From: Simon Horman <horms@kernel.org>
To: w15303746062@163.com
Cc: Manivannan Sadhasivam <mani@kernel.org>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Luca Weiss <luca@lucaweiss.eu>,
	Bjorn Andersson <andersson@kernel.org>,
	linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Mingyu Wang <25181214217@stu.xidian.edu.cn>
Subject: Re: [PATCH v2] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
Date: Mon, 8 Jun 2026 14:15:49 +0100	[thread overview]
Message-ID: <20260608131549.GI3920875@horms.kernel.org> (raw)
In-Reply-To: <20260604064801.1180388-1-w15303746062@163.com>

On Thu, Jun 04, 2026 at 02:48:01PM +0800, w15303746062@163.com wrote:
> From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
> 
> In qrtr_port_remove(), the socket reference count is decremented via
> __sock_put() before the port is removed from the qrtr_ports XArray and
> before the RCU grace period elapses.
> 
> This breaks the fundamental RCU update paradigm. It exposes a race
> window where a concurrent RCU reader (such as qrtr_reset_ports() or
> qrtr_port_lookup()) can obtain a pointer to the socket from the XArray,
> and attempt to call sock_hold() on a socket whose reference count has
> already dropped to zero.
> 
> This exact race condition was hit during syzkaller fuzzing, leading to
> the following refcount saturation warning and a potential Use-After-Free:
> 
>   refcount_t: saturated; leaking memory.
>   WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0
>   Modules linked in: qrtr(+) bochs drm_shmem_helper ...
>   Call Trace:
>    <TASK>
>    qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr]
>    __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr]
>    qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr]
>    kernel_bind+0xe4/0x120 net/socket.c:3592
>    qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr]
>    qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr]
>    do_one_initcall+0xf5/0x5e0 init/main.c:1283
>    ...
>    </TASK>
> 
> Fix this by deferring the reference count decrement until after the
> xa_erase() and the synchronize_rcu() complete.
> 
> (Note: The v1 of this patch incorrectly replaced __sock_put() with
> sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove()
> still hold a reference to the socket, so freeing the socket memory here
> would lead to a subsequent UAF in the caller. Thus, the __sock_put() is
> kept, but only repositioned to close the RCU race.)
> 
> Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
> Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
> ---
> v1: https://lore.kernel.org/netdev/20260530082243.1123402-1-w15303746062@163.com/
> 
> Changes in v2:
> - Reverted the change from __sock_put() to sock_put() to avoid UAF
>   in callers like qrtr_release(), as suggested by Simon Horman.
> - Removed misleading "memory leak" wording from commit message.
> - Corrected the Fixes tag to point to the initial commit introducing
>   the race (bdabad3e363d).

Thanks for the updates.

Reviewed-by: Simon Horman <horms@kernel.org>


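The ordering that the patch above argues for, shown as an added example written for this page rather than code from the patch or from net/qrtr/af_qrtr.c: a small single-threaded C model that enumerates every RCU-valid interleaving of a qrtr_port_lookup()-style reader (lookup plus sock_hold() inside one read-side critical section) against the three writer steps, under the old order (__sock_put(), xa_erase(), synchronize_rcu()) and the v2 order (xa_erase(), synchronize_rcu(), __sock_put()). The type and function names, the position encoding of reader schedules, and the starting reference count (only the port table's reference unless extra_refs is set) are the model's own assumptions, not kernel APIs.

```c
/*
 * Added example, not code from the page or from net/qrtr/af_qrtr.c: a
 * single-threaded userspace model of the ordering qrtr_port_remove() must
 * follow when it unpublishes a socket from the RCU-protected qrtr_ports
 * table.  Assumptions of the model (not taken from the kernel):
 *  - the socket enters port removal holding only the reference that the
 *    port table took when the port was assigned; extra_refs adds others;
 *  - a reader is a (lookup, hold) pair of positions, position p meaning
 *    "after writer step p, before step p+1", both inside one RCU read
 *    section as in qrtr_port_lookup();
 *  - synchronize_rcu() does not return while a read section that started
 *    before it is still open, so a reader that looked the entry up before
 *    the grace period ended must also take its hold before then.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NSTEPS 3

enum order  { ORDER_PUT_FIRST, ORDER_PUT_LAST };   /* before / after the fix */
enum step   { STEP_PUT, STEP_ERASE, STEP_SYNC };
enum result { RES_OK, RES_HOLD_ON_ZERO, RES_INVALID_SCHEDULE };

struct sock_model {
	int refcnt;       /* stands in for sk->sk_refcnt */
	bool published;   /* still reachable through the port table */
};

static const enum step orders[2][NSTEPS] = {
	[ORDER_PUT_FIRST] = { STEP_PUT, STEP_ERASE, STEP_SYNC },   /* old order */
	[ORDER_PUT_LAST]  = { STEP_ERASE, STEP_SYNC, STEP_PUT },   /* fixed order */
};

/* Position right after synchronize_rcu() has completed in this order. */
static int sync_done_pos(enum order o)
{
	for (int i = 0; i < NSTEPS; i++)
		if (orders[o][i] == STEP_SYNC)
			return i + 1;
	return -1;
}

static void writer_step(struct sock_model *sk, enum step s)
{
	switch (s) {
	case STEP_PUT:   sk->refcnt--;          break;   /* __sock_put() */
	case STEP_ERASE: sk->published = false; break;   /* xa_erase() */
	case STEP_SYNC:                         break;   /* synchronize_rcu(): ordering only */
	}
}

/* refcount_t will not increment a zero count; model that as a failed hold. */
static bool sock_hold_model(struct sock_model *sk)
{
	if (sk->refcnt <= 0)
		return false;
	sk->refcnt++;
	return true;
}

enum result simulate(enum order o, int extra_refs, int lookup_pos, int hold_pos)
{
	struct sock_model sk = { .refcnt = 1 + extra_refs, .published = true };
	struct sock_model *seen = NULL;   /* pointer the reader obtained from the table */
	int sync_pos = sync_done_pos(o);

	if (lookup_pos < 0 || hold_pos < lookup_pos || hold_pos > NSTEPS)
		return RES_INVALID_SCHEDULE;
	/* a read section cannot straddle the end of the grace period */
	if (lookup_pos < sync_pos && hold_pos >= sync_pos)
		return RES_INVALID_SCHEDULE;

	for (int pos = 0; pos <= NSTEPS; pos++) {
		if (pos == lookup_pos)
			seen = sk.published ? &sk : NULL;   /* xa_load() under rcu_read_lock() */
		if (pos == hold_pos && seen && !sock_hold_model(seen))
			return RES_HOLD_ON_ZERO;            /* sock_hold() on a count of zero */
		if (pos < NSTEPS)
			writer_step(&sk, orders[o][pos]);
	}
	return RES_OK;
}

/* Number of RCU-valid reader schedules that hit a zero count under this order. */
int count_faulting_schedules(enum order o, int extra_refs)
{
	int faults = 0;

	for (int l = 0; l <= NSTEPS; l++)
		for (int h = l; h <= NSTEPS; h++)
			if (simulate(o, extra_refs, l, h) == RES_HOLD_ON_ZERO)
				faults++;
	return faults;
}

int main(void)
{
	printf("old order (put, erase, sync):   %d faulting reader schedules\n",
	       count_faulting_schedules(ORDER_PUT_FIRST, 0));
	printf("fixed order (erase, sync, put): %d faulting reader schedules\n",
	       count_faulting_schedules(ORDER_PUT_LAST, 0));
	return 0;
}
```

Built with any C compiler (cc -Wall model.c), it reports 4 faulting reader schedules for the old order and 0 for the fixed one: once the table entry is erased before the grace period, no reader that can still see the pointer ever meets a count the writer has already given up. With extra_refs=1 the old order produces no fault in the model, because the caller's reference keeps the count above zero; the window between __sock_put() and xa_erase() still exists, it is only that the reference backing the published table entry has already been dropped, which is the invariant the v2 order restores.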
Thread overview: 3+ messages
2026-06-04  6:48 [PATCH v2] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove w15303746062
2026-06-08 13:15 ` Simon Horman [this message]
2026-06-09  2:00 ` patchwork-bot+netdevbpf
