batadv_mesh_free() schedules some RCU callbacks which need the bat_priv struct to do their jobs, while free_netdev(), which is called immediately after, is destroying the private data.
Put an rcu_barrier() in the middle so that free_netdev() is invoked only after all the callbacks returned.
This bug has been introduced by ab8f433dd39be94e8617cff2dfe9f7eca162eb15 ("batman-adv: Move deinitialization of soft-interface to destructor")
Signed-off-by: Antonio Quartulli ordex@autistici.org ---
soft-interface.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/soft-interface.c b/soft-interface.c index 403b8c4..6f20d33 100644 --- a/soft-interface.c +++ b/soft-interface.c @@ -582,6 +582,13 @@ static void batadv_softif_free(struct net_device *dev) { batadv_debugfs_del_meshif(dev); batadv_mesh_free(dev); + + /* some scheduled RCU callbacks need the bat_priv struct to accomplish + * their tasks. Wait for them all to be finished before freeing the + * netdev and its private data (bat_priv) + */ + rcu_barrier(); + free_netdev(dev); }