* [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs
@ 2026-04-03 16:06 Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 1/5] net: qrtr: ns: Limit the maximum server registration per node Manivannan Sadhasivam via B4 Relay
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: Manivannan Sadhasivam via B4 Relay @ 2026-04-03 16:06 UTC (permalink / raw)
To: Manivannan Sadhasivam, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: linux-arm-msm, netdev, linux-kernel, stable, Yiming Qian,
Manivannan Sadhasivam
Hi,
This series fixes a bunch of possible memory exhaustion issues in the QRTR
nameserver.
Manivannan Sadhasivam (2):
net: qrtr: ns: Limit the maximum server registration per node
net: qrtr: ns: Limit the maximum lookups per socket
net/qrtr/ns.c | 38 ++++++++++++++++++++++++++++++++++----
1 file changed, 34 insertions(+), 4 deletions(-)
--
2.51.0
---
Manivannan Sadhasivam (5):
net: qrtr: ns: Limit the maximum server registration per node
net: qrtr: ns: Limit the maximum number of lookups
net: qrtr: ns: Free the node during ctrl_cmd_bye()
net: qrtr: ns: Limit the total number of nodes
net: qrtr: ns: Fix use-after-free in driver remove()
net/qrtr/ns.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 61 insertions(+), 10 deletions(-)
---
base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
change-id: 20260331-qrtr-fix-b502c26e5f46
Best regards,
--
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v2 1/5] net: qrtr: ns: Limit the maximum server registration per node
2026-04-03 16:06 [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs Manivannan Sadhasivam via B4 Relay
@ 2026-04-03 16:06 ` Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 2/5] net: qrtr: ns: Limit the maximum number of lookups Manivannan Sadhasivam via B4 Relay
` (4 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Manivannan Sadhasivam via B4 Relay @ 2026-04-03 16:06 UTC (permalink / raw)
To: Manivannan Sadhasivam, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: linux-arm-msm, netdev, linux-kernel, stable, Yiming Qian,
Manivannan Sadhasivam
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Current code does no bound checking on the number of servers added per
node. A malicious client can flood NEW_SERVER messages and exhaust memory.
Fix this issue by limiting the maximum number of server registrations to
256 per node. If the NEW_SERVER message is received for an old port, then
don't restrict it as it will get replaced. While at it, also rate limit
the error messages in the failure path of qrtr_ns_worker().
Note that the limit of 256 is chosen based on the current platform
requirements. If requirement changes in the future, this limit can be
increased.
Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
---
net/qrtr/ns.c | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 3203b2220860..63cb5861d87a 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -67,8 +67,14 @@ struct qrtr_server {
struct qrtr_node {
unsigned int id;
struct xarray servers;
+ u32 server_count;
};
+/* Max server limit is chosen based on the current platform requirements. If the
+ * requirement changes in the future, this value can be increased.
+ */
+#define QRTR_NS_MAX_SERVERS 256
+
static struct qrtr_node *node_get(unsigned int node_id)
{
struct qrtr_node *node;
@@ -229,6 +235,17 @@ static struct qrtr_server *server_add(unsigned int service,
if (!service || !port)
return NULL;
+ node = node_get(node_id);
+ if (!node)
+ return NULL;
+
+ /* Make sure the new servers per port are capped at the maximum value */
+ old = xa_load(&node->servers, port);
+ if (!old && node->server_count >= QRTR_NS_MAX_SERVERS) {
+ pr_err_ratelimited("QRTR client node %u exceeds max server limit!\n", node_id);
+ return NULL;
+ }
+
srv = kzalloc_obj(*srv);
if (!srv)
return NULL;
@@ -238,10 +255,6 @@ static struct qrtr_server *server_add(unsigned int service,
srv->node = node_id;
srv->port = port;
- node = node_get(node_id);
- if (!node)
- goto err;
-
/* Delete the old server on the same port */
old = xa_store(&node->servers, port, srv, GFP_KERNEL);
if (old) {
@@ -252,6 +265,8 @@ static struct qrtr_server *server_add(unsigned int service,
} else {
kfree(old);
}
+ } else {
+ node->server_count++;
}
trace_qrtr_ns_server_add(srv->service, srv->instance,
@@ -292,6 +307,7 @@ static int server_del(struct qrtr_node *node, unsigned int port, bool bcast)
}
kfree(srv);
+ node->server_count--;
return 0;
}
@@ -670,7 +686,7 @@ static void qrtr_ns_worker(struct work_struct *work)
}
if (ret < 0)
- pr_err("failed while handling packet from %d:%d",
+ pr_err_ratelimited("failed while handling packet from %d:%d",
sq.sq_node, sq.sq_port);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v2 2/5] net: qrtr: ns: Limit the maximum number of lookups
2026-04-03 16:06 [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 1/5] net: qrtr: ns: Limit the maximum server registration per node Manivannan Sadhasivam via B4 Relay
@ 2026-04-03 16:06 ` Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 3/5] net: qrtr: ns: Free the node during ctrl_cmd_bye() Manivannan Sadhasivam via B4 Relay
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Manivannan Sadhasivam via B4 Relay @ 2026-04-03 16:06 UTC (permalink / raw)
To: Manivannan Sadhasivam, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: linux-arm-msm, netdev, linux-kernel, stable,
Manivannan Sadhasivam
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Current code does no bound checking on the number of lookups a client can
perform. Though the code restricts the lookups to local clients, there is
still a possibility of a malicious local client sending a flood of
NEW_LOOKUP messages over the same socket.
