From mboxrd@z Thu Jan 1 00:00:00 1970
From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, stable@kernel.org, Yifan Wu, Juefei Pu, Yuan Tan, Xin Liu, Ren Wei, Zhengchuan Liang, Ren Wei, Paolo Abeni
Subject: [PATCH 6.18 049/275] net: caif: clear client service pointer on teardown
Date: Mon, 4 May 2026 15:49:49 +0200
Message-ID: <20260504135144.758833829@linuxfoundation.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260504135142.929052779@linuxfoundation.org>
References: <20260504135142.929052779@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang

commit f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 upstream.

`caif_connect()` can tear down an existing client after remote shutdown
by calling `caif_disconnect_client()` followed by `caif_free_client()`.
`caif_free_client()` releases the service layer referenced by
`adap_layer->dn`, but leaves that pointer stale.

When the socket is later destroyed, `caif_sock_destructor()` calls
`caif_free_client()` again and dereferences the freed service pointer.

Clear the client/service links before releasing the service object so
repeated teardown becomes harmless.

Fixes: 43e369210108 ("caif: Move refcount from service layer to sock and dev.")
Cc: stable@kernel.org
Reported-by: Yifan Wu
Reported-by: Juefei Pu
Co-developed-by: Yuan Tan
Signed-off-by: Yuan Tan
Suggested-by: Xin Liu
Tested-by: Ren Wei
Signed-off-by: Zhengchuan Liang
Signed-off-by: Ren Wei
Link: https://patch.msgid.link/9f3d37847c0037568aae698ca23cd47c6691acb0.1775897577.git.zcliangcn@gmail.com
Signed-off-by: Paolo Abeni
Signed-off-by: Greg Kroah-Hartman
---
 net/caif/cfsrvl.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/net/caif/cfsrvl.c +++ b/net/caif/cfsrvl.c @@ -191,10 +191,20 @@ bool cfsrvl_phyid_match(struct cflayer * void caif_free_client(struct cflayer *adap_layer) { + struct cflayer *serv_layer; struct cfsrvl *servl; - if (adap_layer == NULL || adap_layer->dn == NULL) + + if (!adap_layer) + return; + + serv_layer = adap_layer->dn; + if (!serv_layer) return; - servl = container_obj(adap_layer->dn); + + layer_set_dn(adap_layer, NULL); + layer_set_up(serv_layer, NULL); + + servl = container_obj(serv_layer); servl->release(&servl->layer); } EXPORT_SYMBOL(caif_free_client);
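
Review bot: In caif_free_client(), the load `serv_layer = adap_layer->dn;` and the later `layer_set_dn(adap_layer, NULL);` are separate steps with no lock or atomic exchange visible in this hunk, so a second call returns early only if it starts after the first has already cleared the pointer. Two callers that overlap could both read a non-NULL `dn` and both reach `servl->release(&servl->layer)`. If the two callers named in the commit message, caif_connect() and caif_sock_destructor(), can never overlap, state that in a comment above the function; otherwise take the pointer with a single exchange. A one-line comment above the two `layer_set_*()` calls, noting that the links are dropped before release so that repeated teardown is a no-op, would also keep a later cleanup from moving them below the release call.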