From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+942297eecf7d2d61d1f1@syzkaller.appspotmail.com,
Takamitsu Iwai <takamitz@amazon.co.jp>,
Kuniyuki Iwashima <kuniyu@google.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 61/95] net: rose: include node references in rose_neigh refcount
Date: Tue, 2 Sep 2025 15:20:37 +0200 [thread overview]
Message-ID: <20250902131941.946022064@linuxfoundation.org> (raw)
In-Reply-To: <20250902131939.601201881@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takamitsu Iwai <takamitz@amazon.co.jp>
[ Upstream commit da9c9c877597170b929a6121a68dcd3dd9a80f45 ]
Current implementation maintains two separate reference counting
mechanisms: the 'count' field in struct rose_neigh tracks references from
rose_node structures, while the 'use' field (now refcount_t) tracks
references from rose_sock.
This patch merges these two reference counting systems using 'use' field
for proper reference management. Specifically, this patch adds incrementing
and decrementing of rose_neigh->use when rose_neigh->count is incremented
or decremented.
This patch also modifies rose_rt_free(), rose_rt_device_down() and
rose_clear_route() to properly release references to rose_neigh objects
before freeing a rose_node through rose_remove_node().
These changes ensure rose_neigh structures are properly freed only when
all references, including those from rose_node structures, are released.
As a result, this resolves a slab-use-after-free issue reported by Syzbot.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+942297eecf7d2d61d1f1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=942297eecf7d2d61d1f1
Signed-off-by: Takamitsu Iwai <takamitz@amazon.co.jp>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250823085857.47674-4-takamitz@amazon.co.jp
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rose/rose_route.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 42460da0854d5..6acbb795c506d 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -178,6 +178,7 @@ static int __must_check rose_add_node(struct rose_route_struct *rose_route,
}
}
rose_neigh->count++;
+ rose_neigh_hold(rose_neigh);
goto out;
}
@@ -187,6 +188,7 @@ static int __must_check rose_add_node(struct rose_route_struct *rose_route,
rose_node->neighbour[rose_node->count] = rose_neigh;
rose_node->count++;
rose_neigh->count++;
+ rose_neigh_hold(rose_neigh);
}
out:
@@ -322,6 +324,7 @@ static int rose_del_node(struct rose_route_struct *rose_route,
for (i = 0; i < rose_node->count; i++) {
if (rose_node->neighbour[i] == rose_neigh) {
rose_neigh->count--;
+ rose_neigh_put(rose_neigh);
if (rose_neigh->count == 0) {
rose_remove_neigh(rose_neigh);
@@ -430,6 +433,7 @@ int rose_add_loopback_node(const rose_address *address)
rose_node_list = rose_node;
rose_loopback_neigh->count++;
+ rose_neigh_hold(rose_loopback_neigh);
out:
spin_unlock_bh(&rose_node_list_lock);
@@ -461,6 +465,7 @@ void rose_del_loopback_node(const rose_address *address)
rose_remove_node(rose_node);
rose_loopback_neigh->count--;
+ rose_neigh_put(rose_loopback_neigh);
out:
spin_unlock_bh(&rose_node_list_lock);
@@ -500,6 +505,7 @@ void rose_rt_device_down(struct net_device *dev)
memmove(&t->neighbour[i], &t->neighbour[i + 1],
sizeof(t->neighbour[0]) *
(t->count - i));
+ rose_neigh_put(s);
}
if (t->count <= 0)
@@ -543,6 +549,7 @@ static int rose_clear_routes(void)
{
struct rose_neigh *s, *rose_neigh;
struct rose_node *t, *rose_node;
+ int i;
spin_lock_bh(&rose_node_list_lock);
spin_lock_bh(&rose_neigh_list_lock);
@@ -553,8 +560,12 @@ static int rose_clear_routes(void)
while (rose_node != NULL) {
t = rose_node;
rose_node = rose_node->next;
- if (!t->loopback)
+
+ if (!t->loopback) {
+ for (i = 0; i < rose_node->count; i++)
+ rose_neigh_put(t->neighbour[i]);
rose_remove_node(t);
+ }
}
while (rose_neigh != NULL) {
@@ -1189,7 +1200,7 @@ static int rose_neigh_show(struct seq_file *seq, void *v)
(rose_neigh->loopback) ? "RSLOOP-0" : ax2asc(buf, &rose_neigh->callsign),
rose_neigh->dev ? rose_neigh->dev->name : "???",
rose_neigh->count,
- refcount_read(&rose_neigh->use) - 1,
+ refcount_read(&rose_neigh->use) - rose_neigh->count - 1,
(rose_neigh->dce_mode) ? "DCE" : "DTE",
(rose_neigh->restarted) ? "yes" : "no",
ax25_display_timer(&rose_neigh->t0timer) / HZ,
@@ -1294,6 +1305,7 @@ void __exit rose_rt_free(void)
struct rose_neigh *s, *rose_neigh = rose_neigh_list;
struct rose_node *t, *rose_node = rose_node_list;
struct rose_route *u, *rose_route = rose_route_list;
+ int i;
while (rose_neigh != NULL) {
s = rose_neigh;
@@ -1307,6 +1319,8 @@ void __exit rose_rt_free(void)
t = rose_node;
rose_node = rose_node->next;
+ for (i = 0; i < t->count; i++)
+ rose_neigh_put(t->neighbour[i]);
rose_remove_node(t);
}
--
2.50.1
next prev parent reply other threads:[~2025-09-02 13:35 UTC|newest]
Thread overview: 108+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-02 13:19 [PATCH 6.12 00/95] 6.12.45-rc1 review Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 01/95] tools/latency-collector: Check pkg-config install Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 02/95] rtla: " Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 03/95] trace/fgraph: Fix the warning caused by missing unregister notifier Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 04/95] of: dynamic: Fix memleak when of_pci_add_properties() failed Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 05/95] pinctrl: STMFX: add missing HAS_IOMEM dependency Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 06/95] mips: dts: lantiq: danube: add missing burst length property Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 07/95] mips: lantiq: xway: sysctrl: rename the etop node Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 08/95] of: dynamic: Fix use after free in of_changeset_add_prop_helper() Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 09/95] ftrace: Fix potential warning in trace_printk_seq during ftrace_dump Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 10/95] perf symbol-minimal: Fix ehdr reading in filename__read_build_id Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 11/95] vhost: Fix ioctl # for VHOST_[GS]ET_FORK_FROM_OWNER Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 12/95] scsi: core: sysfs: Correct sysfs attributes access rights Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 13/95] smb: client: fix race with concurrent opens in unlink(2) Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 14/95] smb: client: fix race with concurrent opens in rename(2) Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 15/95] ASoC: codecs: tx-macro: correct tx_macro_component_drv name Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 16/95] erofs: fix atomic context detection when !CONFIG_DEBUG_LOCK_ALLOC Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 17/95] ACPI: EC: Add device to acpi_ec_no_wakeup[] qurik list Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 18/95] vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 19/95] net: ipv4: fix regression in local-broadcast routes Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 20/95] drm/msm: Defer fd_install in SUBMIT ioctl Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 21/95] of: reserved_mem: Restructure call site for dma_contiguous_early_fixup() Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 22/95] drm/msm/kms: move snapshot init earlier in KMS init Greg Kroah-Hartman
2025-09-02 13:19 ` [PATCH 6.12 23/95] drm/msm: update the high bitfield of certain DSI registers Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 24/95] drm/mediatek: Add error handling for old state CRTC in atomic_disable Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 25/95] powerpc/kvm: Fix ifdef to remove build warning Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 26/95] HID: input: rename hidinput_set_battery_charge_status() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 27/95] HID: input: report battery status changes immediately Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 28/95] net: macb: fix unregister_netdev call order in macb_remove() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 29/95] Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 30/95] Bluetooth: hci_event: Mark connection as closed during suspend disconnect Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 31/95] Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 32/95] Bluetooth: hci_sync: fix set_local_name race condition Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 33/95] atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 34/95] drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 35/95] drm/nouveau: remove unused memory target test Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 36/95] ice: dont leave device non-functional if Tx scheduler config fails Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 37/95] ice: use fixed adapter index for E825C embedded devices Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 38/95] ice: fix incorrect counter for buffer allocation failures Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 39/95] dt-bindings: display/msm: qcom,mdp5: drop lut clock Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 40/95] net: dlink: fix multicast stats being counted incorrectly Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 41/95] efi: stmm: Fix incorrect buffer allocation method Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 42/95] drm/xe/xe_sync: avoid race during ufence signaling Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 43/95] drm/xe: Dont trigger rebind on initial dma-buf validation Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 44/95] phy: mscc: Fix when PTP clock is register and unregister Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 45/95] bnxt_en: Fix memory corruption when FW resources change during ifdown Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 46/95] bnxt_en: Adjust TX rings if reservation is less than requested Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 47/95] bnxt_en: Fix stats context reservation logic Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 48/95] net/mlx5: Reload auxiliary drivers on fw_activate Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 49/95] net/mlx5: Fix lockdep assertion on sync reset unload event Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 50/95] net/mlx5: Nack sync reset when SFs are present Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 51/95] net/mlx5e: Update and set Xon/Xoff upon MTU set Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 52/95] net/mlx5e: Update and set Xon/Xoff upon port speed set Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 53/95] net/mlx5e: Set local Xoff after FW update Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 54/95] net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 55/95] net: stmmac: xgmac: Correct supported speed modes Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 56/95] net: stmmac: Set CIC bit only for TX queues with COE Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 57/95] hv_netvsc: Link queues to NAPIs Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 58/95] net: hv_netvsc: fix loss of early receive events from host during channel open Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 59/95] net: rose: split remove and free operations in rose_remove_neigh() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 60/95] net: rose: convert use field to refcount_t Greg Kroah-Hartman
2025-09-02 13:20 ` Greg Kroah-Hartman [this message]
2025-09-02 13:20 ` [PATCH 6.12 62/95] sctp: initialize more fields in sctp_v6_from_sk() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 63/95] l2tp: do not use sock_hold() in pppol2tp_session_get_sock() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 64/95] fbnic: Move phylink resume out of service_task and into open/close Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 65/95] efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 66/95] net: macb: Disable clocks once Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 67/95] KVM: x86: use array_index_nospec with indices that come from guest Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 68/95] RISC-V: KVM: fix stack overrun when loading vlenb Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 69/95] x86/microcode/AMD: Handle the case of no BIOS microcode Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 70/95] x86/cpu/topology: Use initial APIC ID from XTOPOLOGY leaf on AMD/HYGON Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 71/95] HID: asus: fix UAF via HID_CLAIMED_INPUT validation Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 72/95] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 73/95] HID: quirks: add support for Legion Go dual dinput modes Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 74/95] HID: logitech: Add ids for G PRO 2 LIGHTSPEED Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 75/95] HID: wacom: Add a new Art Pen 2 Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 76/95] HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 77/95] Revert "drm/amdgpu: fix incorrect vm flags to map bo" Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 78/95] blk-zoned: Fix a lockdep complaint about recursive locking Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 79/95] dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 80/95] fs/smb: Fix inconsistent refcnt update Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 81/95] net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 82/95] smb3 client: fix return code mapping of remap_file_range Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.12 83/95] xfs: do not propagate ENODATA disk errors into xattr code Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 84/95] drm/xe/vm: Clear the scratch_pt pointer on error Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 85/95] drm/nouveau/disp: Always accept linear modifier Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 86/95] drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 87/95] drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 88/95] drm/amd/amdgpu: disable hwmon power1_cap* for gfx 11.0.3 on vf mode Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 89/95] net: rose: fix a typo in rose_clear_routes() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 90/95] PCI: Rename PCIE_RESET_CONFIG_DEVICE_WAIT_MS to PCIE_RESET_CONFIG_WAIT_MS Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 91/95] PCI: dwc: Ensure that dw_pcie_wait_for_link() waits 100 ms after link up Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 92/95] Revert "drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS" Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 93/95] thermal/drivers/mediatek/lvts_thermal: Change lvts commands array to static const Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 94/95] thermal/drivers/mediatek/lvts_thermal: Add lvts commands and their sizes to driver data Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.12 95/95] thermal/drivers/mediatek/lvts_thermal: Add mt7988 lvts commands Greg Kroah-Hartman
2025-09-02 16:29 ` 6.12.45-rc1 review Brett A C Sheffield
2025-09-02 18:03 ` [PATCH 6.12 00/95] " Jon Hunter
2025-09-02 19:30 ` Florian Fainelli
2025-09-03 7:43 ` Pavel Machek
2025-09-03 8:16 ` Naresh Kamboju
2025-09-03 8:56 ` Ron Economos
2025-09-03 10:47 ` Mark Brown
2025-09-03 13:12 ` Jules Maselbas
2025-09-03 13:28 ` Brett Mastbergen
2025-09-03 13:34 ` Jules Maselbas
2025-09-03 13:58 ` Peter Schneider
2025-09-03 14:17 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250902131941.946022064@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+942297eecf7d2d61d1f1@syzkaller.appspotmail.com \
--cc=takamitz@amazon.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).