From: Manivannan Sadhasivam via B4 Relay
Date: Fri, 03 Apr 2026 21:36:08 +0530
Subject: [PATCH v2 5/5] net: qrtr: ns: Fix use-after-free in driver remove()
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260403-qrtr-fix-v2-5-f88a14859c63@oss.qualcomm.com>
References: <20260403-qrtr-fix-v2-0-f88a14859c63@oss.qualcomm.com>
In-Reply-To: <20260403-qrtr-fix-v2-0-f88a14859c63@oss.qualcomm.com>
To: Manivannan Sadhasivam, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Manivannan Sadhasivam
X-Mailer: b4 0.15.0
X-Original-From: Manivannan Sadhasivam
Reply-To: manivannan.sadhasivam@oss.qualcomm.com
From: Manivannan Sadhasivam

In the remove callback, if a packet arrives after destroy_workqueue() is
called, but before sock_release(), the qrtr_ns_data_ready() callback will
try to queue the work, causing a use-after-free issue.

Fix this issue by saving the default 'sk_data_ready' callback during
qrtr_ns_init() and using it to replace the qrtr_ns_data_ready() callback at
the start of remove(). This ensures that even if a packet arrives after
destroy_workqueue(), the work struct will not be dereferenced.

Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam
---
 net/qrtr/ns.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index dfb5dad9473c..c62d79e03d64 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -25,6 +25,7 @@ static struct {
 	u32 lookup_count;
 	struct workqueue_struct *workqueue;
 	struct work_struct work;
+	void (*saved_data_ready)(struct sock *sk);
 	int local_node;
 } qrtr_ns;
 
@@ -754,6 +755,7 @@ int qrtr_ns_init(void)
 		goto err_sock;
 	}
 
+	qrtr_ns.saved_data_ready = qrtr_ns.sock->sk->sk_data_ready;
 	qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready;
 
 	sq.sq_port = QRTR_PORT_CTRL;
@@ -803,6 +805,10 @@ EXPORT_SYMBOL_GPL(qrtr_ns_init);
 
 void qrtr_ns_remove(void)
 {
+	write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+	qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
+	write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+
 	cancel_work_sync(&qrtr_ns.work);
 	destroy_workqueue(qrtr_ns.workqueue);
 

-- 
2.51.0
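Review bot: in the qrtr_ns_init() hunk the read of sk_data_ready into saved_data_ready and the install of qrtr_ns_data_ready happen without sk->sk_callback_lock, while the restore in the qrtr_ns_remove() hunk takes write_lock_bh() on it. That asymmetry is only safe because the control port is not bound yet at this point (sq.sq_port = QRTR_PORT_CTRL is filled in after these lines), so nothing can invoke sk_data_ready in between; a one-line comment saying so, or taking write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock) around the two assignments for symmetry, would keep the next reader from treating it as an oversight.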
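Review bot: in the qrtr_ns_remove() hunk, write_lock_bh(&sk->sk_callback_lock) around the restore only excludes callers that load sk_data_ready under read_lock(&sk->sk_callback_lock); a receive path on another CPU that has already loaded qrtr_ns_data_ready before the restore can still call queue_work() after cancel_work_sync() and destroy_workqueue() have run, and nothing in this patch shows that the qrtr receive path takes that lock. Please either state in the commit message that every caller of sk_data_ready on this socket reads it under sk_callback_lock, or make qrtr_ns_data_ready() itself check a teardown flag under the same lock before queue_work(). The ordering restore, then cancel_work_sync(&qrtr_ns.work), then destroy_workqueue(qrtr_ns.workqueue) is otherwise the right one: any work queued before the restore is flushed by cancel_work_sync() before the workqueue goes away.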
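The teardown race the commit message describes, modelled in userspace as an added example. This is not the patch's or the kernel's code: struct ns_sock, struct ns_wq, struct ns_state and the ns_* functions are stand-ins assumed for the model, with the same life cycle as the socket, workqueue and qrtr_ns_* helpers, and instrumented so that a queue_work() on a destroyed workqueue is counted instead of touching freed memory.

```c
/*
 * Userspace model of the qrtr_ns teardown ordering. Added example, not kernel
 * code: ns_sock, ns_wq and the ns_* functions are assumed stand-ins for the
 * socket, the workqueue and the qrtr_ns_* helpers.
 */
#include <stdbool.h>
#include <stdlib.h>

struct ns_sock;
typedef void (*data_ready_fn)(struct ns_sock *sk);

struct ns_wq { bool alive; };				/* cleared by ns_destroy_workqueue() */
struct ns_sock { data_ready_fn sk_data_ready; void *owner; };

struct ns_state {
	struct ns_sock *sock;
	struct ns_wq *workqueue;
	bool work_pending;
	data_ready_fn saved_data_ready;			/* what the patch adds */
	int bad_queue_work;				/* queue_work() after destroy */
};

/* The callback the socket comes with: never touches qrtr_ns state. */
static void default_data_ready(struct ns_sock *sk) { (void)sk; }

/* Stand-in for qrtr_ns_data_ready(): queue_work(qrtr_ns.workqueue, &qrtr_ns.work). */
static void ns_data_ready(struct ns_sock *sk)
{
	struct ns_state *ns = sk->owner;

	if (!ns->workqueue->alive) {	/* in the kernel this is the use-after-free */
		ns->bad_queue_work++;
		return;
	}
	ns->work_pending = true;
}

/* Stand-in for qrtr_ns_init(): create socket and workqueue, swap in the callback. */
static void ns_init(struct ns_state *ns)
{
	ns->sock = calloc(1, sizeof(*ns->sock));
	ns->workqueue = calloc(1, sizeof(*ns->workqueue));
	if (!ns->sock || !ns->workqueue)
		abort();
	ns->workqueue->alive = true;
	ns->work_pending = false;
	ns->bad_queue_work = 0;
	ns->sock->owner = ns;
	ns->sock->sk_data_ready = default_data_ready;
	ns->saved_data_ready = ns->sock->sk_data_ready;	/* patched init */
	ns->sock->sk_data_ready = ns_data_ready;
}

static void ns_cancel_work_sync(struct ns_state *ns) { ns->work_pending = false; }
static void ns_destroy_workqueue(struct ns_state *ns) { ns->workqueue->alive = false; }

/*
 * Stand-in for qrtr_ns_remove(). 'fixed' selects the patched ordering (restore
 * sk_data_ready first). One packet is delivered in the window the commit
 * message names: after destroy_workqueue(), before sock_release().
 * 'stale_reader' models a receive path that loaded sk_data_ready before the
 * restore and calls it afterwards. Returns how many queue_work() calls hit
 * the destroyed workqueue.
 */
static int ns_remove(struct ns_state *ns, bool fixed, bool stale_reader)
{
	data_ready_fn stale = ns->sock->sk_data_ready;

	if (fixed)
		ns->sock->sk_data_ready = ns->saved_data_ready;
	ns_cancel_work_sync(ns);
	ns_destroy_workqueue(ns);

	/* Packet arrives here, before sock_release(). */
	if (stale_reader)
		stale(ns->sock);
	else
		ns->sock->sk_data_ready(ns->sock);

	free(ns->sock);					/* sock_release() */
	free(ns->workqueue);
	return ns->bad_queue_work;
}

/* One init/remove cycle; see ns_remove() for the flags. */
static int run(bool fixed, bool stale_reader)
{
	struct ns_state ns;

	ns_init(&ns);
	return ns_remove(&ns, fixed, stale_reader);
}
```

run(false, false) reproduces the bug: the unpatched ordering lets the packet reach ns_data_ready() after the workqueue is gone. run(true, false) shows the patched ordering, where the packet lands in default_data_ready() and nothing is queued. run(true, true) is the residual case the callback swap alone does not cover: a caller that loaded the old pointer before the restore. Whether the real qrtr receive path can be that caller depends on whether it reads sk_data_ready under sk_callback_lock, which the patch does not show.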