[PATCH net] net: phonet: free phonet_device after RCU grace period

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH net] net: phonet: free phonet_device after RCU grace period
@ 2026-06-04  0:08 Santosh Kalluri
  2026-06-08 13:13 ` Simon Horman
  2026-06-09  0:40 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: Santosh Kalluri @ 2026-06-04  0:08 UTC (permalink / raw)
  To: netdev
  Cc: Remi Denis-Courmont, Rémi Denis-Courmont, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
	linux-kernel

phonet_device_destroy() removes a phonet_device from the per-net device
list with list_del_rcu(), but frees it immediately. RCU readers walking
the same list can still hold a pointer to the object after it has been
removed, leading to a slab-use-after-free.

Use kfree_rcu(), matching the lifetime rule already used by
phonet_address_del() for the same object type.

Fixes: eeb74a9d45f7 ("Phonet: convert devices list to RCU")
Cc: stable@vger.kernel.org
Signed-off-by: Santosh Kalluri <santosh.kalluri129@gmail.com>
Acked-by: Rémi Denis-Courmont <remi@remlab.net>
---
 net/phonet/pn_dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/phonet/pn_dev.c b/net/phonet/pn_dev.c
index 86325b7fc1b6..ad44831d6745 100644
--- a/net/phonet/pn_dev.c
+++ b/net/phonet/pn_dev.c
@@ -108,7 +108,7 @@ static void phonet_device_destroy(struct net_device *dev)
 		for_each_set_bit(addr, pnd->addrs, 64)
 			phonet_address_notify(net, RTM_DELADDR, ifindex, addr);
 
-		kfree(pnd);
+		kfree_rcu(pnd, rcu);
 	}
 }
 

base-commit: f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH net] net: phonet: free phonet_device after RCU grace period
  2026-06-04  0:08 [PATCH net] net: phonet: free phonet_device after RCU grace period Santosh Kalluri
@ 2026-06-08 13:13 ` Simon Horman
  2026-06-09  0:40 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Simon Horman @ 2026-06-08 13:13 UTC (permalink / raw)
  To: Santosh Kalluri
  Cc: netdev, Remi Denis-Courmont, Rémi Denis-Courmont,
	David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	linux-kernel

On Wed, Jun 03, 2026 at 05:08:43PM -0700, Santosh Kalluri wrote:
> phonet_device_destroy() removes a phonet_device from the per-net device
> list with list_del_rcu(), but frees it immediately. RCU readers walking
> the same list can still hold a pointer to the object after it has been
> removed, leading to a slab-use-after-free.
> 
> Use kfree_rcu(), matching the lifetime rule already used by
> phonet_address_del() for the same object type.
> 
> Fixes: eeb74a9d45f7 ("Phonet: convert devices list to RCU")
> Cc: stable@vger.kernel.org
> Signed-off-by: Santosh Kalluri <santosh.kalluri129@gmail.com>
> Acked-by: Rémi Denis-Courmont <remi@remlab.net>

Reviewed-by: Simon Horman <horms@kernel.org>


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH net] net: phonet: free phonet_device after RCU grace period
  2026-06-04  0:08 [PATCH net] net: phonet: free phonet_device after RCU grace period Santosh Kalluri
  2026-06-08 13:13 ` Simon Horman
@ 2026-06-09  0:40 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-06-09  0:40 UTC (permalink / raw)
  To: Santosh Kalluri
  Cc: netdev, courmisch, remi, davem, edumazet, kuba, pabeni, horms,
	linux-kernel

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed,  3 Jun 2026 17:08:43 -0700 you wrote:
> phonet_device_destroy() removes a phonet_device from the per-net device
> list with list_del_rcu(), but frees it immediately. RCU readers walking
> the same list can still hold a pointer to the object after it has been
> removed, leading to a slab-use-after-free.
> 
> Use kfree_rcu(), matching the lifetime rule already used by
> phonet_address_del() for the same object type.
> 
> [...]

Here is the summary with links:
  - [net] net: phonet: free phonet_device after RCU grace period
    https://git.kernel.org/netdev/net/c/71de0177b28d

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-09  0:40 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-04  0:08 [PATCH net] net: phonet: free phonet_device after RCU grace period Santosh Kalluri
2026-06-08 13:13 ` Simon Horman
2026-06-09  0:40 ` patchwork-bot+netdevbpf

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.