[PATCH net 1/1] net/rose: hold listener socket during call request handling

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH net 1/1] net/rose: hold listener socket during call request handling
       [not found] <cover.1776327338.git.tonanli66@gmail.com>
@ 2026-04-17 11:01 ` Ren Wei
  2026-04-20 16:26   ` Simon Horman
  2026-04-21 11:23   ` Paolo Abeni
  0 siblings, 2 replies; 4+ messages in thread
From: Ren Wei @ 2026-04-17 11:01 UTC (permalink / raw)
  To: linux-hams, netdev
  Cc: davem, edumazet, kuba, pabeni, horms, kees, takamitz, kuniyu,
	jiayuan.chen, mingo, stanksal, jlayton, yifanwucs, tomapufckgml,
	bird, yuantan098, tonanli66, n05ec

From: Nan Li <tonanli66@gmail.com>

The call request receive path keeps using the listener socket after the
lookup lock has been dropped. Keep the listener alive across the
remaining validation and child socket setup by taking a reference in the
lookup path and releasing it once request handling is finished.

This makes listener lifetime handling explicit and avoids races with
concurrent socket teardown.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Nan Li <tonanli66@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 net/rose/af_rose.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index d5032840ee48..c96325e54a86 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -277,8 +277,10 @@ static struct sock *rose_find_listener(rose_address *addr, ax25_address *call)
 
 		if (!rosecmp(&rose->source_addr, addr) &&
 		    !ax25cmp(&rose->source_call, call) &&
-		    !rose->source_ndigis && s->sk_state == TCP_LISTEN)
+		    !rose->source_ndigis && s->sk_state == TCP_LISTEN) {
+			sock_hold(s);
 			goto found;
+		}
 	}
 
 	sk_for_each(s, &rose_list) {
@@ -286,8 +288,10 @@ static struct sock *rose_find_listener(rose_address *addr, ax25_address *call)
 
 		if (!rosecmp(&rose->source_addr, addr) &&
 		    !ax25cmp(&rose->source_call, &null_ax25_address) &&
-		    s->sk_state == TCP_LISTEN)
+		    s->sk_state == TCP_LISTEN) {
+			sock_hold(s);
 			goto found;
+		}
 	}
 	s = NULL;
 found:
@@ -1056,10 +1060,13 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
 	/*
 	 * We can't accept the Call Request.
 	 */
-	if (sk == NULL || sk_acceptq_is_full(sk) ||
+	if (sk == NULL)
+		goto out_clear_request;
+
+	if (sk_acceptq_is_full(sk) ||
 	    (make = rose_make_new(sk)) == NULL) {
-		rose_transmit_clear_request(neigh, lci, ROSE_NETWORK_CONGESTION, 120);
-		return 0;
+		sock_put(sk);
+		goto out_clear_request;
 	}
 
 	skb->sk     = make;
@@ -1110,7 +1117,14 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
 	if (!sock_flag(sk, SOCK_DEAD))
 		sk->sk_data_ready(sk);
 
+	sock_put(sk);
+
 	return 1;
+
+out_clear_request:
+	rose_transmit_clear_request(neigh, lci, ROSE_NETWORK_CONGESTION, 120);
+
+	return 0;
 }
 
 static int rose_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net 1/1] net/rose: hold listener socket during call request handling
  2026-04-17 11:01 ` [PATCH net 1/1] net/rose: hold listener socket during call request handling Ren Wei
@ 2026-04-20 16:26   ` Simon Horman
  2026-04-20 19:11     ` Yuan Tan
  2026-04-21 11:23   ` Paolo Abeni
  1 sibling, 1 reply; 4+ messages in thread
From: Simon Horman @ 2026-04-20 16:26 UTC (permalink / raw)
  To: Ren Wei
  Cc: linux-hams, netdev, davem, edumazet, kuba, pabeni, kees, takamitz,
	kuniyu, jiayuan.chen, mingo, stanksal, jlayton, yifanwucs,
	tomapufckgml, bird, yuantan098, tonanli66

On Fri, Apr 17, 2026 at 07:01:51PM +0800, Ren Wei wrote:
> From: Nan Li <tonanli66@gmail.com>
> 
> The call request receive path keeps using the listener socket after the
> lookup lock has been dropped. Keep the listener alive across the
> remaining validation and child socket setup by taking a reference in the
> lookup path and releasing it once request handling is finished.
> 
> This makes listener lifetime handling explicit and avoids races with
> concurrent socket teardown.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@kernel.org
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Co-developed-by: Yuan Tan <yuantan098@gmail.com>
> Signed-off-by: Yuan Tan <yuantan098@gmail.com>
> Signed-off-by: Nan Li <tonanli66@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
>  net/rose/af_rose.c | 24 +++++++++++++++++++-----
>  1 file changed, 19 insertions(+), 5 deletions(-)

Reviewed-by: Simon Horman <horms@kernel.org>

Sachiko has provided some feedback on this patch.
I do not believe they relate to shortcomings in this patch,
and I do not believe they should block progress of this patch.
You may want to look over them for areas to investigate as follow-up
(maybe you already did :)

...

