From: Kuniyuki Iwashima <kuniyu@google.com>
To: lizhi.xu@windriver.com
Cc: davem@davemloft.net, edumazet@google.com, horms@kernel.org,
jreuter@yaina.de, kuba@kernel.org, linux-hams@vger.kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com,
syzbot+caa052a0958a9146870d@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com, kuniyu@google.com
Subject: Re: [PATCH] net: rose: Prevent the use of freed digipeat
Date: Fri, 24 Oct 2025 03:17:06 +0000 [thread overview]
Message-ID: <20251024031801.35583-1-kuniyu@google.com> (raw)
In-Reply-To: <20251024013153.2811796-1-lizhi.xu@windriver.com>
From: Lizhi Xu <lizhi.xu@windriver.com>
Date: Fri, 24 Oct 2025 09:31:53 +0800
> There is no synchronization between the two timers, rose_t0timer_expiry
> and rose_timer_expiry.
> rose_timer_expiry() puts the neighbor when the rose state is ROSE_STATE_2.
> However, rose_t0timer_expiry() does initiate a restart request on the
> neighbor.
> When rose_t0timer_expiry() accesses the released neighbor member digipeat,
> a UAF is triggered.
>
> To avoid this UAF, when rose_timer_expiry() puts the neighbor, the base
> member digipeat is set to NULL.
>
> syzbot reported a slab-use-after-free Read in ax25_find_cb.
> BUG: KASAN: slab-use-after-free in ax25_find_cb+0x3b8/0x3f0 net/ax25/af_ax25.c:237
> Read of size 1 at addr ffff888059c704c0 by task syz.6.2733/17200
>
> Call Trace:
> ax25_find_cb+0x3b8/0x3f0 net/ax25/af_ax25.c:237
> ax25_send_frame+0x157/0xb60 net/ax25/ax25_out.c:55
> rose_send_frame+0xcc/0x2c0 net/rose/rose_link.c:106
> rose_transmit_restart_request+0x1b8/0x240 net/rose/rose_link.c:198
> rose_t0timer_expiry+0x1d/0x150 net/rose/rose_link.c:83
>
> Freed by task 17183:
> kfree+0x2b8/0x6d0 mm/slub.c:6826
> rose_neigh_put include/net/rose.h:165 [inline]
> rose_timer_expiry+0x537/0x630 net/rose/rose_timer.c:183
> call_timer_fn+0x19a/0x620 kernel/time/timer.c:1747
>
> Fixes: dcb34659028f ("net: rose: split remove and free operations in rose_remove_neigh()")
> Reported-by: syzbot+caa052a0958a9146870d@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
> include/net/rose.h | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/include/net/rose.h b/include/net/rose.h
> index 2b5491bbf39a..9b0dc81a9589 100644
> --- a/include/net/rose.h
> +++ b/include/net/rose.h
> @@ -163,6 +163,7 @@ static inline void rose_neigh_put(struct rose_neigh *rose_neigh)
> if (rose_neigh->ax25)
> ax25_cb_put(rose_neigh->ax25);
> kfree(rose_neigh->digipeat);
> + rose_neigh->digipeat = NULL;
How does this synchronise with the timer which is going to
touch rose_neigh being freed below?
> kfree(rose_neigh);
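Review bot: the added `rose_neigh->digipeat = NULL;` line cannot close the race, because `kfree(rose_neigh);` follows immediately in the same function; a still-armed rose_t0timer_expiry() would then dereference the freed rose_neigh to read that pointer, which is the same class of use-after-free the KASAN report above describes. Clearing a member just before its parent object is released only changes which freed bytes get read. The fix belongs where the lifetime is managed: either stop the t0 timer synchronously (timer_delete_sync()) before the final rose_neigh_put(), or have the timer path hold its own reference on rose_neigh while it runs, so the last put and the kfree() can only happen once no timer can still touch the object.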
Isn't the problem that we reach here without stopping all timers
or that a timer does not hold refcnt?
Also, please post a patch in a separate thread so that patchwork
will not be confused.
https://www.kernel.org/doc/html/latest/process/maintainer-netdev.html#resending-after-review
---8<---
The new version of patches should be posted as a separate
thread, not as a reply to the previous posting.
---8<---
Thread overview: 6+ messages
2025-10-23 12:13 [syzbot] [hams?] KASAN: slab-use-after-free Read in ax25_find_cb syzbot
2025-10-24 1:31 ` [PATCH] net: rose: Prevent the use of freed digipeat Lizhi Xu
2025-10-24 3:17 ` Kuniyuki Iwashima [this message]
2025-10-24 9:05 ` Lizhi Xu
2025-10-24 23:58 ` Jakub Kicinski
2025-12-09 10:34 ` [syzbot] [hams?] KASAN: slab-use-after-free Read in ax25_find_cb syzbot