.org/stable/c/781a06fd265a8151f7601122d9c2e985663828ff
https://git.kernel.org/stable/c/a7aa2317285806640c844acd4cd2cd768e395264
https://git.kernel.org/stable/c/0fdc3c166ac17b26014313fa2b93696354511b24
https://git.kernel.org/stable/c/af264c2a9adc37f4bdf88ca7f3affa15d8c7de9e
https://git.kernel.org/stable/c/8c8ecc98f5c65947b0070a24bac11e12e47cc65d