From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: netdev@vger.kernel.org
Cc: Jiayuan Chen <jiayuan.chen@shopee.com>,
	syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com,
	Jiayuan Chen <jiayuan.chen@linux.dev>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>, Kees Cook <kees@kernel.org>,
	Takamitsu Iwai <takamitz@amazon.co.jp>,
	Pwnverse <stanksal@purdue.edu>, Ingo Molnar <mingo@kernel.org>,
	linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH net v1] net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
Date: Tue, 10 Mar 2026 18:13:40 +0800
Message-ID: <20260310101349.50993-1-jiayuan.chen@linux.dev>

From: Jiayuan Chen <jiayuan.chen@shopee.com>

syzkaller reported a bug [1], and the reproducer is available at [2].

When rose_connect() is called a second time on an already-connecting
socket, it overwrites rose->neighbour with the result of rose_get_neigh()
without releasing the previous reference. If rose_get_neigh() returns
NULL, the socket is left in an inconsistent state: rose->state remains
ROSE_STATE_1 from the first connect while rose->neighbour is NULL.

When the socket is subsequently closed, rose_release() sees ROSE_STATE_1
and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing
a NULL pointer dereference when accessing neigh->loopback.

Fix this by:
1. Releasing the old neighbour reference before attempting a reconnect
2. Resetting rose->state to ROSE_STATE_0 before the new connect attempt,
   so a failure leaves the socket in a clean state
3. Setting rose->neighbour to NULL in all error paths after
   rose_neigh_put() to prevent use-after-free on subsequent reconnects

[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
---
 net/rose/af_rose.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 841d62481048..d9bf32ac3df3 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -814,6 +814,14 @@ static int rose_connect(struct socket *sock, struct sockaddr_unsized *uaddr, int
 	sk->sk_state   = TCP_CLOSE;
 	sock->state = SS_UNCONNECTED;
 
+	/* Release previous neighbour ref if reconnecting */
+	if (rose->neighbour) {
+		rose_neigh_put(rose->neighbour);
+		rose->neighbour = NULL;
+	}
+
+	rose->state = ROSE_STATE_0;
+
 	rose->neighbour = rose_get_neigh(&addr->srose_addr, &cause,
 					 &diagnostic, 0);
 	if (!rose->neighbour) {
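Review bot: the unconditional `rose->state = ROSE_STATE_0` together with the `rose_neigh_put()` above it silently abandons a first connect that, per the commit message, is already in ROSE_STATE_1, meaning a call request may already have gone out on the old neighbour; the patch description should say why a second connect() on a connecting socket is meant to restart the call rather than fail with an error such as -EALREADY or -EINPROGRESS, and should confirm that nothing else on the socket (a timer armed for the first attempt, the previously assigned lci) still refers to the neighbour being dropped. Note also that this `if (rose->neighbour)` test is what makes the `rose->neighbour = NULL` lines in the later error paths load-bearing: without them a failed connect would leave a stale pointer that this block would put a second time on the next reconnect, which is the use-after-free the commit message mentions.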
@@ -825,6 +833,7 @@ static int rose_connect(struct socket *sock, struct sockaddr_unsized *uaddr, int
 	if (!rose->lci) {
 		err = -ENETUNREACH;
 		rose_neigh_put(rose->neighbour);
+		rose->neighbour = NULL;
 		goto out_release;
 	}
 
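Review bot: the pair `rose_neigh_put(rose->neighbour);` / `rose->neighbour = NULL;` is now repeated here and in the two error paths that follow; consider folding it into a single exit (for example a dedicated label just before out_release that puts and clears the neighbour) so that any error path added later between rose_get_neigh() and the success path cannot omit the clear that this fix relies on. As written each copy is correct and the put still precedes the goto.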
@@ -837,6 +846,7 @@ static int rose_connect(struct socket *sock, struct sockaddr_unsized *uaddr, int
 		if (!dev) {
 			err = -ENETUNREACH;
 			rose_neigh_put(rose->neighbour);
+			rose->neighbour = NULL;
 			goto out_release;
 		}
 
@@ -844,6 +854,7 @@ static int rose_connect(struct socket *sock, struct sockaddr_unsized *uaddr, int
 		if (!user) {
 			err = -EINVAL;
 			rose_neigh_put(rose->neighbour);
+			rose->neighbour = NULL;
 			dev_put(dev);
 			goto out_release;
 		}
-- 
2.43.0

