Linux Kernel batman-adv Unmanaged ELP Metric Worker Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's batman-adv module, specifically within the ELP metric worker functionality. This issue arises because the ELP worker must calculate new metric values for neighbors 'reachable' over an interface, but some metric sources require locks that can sleep. This sleeping behavior conflicts with the RCU list iterator used for recorded neighbors. The initial workaround involved queuing a separate work item for each neighbor, but this approach could lead to invalid memory accesses if, for example, a related interface was removed or the batman-adv module was unloaded. Additionally, directly canceling the metric worker presents challenges, such as potential deadlocks when trying to use the rtnl_lock with an interface that is being deactivated. A more effective solution involves eliminating the per-interface neighbor metric worker and managing everything through the interface worker, thereby avoiding these complications.
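The conflict and the single-worker approach described above, modelled in userspace C as an added example; it is not the kernel patch or batman-adv code. All names are hypothetical: a counter stands in for the RCU read-side section and a plain integer for the neighbor reference count.

```c
/* Userspace model, constructed for illustration; every name is hypothetical. */
#include <stddef.h>
#define MAX_NEIGH 8
struct neigh { int id, refcnt, metric; struct neigh *next; };
static int in_read_section;  /* >0 models being inside the RCU read section */
static int sleep_violations; /* sleeps attempted inside that section */

/* Models a metric source that takes a lock which may sleep. */
static int query_metric_may_sleep(const struct neigh *n)
{
    if (in_read_section)
        sleep_violations++;
    return n->id * 100;
}

/* The conflict: a sleeping call made while iterating the neighbor list. */
static int naive_pass(struct neigh *head)
{
    int updated = 0;
    in_read_section++;
    for (struct neigh *n = head; n; n = n->next, updated++)
        n->metric = query_metric_may_sleep(n);
    in_read_section--;
    return updated;
}

/* One worker: pin neighbors inside the read section, update after it. */
static int snapshot_pass(struct neigh *head)
{
    struct neigh *snap[MAX_NEIGH];
    int count = 0;
    in_read_section++;
    for (struct neigh *n = head; n && count < MAX_NEIGH; n = n->next) {
        if (n->refcnt == 0) continue; /* already being released */
        n->refcnt++;                  /* pin so it stays valid afterwards */
        snap[count++] = n;
    }
    in_read_section--;
    for (int i = 0; i < count; i++) { /* sleeping is allowed here */
        snap[i]->metric = query_metric_may_sleep(snap[i]);
        snap[i]->refcnt--;            /* drop the pin */
    }
    return count;
}

int main(void)
{
    struct neigh b = {2, 1, 0, NULL}, a = {1, 1, 0, &b};
    return (naive_pass(&a) == 2 && snapshot_pass(&a) == 2) ? 0 : 1;
}
```

Because the same worker both pins and releases each neighbor, no separately queued work item is left to run after an interface is removed or the module is unloaded.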

Impact

The vulnerability could lead to invalid memory accesses, potentially causing memory corruption or other unintended behavior in the kernel.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.