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net 1/1] net/rose: hold listener socket during call request handling
  2026-04-20 16:26   ` Simon Horman
@ 2026-04-20 19:11     ` Yuan Tan
  0 siblings, 0 replies; 4+ messages in thread
From: Yuan Tan @ 2026-04-20 19:11 UTC (permalink / raw)
  To: Simon Horman, Ren Wei
  Cc: yuantan098, linux-hams, netdev, davem, edumazet, kuba, pabeni,
	kees, takamitz, kuniyu, jiayuan.chen, mingo, stanksal, jlayton,
	yifanwucs, tomapufckgml, bird, tonanli66


On 4/20/2026 9:26 AM, Simon Horman wrote:
> On Fri, Apr 17, 2026 at 07:01:51PM +0800, Ren Wei wrote:
>> From: Nan Li <tonanli66@gmail.com>
>>
>> The call request receive path keeps using the listener socket after the
>> lookup lock has been dropped. Keep the listener alive across the
>> remaining validation and child socket setup by taking a reference in the
>> lookup path and releasing it once request handling is finished.
>>
>> This makes listener lifetime handling explicit and avoids races with
>> concurrent socket teardown.
>>
>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>> Cc: stable@kernel.org
>> Reported-by: Yifan Wu <yifanwucs@gmail.com>
>> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
>> Reported-by: Xin Liu <bird@lzu.edu.cn>
>> Co-developed-by: Yuan Tan <yuantan098@gmail.com>
>> Signed-off-by: Yuan Tan <yuantan098@gmail.com>
>> Signed-off-by: Nan Li <tonanli66@gmail.com>
>> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
>> ---
>>  net/rose/af_rose.c | 24 +++++++++++++++++++-----
>>  1 file changed, 19 insertions(+), 5 deletions(-)
> Reviewed-by: Simon Horman <horms@kernel.org>
>
> Sachiko has provided some feedback on this patch.
> I do not believe they relate to shortcomings in this patch,
> and I do not believe they should block progress of this patch.
> You may want to look over them for areas to investigate as follow-up
> (maybe you already did :)
>
> ...


Thanks for your review! Yes this module still has other issues that
haven't been fixed. We'll finish what we're currently working on and
then take a look :)


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net 1/1] net/rose: hold listener socket during call request handling
  2026-04-17 11:01 ` [PATCH net 1/1] net/rose: hold listener socket during call request handling Ren Wei
  2026-04-20 16:26   ` Simon Horman
@ 2026-04-21 11:23   ` Paolo Abeni
  1 sibling, 0 replies; 4+ messages in thread
From: Paolo Abeni @ 2026-04-21 11:23 UTC (permalink / raw)
  To: Ren Wei, linux-hams, netdev
  Cc: davem, edumazet, kuba, horms, kees, takamitz, kuniyu,
	jiayuan.chen, mingo, stanksal, jlayton, yifanwucs, tomapufckgml,
	bird, yuantan098, tonanli66

On 4/17/26 1:01 PM, Ren Wei wrote:
> From: Nan Li <tonanli66@gmail.com>
> 
> The call request receive path keeps using the listener socket after the
> lookup lock has been dropped. Keep the listener alive across the
> remaining validation and child socket setup by taking a reference in the
> lookup path and releasing it once request handling is finished.
> 
> This makes listener lifetime handling explicit and avoids races with
> concurrent socket teardown.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@kernel.org
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Co-developed-by: Yuan Tan <yuantan098@gmail.com>
> Signed-off-by: Yuan Tan <yuantan098@gmail.com>
> Signed-off-by: Nan Li <tonanli66@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>

we are moving rose out of tree:

https://lore.kernel.org/netdev/20260421021824.1293976-1-kuba@kernel.org/

please hold off until Thursday (after that our net PR will land into
mainline), and eventually resend if the code still exists in Linus's
tree at that point.

Thanks,

Paolo


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-04-21 11:23 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <cover.1776327338.git.tonanli66@gmail.com>
2026-04-17 11:01 ` [PATCH net 1/1] net/rose: hold listener socket during call request handling Ren Wei
2026-04-20 16:26   ` Simon Horman
2026-04-20 19:11     ` Yuan Tan
2026-04-21 11:23   ` Paolo Abeni

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox