From: Bernard Pidoux
To: netdev@vger.kernel.org
Cc: linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org,
    davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
    pabeni@redhat.com, horms@kernel.org, Bernard Pidoux
Subject: [PATCH net 2/5] rose: hold loopback neighbour reference across timer callback
Date: Sun, 26 Apr 2026 16:43:02 +0200
Message-ID: <20260426144305.984349-3-bernard.f6bvp@gmail.com>
In-Reply-To: <20260426144305.984349-1-bernard.f6bvp@gmail.com>
References: <20260426144305.984349-1-bernard.f6bvp@gmail.com>

rose_loopback_timer() dereferences rose_loopback_neigh throughout its
body but holds no reference on it. A concurrent rose_loopback_clear()
followed by rose_add_loopback_neigh() could free and reallocate the
neighbour while the timer body is running, causing a use-after-free.

Take a reference with rose_neigh_hold() at the start of the callback
(bailing out if the pointer is already NULL) and release it with
rose_neigh_put() at the single exit point. The neigh cannot be freed
while the callback holds a reference.

Fixes: d860d1faa6b2 ("net: rose: convert 'use' field to refcount_t")
Tested-by: Bernard Pidoux
Signed-off-by: Bernard Pidoux
---
 net/rose/rose_loopback.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c index 914c8f453a1d..d66913df360d 100644 --- a/net/rose/rose_loopback.c +++ b/net/rose/rose_loopback.c @@ -66,10 +66,15 @@ static void rose_loopback_timer(struct timer_list *unused) unsigned int lci_i, lci_o; int count; + if (rose_loopback_neigh) + rose_neigh_hold(rose_loopback_neigh); + else + return; + for (count = 0; count < ROSE_LOOPBACK_LIMIT; count++) { skb = skb_dequeue(&loopback_queue); if (!skb) - return; + goto out; if (skb->len < ROSE_MIN_LEN) { kfree_skb(skb); continue; @@ -109,6 +114,10 @@ static void rose_loopback_timer(struct timer_list *unused) kfree_skb(skb); } } + +out: + rose_neigh_put(rose_loopback_neigh); + if (!skb_queue_empty(&loopback_queue)) mod_timer(&loopback_timer, jiffies + 1); } -- 2.51.0
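
Review bot: in the first hunk (@@ -66,10 +66,15 @@), the NULL check and rose_neigh_hold(rose_loopback_neigh) are two separate reads of the global with no lock visible in the hunk, so a concurrent rose_loopback_clear() can still run between the check and the hold, and the reference can be taken on a neighbour that is already being freed. Read the pointer once into a local variable under whatever lock or RCU section serialises rose_loopback_clear(), take the reference on that local, and use the local for every later dereference in the loop body. Also note that the new early return on NULL leaves any skbs already on loopback_queue in place without re-arming the timer; the commit message should say whether that is intended.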
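
Review bot: in the second hunk (@@ -109,6 +114,10 @@), rose_neigh_put(rose_loopback_neigh) at the out: label re-reads the global instead of releasing the pointer that was held at the top of the function. In the rose_loopback_clear() followed by rose_add_loopback_neigh() sequence the commit message describes, the global can refer to a different neighbour by the time out: is reached, so the put would drop a reference this callback never took and leave the one it did take unreleased. Keep the held pointer in a local and pass that local to rose_neigh_put().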