* [BUG] rose/ax25: use-after-free in rose_transmit_restart_request()
From: capyenglishlite @ 2026-05-13 16:27 UTC
To: netdev

Hi all,

I am reporting a use-after-free in the ROSE/AX.25 networking subsystem.

Bug:
In rose_transmit_restart_request() (net/rose/rose_link.c),
ax25_send_frame() accesses a rose_neigh object after it may be freed
by rose_neigh_put() in rose_t0timer_expiry().

Root cause:
Missing reference hold across timer vs transmit race.

Fix:
    rose_neigh_hold(neigh);
    ax25_send_frame(...);
    rose_neigh_put(neigh);

Syzbot report:
https://syzkaller.appspot.com/bug?extid=9c8999af06ca7df15fc6

Best regards,
Afi0
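
An added example, not part of the original message and not kernel code: a single-threaded userspace C model of the timer vs transmit race described in the report, with the worst-case interleaving forced so the outcome is deterministic. The struct, the `live` flag and every function name are hypothetical, and the model assumes the timer holds the only reference when the transmit path starts.

```c
/* Userspace model (constructed), not kernel code; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
struct neigh_model {
    int  refcnt; /* references currently held */
    bool live;   /* cleared where the real code would free the object */
};

static void neigh_hold(struct neigh_model *n) { n->refcnt++; }
static void neigh_put(struct neigh_model *n)
{
    if (--n->refcnt == 0)
        n->live = false; /* stands in for the free; storage stays valid here */
}

static void timer_expiry(struct neigh_model *n) { neigh_put(n); } /* timer drops its ref */

/* Send path: timer fires mid-call (forced worst case), then n is touched again. */
static bool send_frame(struct neigh_model *n)
{
    timer_expiry(n);
    return !n->live; /* the late access: true means the object was already dead */
}

/* Transmit path; with_hold selects the hold/put bracket from the report. */
static bool transmit_restart(struct neigh_model *n, bool with_hold)
{
    if (with_hold) neigh_hold(n);
    bool stale = send_frame(n);
    if (with_hold) neigh_put(n);
    return stale;
}

/* One scenario on a fresh object whose only reference is the timer's. */
static bool run(bool with_hold, struct neigh_model *out)
{
    struct neigh_model n = { .refcnt = 1, .live = true };
    bool stale = transmit_restart(&n, with_hold);
    *out = n; /* final state, so the caller can check the object was released */
    return stale;
}

int main(void)
{
    struct neigh_model end;
    printf("no hold:   stale access = %d\n", run(false, &end));
    printf("with hold: stale access = %d\n", run(true, &end));
    return 0;
}
```

The bracket only helps when the hold is taken while the caller still has a guaranteed-live pointer; a hold taken after the last put has already run is itself a use-after-free.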