Fix this issue by limiting the maximum number of lookups to 64 globally.
Since the nameserver allows only atmost one local observer, this global
lookup count will ensure that the lookups stay within the limit.
Note that, limit of 64 is chosen based on the current platform
requirements. If requirement changes in the future, this limit can be
increased.
Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
---
net/qrtr/ns.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 63cb5861d87a..5b08d4d4840a 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -22,6 +22,7 @@ static struct {
struct socket *sock;
struct sockaddr_qrtr bcast_sq;
struct list_head lookups;
+ u32 lookup_count;
struct workqueue_struct *workqueue;
struct work_struct work;
int local_node;
@@ -70,10 +71,11 @@ struct qrtr_node {
u32 server_count;
};
-/* Max server limit is chosen based on the current platform requirements. If the
- * requirement changes in the future, this value can be increased.
+/* Max server, lookup limits are chosen based on the current platform requirements.
+ * If the requirement changes in the future, these values can be increased.
*/
#define QRTR_NS_MAX_SERVERS 256
+#define QRTR_NS_MAX_LOOKUPS 64
static struct qrtr_node *node_get(unsigned int node_id)
{
@@ -433,6 +435,7 @@ static int ctrl_cmd_del_client(struct sockaddr_qrtr *from,
list_del(&lookup->li);
kfree(lookup);
+ qrtr_ns.lookup_count--;
}
/* Remove the server belonging to this port but don't broadcast
@@ -550,6 +553,11 @@ static int ctrl_cmd_new_lookup(struct sockaddr_qrtr *from,
if (from->sq_node != qrtr_ns.local_node)
return -EINVAL;
+ if (qrtr_ns.lookup_count >= QRTR_NS_MAX_LOOKUPS) {
+ pr_err_ratelimited("QRTR client node exceeds max lookup limit!\n");
+ return -ENOSPC;
+ }
+
lookup = kzalloc_obj(*lookup);
if (!lookup)
return -ENOMEM;
@@ -558,6 +566,7 @@ static int ctrl_cmd_new_lookup(struct sockaddr_qrtr *from,
lookup->service = service;
lookup->instance = instance;
list_add_tail(&lookup->li, &qrtr_ns.lookups);
+ qrtr_ns.lookup_count++;
memset(&filter, 0, sizeof(filter));
filter.service = service;
@@ -598,6 +607,7 @@ static void ctrl_cmd_del_lookup(struct sockaddr_qrtr *from,
list_del(&lookup->li);
kfree(lookup);
+ qrtr_ns.lookup_count--;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v2 3/5] net: qrtr: ns: Free the node during ctrl_cmd_bye()
2026-04-03 16:06 [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 1/5] net: qrtr: ns: Limit the maximum server registration per node Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 2/5] net: qrtr: ns: Limit the maximum number of lookups Manivannan Sadhasivam via B4 Relay
@ 2026-04-03 16:06 ` Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 4/5] net: qrtr: ns: Limit the total number of nodes Manivannan Sadhasivam via B4 Relay
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Manivannan Sadhasivam via B4 Relay @ 2026-04-03 16:06 UTC (permalink / raw)
To: Manivannan Sadhasivam, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: linux-arm-msm, netdev, linux-kernel, stable,
Manivannan Sadhasivam
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
A node sends the BYE packet when it is about to go down. So the nameserver
should advertise the removal of the node to all remote and local observers
and free the node finally. But currently, the nameserver doesn't free the
node memory even after processing the BYE packet. This causes the node
memory to leak.
Hence, remove the node from Xarray list and free the node memory during
both success and failure case of ctrl_cmd_bye().
Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
---
net/qrtr/ns.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 5b08d4d4840a..c95014673135 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -359,7 +359,7 @@ static int ctrl_cmd_bye(struct sockaddr_qrtr *from)
struct qrtr_node *node;
unsigned long index;
struct kvec iv;
- int ret;
+ int ret = 0;
iv.iov_base = &pkt;
iv.iov_len = sizeof(pkt);
@@ -374,8 +374,10 @@ static int ctrl_cmd_bye(struct sockaddr_qrtr *from)
/* Advertise the removal of this client to all local servers */
local_node = node_get(qrtr_ns.local_node);
- if (!local_node)
- return 0;
+ if (!local_node) {
+ ret = 0;
+ goto delete_node;
+ }
memset(&pkt, 0, sizeof(pkt));
pkt.cmd = cpu_to_le32(QRTR_TYPE_BYE);
@@ -392,10 +394,15 @@ static int ctrl_cmd_bye(struct sockaddr_qrtr *from)
ret = kernel_sendmsg(qrtr_ns.sock, &msg, &iv, 1, sizeof(pkt));
if (ret < 0 && ret != -ENODEV) {
pr_err("failed to send bye cmd\n");
- return ret;
+ goto delete_node;
}
}
- return 0;
+
+delete_node:
+ xa_erase(&nodes, from->sq_node);
+ kfree(node);
+
+ return ret;
}
static int ctrl_cmd_del_client(struct sockaddr_qrtr *from,
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v2 4/5] net: qrtr: ns: Limit the total number of nodes
2026-04-03 16:06 [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs Manivannan Sadhasivam via B4 Relay
` (2 preceding siblings ...)
2026-04-03 16:06 ` [PATCH v2 3/5] net: qrtr: ns: Free the node during ctrl_cmd_bye() Manivannan Sadhasivam via B4 Relay
@ 2026-04-03 16:06 ` Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 5/5] net: qrtr: ns: Fix use-after-free in driver remove() Manivannan Sadhasivam via B4 Relay
2026-04-04 7:54 ` [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs Manivannan Sadhasivam
5 siblings, 0 replies; 8+ messages in thread
From: Manivannan Sadhasivam via B4 Relay @ 2026-04-03 16:06 UTC (permalink / raw)
To: Manivannan Sadhasivam, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: linux-arm-msm, netdev, linux-kernel, stable,
Manivannan Sadhasivam
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Currently, the nameserver doesn't limit the number of nodes it handles.
This can be an attack vector if a malicious client starts registering
random nodes, leading to memory exhaustion.
Hence, limit the maximum number of nodes to 64. Note that, limit of 64 is
chosen based on the current platform requirements. If requirement changes
in the future, this limit can be increased.
Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
---
net/qrtr/ns.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index c95014673135..dfb5dad9473c 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -71,12 +71,16 @@ struct qrtr_node {
u32 server_count;
};
-/* Max server, lookup limits are chosen based on the current platform requirements.
- * If the requirement changes in the future, these values can be increased.
+/* Max nodes, server, lookup limits are chosen based on the current platform
+ * requirements. If the requirement changes in the future, these values can be
+ * increased.
*/
+#define QRTR_NS_MAX_NODES 64
#define QRTR_NS_MAX_SERVERS 256
#define QRTR_NS_MAX_LOOKUPS 64
+static u8 node_count;
+
static struct qrtr_node *node_get(unsigned int node_id)
{
struct qrtr_node *node;
@@ -85,6 +89,11 @@ static struct qrtr_node *node_get(unsigned int node_id)
if (node)
return node;
+ if (node_count >= QRTR_NS_MAX_NODES) {
+ pr_err_ratelimited("QRTR clients exceed max node limit!\n");
+ return NULL;
+ }
+
/* If node didn't exist, allocate and insert it to the tree */
node = kzalloc_obj(*node);
if (!node)
@@ -98,6 +107,8 @@ static struct qrtr_node *node_get(unsigned int node_id)
return NULL;
}
+ node_count++;
+
return node;
}
@@ -401,6 +412,7 @@ static int ctrl_cmd_bye(struct sockaddr_qrtr *from)
delete_node:
xa_erase(&nodes, from->sq_node);
kfree(node);
+ node_count--;
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v2 5/5] net: qrtr: ns: Fix use-after-free in driver remove()
2026-04-03 16:06 [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs Manivannan Sadhasivam via B4 Relay
` (3 preceding siblings ...)
2026-04-03 16:06 ` [PATCH v2 4/5] net: qrtr: ns: Limit the total number of nodes Manivannan Sadhasivam via B4 Relay
@ 2026-04-03 16:06 ` Manivannan Sadhasivam via B4 Relay
2026-04-07 15:33 ` Paolo Abeni
2026-04-04 7:54 ` [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs Manivannan Sadhasivam
5 siblings, 1 reply; 8+ messages in thread
From: Manivannan Sadhasivam via B4 Relay @ 2026-04-03 16:06 UTC (permalink / raw)
To: Manivannan Sadhasivam, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: linux-arm-msm, netdev, linux-kernel, stable,
Manivannan Sadhasivam
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
In the remove callback, if a packet arrives after destroy_workqueue() is
called, but before sock_release(), the qrtr_ns_data_ready() callback will
try to queue the work, causing use-after-free issue.
Fix this issue by saving the default 'sk_data_ready' callback during
qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at
the start of remove(). This ensures that even if a packet arrives after
destroy_workqueue(), the work struct will not be dereferenced.
Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
---
net/qrtr/ns.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index dfb5dad9473c..c62d79e03d64 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -25,6 +25,7 @@ static struct {
u32 lookup_count;
struct workqueue_struct *workqueue;
struct work_struct work;
+ void (*saved_data_ready)(struct sock *sk);
int local_node;
} qrtr_ns;
@@ -754,6 +755,7 @@ int qrtr_ns_init(void)
goto err_sock;
}
+ qrtr_ns.saved_data_ready = qrtr_ns.sock->sk->sk_data_ready;
qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready;
sq.sq_port = QRTR_PORT_CTRL;
@@ -803,6 +805,10 @@ EXPORT_SYMBOL_GPL(qrtr_ns_init);
void qrtr_ns_remove(void)
{
+ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
+ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+
cancel_work_sync(&qrtr_ns.work);
destroy_workqueue(qrtr_ns.workqueue);
--
2.51.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs
2026-04-03 16:06 [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs Manivannan Sadhasivam via B4 Relay
` (4 preceding siblings ...)
2026-04-03 16:06 ` [PATCH v2 5/5] net: qrtr: ns: Fix use-after-free in driver remove() Manivannan Sadhasivam via B4 Relay
@ 2026-04-04 7:54 ` Manivannan Sadhasivam
5 siblings, 0 replies; 8+ messages in thread
From: Manivannan Sadhasivam @ 2026-04-04 7:54 UTC (permalink / raw)
To: Manivannan Sadhasivam, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman, linux-arm-msm, netdev,
linux-kernel, stable, Yiming Qian
On Fri, Apr 03, 2026 at 09:36:03PM +0530, Manivannan Sadhasivam via B4 Relay wrote:
> Hi,
>
> This series fixes a bunch of possible memory exhaustion issues in the QRTR
> nameserver.
>
Gosh. I messed up the cover letter. Please ignore the below:
> Manivannan Sadhasivam (2):
> net: qrtr: ns: Limit the maximum server registration per node
> net: qrtr: ns: Limit the maximum lookups per socket
>
> net/qrtr/ns.c | 38 ++++++++++++++++++++++++++++++++++----
> 1 file changed, 34 insertions(+), 4 deletions(-)
>
> --
> 2.51.0
>
Until here...
- Mani
> ---
> Manivannan Sadhasivam (5):
> net: qrtr: ns: Limit the maximum server registration per node
> net: qrtr: ns: Limit the maximum number of lookups
> net: qrtr: ns: Free the node during ctrl_cmd_bye()
> net: qrtr: ns: Limit the total number of nodes
> net: qrtr: ns: Fix use-after-free in driver remove()
>
> net/qrtr/ns.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++---------
> 1 file changed, 61 insertions(+), 10 deletions(-)
> ---
> base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
> change-id: 20260331-qrtr-fix-b502c26e5f46
>
> Best regards,
> --
> Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
>
>
--
மணிவண்ணன் சதாசிவம்
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2 5/5] net: qrtr: ns: Fix use-after-free in driver remove()
2026-04-03 16:06 ` [PATCH v2 5/5] net: qrtr: ns: Fix use-after-free in driver remove() Manivannan Sadhasivam via B4 Relay
@ 2026-04-07 15:33 ` Paolo Abeni
0 siblings, 0 replies; 8+ messages in thread
From: Paolo Abeni @ 2026-04-07 15:33 UTC (permalink / raw)
To: manivannan.sadhasivam, Manivannan Sadhasivam, David S. Miller,
Eric Dumazet, Jakub Kicinski, Simon Horman
Cc: linux-arm-msm, netdev, linux-kernel, stable
On 4/3/26 6:06 PM, Manivannan Sadhasivam via B4 Relay wrote:
> From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
>
> In the remove callback, if a packet arrives after destroy_workqueue() is
> called, but before sock_release(), the qrtr_ns_data_ready() callback will
> try to queue the work, causing use-after-free issue.
>
> Fix this issue by saving the default 'sk_data_ready' callback during
> qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at
> the start of remove(). This ensures that even if a packet arrives after
> destroy_workqueue(), the work struct will not be dereferenced.
>
> Cc: stable@vger.kernel.org
> Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
> ---
> net/qrtr/ns.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
> index dfb5dad9473c..c62d79e03d64 100644
> --- a/net/qrtr/ns.c
> +++ b/net/qrtr/ns.c
> @@ -25,6 +25,7 @@ static struct {
> u32 lookup_count;
> struct workqueue_struct *workqueue;
> struct work_struct work;
> + void (*saved_data_ready)(struct sock *sk);
> int local_node;
> } qrtr_ns;
>
> @@ -754,6 +755,7 @@ int qrtr_ns_init(void)
> goto err_sock;
> }
>
> + qrtr_ns.saved_data_ready = qrtr_ns.sock->sk->sk_data_ready;
> qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready;
>
> sq.sq_port = QRTR_PORT_CTRL;
> @@ -803,6 +805,10 @@ EXPORT_SYMBOL_GPL(qrtr_ns_init);
>
> void qrtr_ns_remove(void)
> {
> + write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
> + qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
> + write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
Sashiko says:
---
Does this lock adequately protect against concurrent callback execution?
In the network receive path, __sock_queue_rcv_skb() typically evaluates
!sock_flag(sk, SOCK_DEAD) and invokes sk->sk_data_ready() locklessly,
without acquiring sk_callback_lock or being in an RCU read-side
critical section.
If a thread processing a packet fetches the qrtr_ns_data_ready pointer
and is preempted, could it resume and execute the callback after
qrtr_ns_remove() has already finished destroying the workqueue?
---
There are more remarks from sashiko:
https://sashiko.dev/#/patchset/20260403-qrtr-fix-v2-0-f88a14859c63%40oss.qualcomm.com
AFAICS they are pre-existing issues or false positive, but please have a
look.
/P
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2026-04-07 15:34 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-03 16:06 [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 1/5] net: qrtr: ns: Limit the maximum server registration per node Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 2/5] net: qrtr: ns: Limit the maximum number of lookups Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 3/5] net: qrtr: ns: Free the node during ctrl_cmd_bye() Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 4/5] net: qrtr: ns: Limit the total number of nodes Manivannan Sadhasivam via B4 Relay
2026-04-03 16:06 ` [PATCH v2 5/5] net: qrtr: ns: Fix use-after-free in driver remove() Manivannan Sadhasivam via B4 Relay
2026-04-07 15:33 ` Paolo Abeni
2026-04-04 7:54 ` [PATCH v2 0/5] net: qrtr: ns: A bunch of fixs Manivannan Sadhasivam
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox