From: Hithashree Bojanala
To:
Cc: linux-kernel@vger.kernel.org, marcelo.leitner@gmail.com, davem@davemloft.net, edumazet@google.com, Hithashree Bojanala, syzbot+e94b93511bda261f4c43@syzkaller.appspotmail.com
Subject: [PATCH] Fix refcount bug in time scheduled paths
Date: Fri, 28 Nov 2025 11:40:23 -0500
Message-ID: <20251128164025.224958-1-bojanalahithashri@gmail.com>
X-Mailer: git-send-email 2.47.0

The SCTP heartbeat timer callback can cause a refcount underflow when
rescheduling the timer. The issue occurs when mod_timer() is called
inside sctp_generate_heartbeat_event() to reschedule an already-pending
timer.

The current approach only takes a reference if mod_timer() returns 0
(timer was not pending). However, when rescheduling inside a timer
callback, we're consuming the reference that was held for the current
timer firing. If we reschedule without taking a new reference, the
subsequent timer callback will do sctp_transport_put() without a
corresponding hold, leading to refcount underflow.

The fix is to always take a reference when rescheduling inside a timer
callback, since the callback will always drop a reference at the end.

Reported-by: syzbot+e94b93511bda261f4c43@syzkaller.appspotmail.com
Fixes: https://syzkaller.appspot.com/bug?extid=e94b93511bda261f4c43
Signed-off-by: Hithashree Bojanala
---
 net/sctp/sm_sideeffect.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 424f10a6fdba..733617781ed9 100644
--- a/net/sctp/sm_sideeffect.c +++ b/net/sctp/sm_sideeffect.c @@ -377,9 +377,10 @@ void sctp_generate_heartbeat_event(struct timer_list *= t) if (sock_owned_by_user(sk)) { pr_debug("%s: sock is busy\n", __func__); =20 - /* Try again later. */ - if (!mod_timer(&transport->hb_timer, jiffies + (HZ/20))) - sctp_transport_hold(transport); + /* Always hold a reference when rescheduling inside timer callback + * because this callback will put the reference at the end */ + sctp_transport_hold(transport); + mod_timer(&transport->hb_timer, jiffies + (HZ/20)); goto out_unlock; } =20 @@ -388,8 +389,10 @@ void sctp_generate_heartbeat_event(struct timer_list *= t) timeout =3D sctp_transport_timeout(transport); if (elapsed < timeout) { elapsed =3D timeout - elapsed; - if (!mod_timer(&transport->hb_timer, jiffies + elapsed)) - sctp_transport_hold(transport); + /* Always hold a reference when rescheduling inside timer callback + * because this callback will put the reference at the end*/ + sctp_transport_hold(transport); + mod_timer(&transport->hb_timer, jiffies + elapsed); goto out_unlock; } =20 --=20 2.47.0
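Review bot: the unconditional sctp_transport_hold() in the sock_owned_by_user() branch (hunk @@ -377,9 +377,10 @@) leaks a reference whenever mod_timer() returns nonzero. A timer is dequeued before its callback runs, so mod_timer() called from inside sctp_generate_heartbeat_event() returns 0 in the normal case and the removed `if (!mod_timer(&transport->hb_timer, jiffies + (HZ/20))) sctp_transport_hold(transport);` already took the hold that the put at the end of the callback balances; it returns 1 only when another path re-armed hb_timer concurrently, and that path already owns the pending timer's reference, so holding again leaves the count one too high per such race. Please keep the return-value check, or spell out in the changelog the concrete call sequence that leaves hb_timer pending with no reference, since the stated reasoning (a reschedule inside the callback that takes no reference) does not match what mod_timer() returns there. The `Fixes:` tag should also name the commit that introduced the bug; the syzkaller URL belongs in a `Closes:` tag.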
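Review bot: the same accounting change in the `elapsed < timeout` branch (hunk @@ -388,8 +389,10 @@) drops the only check that prevented double-holding when hb_timer was already pending, so the two hunks should be reconsidered together rather than one fixed and the other left. Separately, the new comment ends with `end*/` with no space before the terminator, and kernel style puts the closing `*/` of a multi-line comment on its own line:
 /* ... inside timer callback
  * because this callback will put the reference at the end
  */
The discarded return value of mod_timer() is now the only evidence of whether the timer was pending; if the unconditional hold is kept, a WARN_ON_ONCE() on a nonzero return would at least make the leak visible instead of silent.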
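As an added illustration of the reference accounting around hb_timer (example code written for this page, not part of the patch or of the kernel): a user-space model in which a pending timer owns exactly one reference, the timer is dequeued before its callback runs, and the callback drops one reference at the end, as the changelog says sctp_generate_heartbeat_event() does. Every name here (model_transport, model_mod_timer, model_hold, model_put, reschedule_guarded, reschedule_unconditional, fire_callback, refcount_after) is this example's own, and the concurrent re-arm by another context is modelled with the same guarded pattern the removed lines used, which is an assumption about the rest of the SCTP code rather than something the patch shows.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the transport: only the two fields the accounting depends on.
 * (Example-only type, not the kernel's struct sctp_transport.) */
struct model_transport {
	int refcnt;          /* stands in for the transport reference count */
	bool timer_pending;  /* true while hb_timer is queued, as timer_pending() reports */
};

/* Models mod_timer(): arms the timer and returns 1 if it was already
 * pending, 0 if it was not (the real function reports the same thing). */
static int model_mod_timer(struct model_transport *t)
{
	int was_pending = t->timer_pending ? 1 : 0;

	t->timer_pending = true;
	return was_pending;
}

static void model_hold(struct model_transport *t) { t->refcnt++; }
static void model_put(struct model_transport *t) { t->refcnt--; }

/* The pattern the patch removes: take a reference only if the timer was
 * not pending, because a pending timer already owns one. */
static void reschedule_guarded(struct model_transport *t)
{
	if (!model_mod_timer(t))
		model_hold(t);
}

/* The pattern the patch adds: take a reference unconditionally. */
static void reschedule_unconditional(struct model_transport *t)
{
	model_hold(t);
	model_mod_timer(t);
}

/* One firing of the callback.  The timer base dequeues the timer before
 * calling it; optionally another context re-arms it first (assumed to use
 * the guarded pattern); then the callback reschedules with the given policy
 * and drops the reference it was running with, as the real callback does
 * at its out_unlock label. */
static void fire_callback(struct model_transport *t,
			  void (*resched)(struct model_transport *),
			  bool rearmed_concurrently)
{
	t->timer_pending = false;
	if (rearmed_concurrently)
		reschedule_guarded(t);
	resched(t);
	model_put(t);
}

/* Arms the timer once on a transport holding a single owner reference (so
 * the balanced count is 2: owner + pending timer), fires the callback
 * `rounds` times and returns the resulting count.  Anything above 2 is a
 * leak; anything below 2 is an underflow waiting to happen. */
static int refcount_after(void (*resched)(struct model_transport *),
			  bool rearmed_concurrently, int rounds)
{
	struct model_transport t = { .refcnt = 1, .timer_pending = false };

	reschedule_guarded(&t);
	for (int i = 0; i < rounds; i++)
		fire_callback(&t, resched, rearmed_concurrently);
	return t.refcnt;
}

int main(void)
{
	printf("guarded, no race:        %d\n", refcount_after(reschedule_guarded, false, 5));
	printf("unconditional, no race:  %d\n", refcount_after(reschedule_unconditional, false, 5));
	printf("guarded, re-armed:       %d\n", refcount_after(reschedule_guarded, true, 5));
	printf("unconditional, re-armed: %d\n", refcount_after(reschedule_unconditional, true, 5));
	return 0;
}
```

Under this model both patterns stay balanced at 2 when nothing else touches the timer, because a dequeued timer makes mod_timer() return 0 and the guard takes the hold anyway; the patterns only diverge when the timer was re-armed concurrently, where the guarded version still returns 2 and the unconditional one gains a reference per firing. The model is the check a reviewer would want before accepting a change to hold/put pairing: write down who owns each reference, then walk the sequence.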