From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 679751E633C; Thu, 25 Jun 2026 13:06:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782392764; cv=none; b=dbLjiO9wd5d3dFO2fJKxHOwLNMjLTtUe4a5uZSi+IeMGb2Xuxl39ryBubiuPGx+UvcUycn8T4XEXzuHQ+zrRgO+D9R3rsWcOa9pyst04mLSW3RDsfAVoKUo6cGqsM4xwkaoTmN4viH+qr+JXnOpq34tePdKkNh1r9aJLq9tSTbw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782392764; c=relaxed/simple; bh=Joj+S69w2yiOaiXgA7lAMi3YFiihcqcjGB/JC/K41Tc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=TWdEJcz0tQSf5e1AhbgttjkUeK/7fGTG4ok1ldt6wyddn4Uc3vaFaPJdYp2MG7hKODk86mXNWKNhsbyAPLE0igxDvADY1z1HT5yPav4Wxr4LIaba76Cbf5SHSsuPKy7HT11dWCnnr3EcA8ECDUgmFUS5ScTup7y0RuLpvNeSdog= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=jxEwLdP/; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="jxEwLdP/" Received: by smtp.kernel.org (Postfix) with ESMTPSA id AC7E61F00A3A; Thu, 25 Jun 2026 13:06:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1782392763; bh=JuXLVqJN3vxA9HxBGXsZbHrpvLy8XXS3koLmoxEj9ys=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=jxEwLdP/QYDhMak1MJBWGoLynE5TZSdpq3nZvOSY119zVvmal8pgHuM521HP8Xzo1 /8W4XUzzGOy8kZ3deljVsDY1Xb5+MwUZwh25FmUOjl3m/gft1cUZci5vSAtAvsFkFH BN883H0JkIEMa8pGG+Y4+Yw8CtR+pTB2BN1twMkk= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Bernard Pidoux Subject: [PATCH 6.18 16/60] rose: fix race between loopback timer and module removal Date: Thu, 25 Jun 2026 14:03:01 +0100 Message-ID: <20260625125647.915331582@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260625125645.554579168@linuxfoundation.org> References: <20260625125645.554579168@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Bernard Pidoux commit 47dd6ec1a77d77895afb00aa2e68373a48289108 upstream. rose_loopback_clear() called timer_delete() which returns immediately without waiting for any running callback to complete. If the timer fired concurrently with module removal, rose_loopback_timer() could re-arm the timer after timer_delete() returned and then access rose_loopback_neigh after it was freed. Two complementary changes close the race: 1. Add a loopback_stopping atomic flag. rose_loopback_timer() checks it at entry (before acquiring a reference) and again inside the loop; when set it drains the queue and exits without re-arming the timer. 2. Switch rose_loopback_clear() to timer_delete_sync() so it blocks until any in-flight callback has returned before freeing resources. The smp_mb() between setting the flag and calling timer_delete_sync() ensures the flag is visible to any callback that is about to run. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Bernard Pidoux Signed-off-by: Greg Kroah-Hartman --- net/rose/rose_loopback.c | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) --- a/net/rose/rose_loopback.c +++ b/net/rose/rose_loopback.c @@ -12,13 +12,15 @@ #include #include -static struct sk_buff_head loopback_queue; #define ROSE_LOOPBACK_LIMIT 1000 -static struct timer_list loopback_timer; +static struct timer_list loopback_timer; +static struct sk_buff_head loopback_queue; static void rose_set_loopback_timer(void); static void rose_loopback_timer(struct timer_list *unused); +static atomic_t loopback_stopping = ATOMIC_INIT(0); + void rose_loopback_init(void) { skb_queue_head_init(&loopback_queue); @@ -66,6 +68,9 @@ static void rose_loopback_timer(struct t unsigned int lci_i, lci_o; int count; + if (atomic_read(&loopback_stopping)) + return; + if (rose_loopback_neigh) rose_neigh_hold(rose_loopback_neigh); else @@ -75,6 +80,13 @@ static void rose_loopback_timer(struct t skb = skb_dequeue(&loopback_queue); if (!skb) goto out; + + if (atomic_read(&loopback_stopping)) { + kfree_skb(skb); + skb_queue_purge(&loopback_queue); + goto out; + } + if (skb->len < ROSE_MIN_LEN) { kfree_skb(skb); continue; @@ -118,7 +130,7 @@ static void rose_loopback_timer(struct t out: rose_neigh_put(rose_loopback_neigh); - if (!skb_queue_empty(&loopback_queue)) + if (!atomic_read(&loopback_stopping) && !skb_queue_empty(&loopback_queue)) mod_timer(&loopback_timer, jiffies + 1); } @@ -126,10 +138,15 @@ void __exit rose_loopback_clear(void) { struct sk_buff *skb; - timer_delete(&loopback_timer); + atomic_set(&loopback_stopping, 1); + /* Pairs with atomic_read() in rose_loopback_timer(): ensure the + * stopping flag is visible before we cancel, so a concurrent + * callback aborts its loop early rather than re-arming the timer. + */ + smp_mb(); + + timer_delete_sync(&loopback_timer); - while ((skb = skb_dequeue(&loopback_queue)) != NULL) { - skb->sk = NULL; + while ((skb = skb_dequeue(&loopback_queue)) != NULL) kfree_skb(skb); - } }