CVE-2025-21781

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/02/2025
Last modified: 13/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix panic during interface removal

Reference counting is used to ensure that batadv_hardif_neigh_node and batadv_hard_iface are not freed before/during batadv_v_elp_throughput_metric_update work is finished.

But there isn't a guarantee that the hard if will remain associated with a soft interface up until the work is finished.

This fixes a crash triggered by reboot that looks like this:

Call trace:
 batadv_v_mesh_free+0xd0/0x4dc [batman_adv]
 batadv_v_elp_throughput_metric_update+0x1c/0xa4
 process_one_work+0x178/0x398
 worker_thread+0x2e8/0x4d0
 kthread+0xd8/0xdc
 ret_from_fork+0x10/0x20

(the batadv_v_mesh_free call is misleading, and does not actually happen)

I was able to make the issue happen more reliably by changing hardif_neigh->bat_v.metric_work work to be delayed work. This allowed me to track down and confirm the fix.

[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without soft_iface]

Impact