From: Bernard Pidoux
To: netdev@vger.kernel.org
Cc: linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, Bernard Pidoux
Subject: [PATCH net 1/5] rose: fix dev_put() leak in rose_loopback_timer()
Date: Sun, 26 Apr 2026 16:43:01 +0200
Message-ID: <20260426144305.984349-2-bernard.f6bvp@gmail.com>
In-Reply-To: <20260426144305.984349-1-bernard.f6bvp@gmail.com>
References: <20260426144305.984349-1-bernard.f6bvp@gmail.com>

rose_rx_call_request() always consumes or returns the skb but never releases the device reference obtained from rose_dev_get(). When rose_rx_call_request() succeeds (returns non-zero) dev_put() was never called, leaking one reference per loopback CALL_REQUEST.

Move dev_put() outside the conditional so it is called unconditionally after rose_rx_call_request() in all cases.

Also remove the dead check (!rose_loopback_neigh->dev && !rose_loopback_neigh->loopback) that immediately precedes it: the loopback neighbour always has loopback=1 so this condition can never be true.

Fixes: 0453c6824595 ("net/rose: fix unbound loop in rose_loopback_timer()")
Tested-by: Bernard Pidoux
Signed-off-by: Bernard Pidoux
---
 net/rose/rose_loopback.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index b538e39b3df5..914c8f453a1d 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -96,22 +96,15 @@ static void rose_loopback_timer(struct timer_list *unus= ed) } =20 if (frametype =3D=3D ROSE_CALL_REQUEST) { - if (!rose_loopback_neigh->dev && - !rose_loopback_neigh->loopback) { - kfree_skb(skb); - continue; - } - dev =3D rose_dev_get(dest); if (!dev) { kfree_skb(skb); continue; } =20 - if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) =3D=3D 0= ) { - dev_put(dev); + if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) =3D=3D 0) kfree_skb(skb); - } + dev_put(dev); } else { kfree_skb(skb); } --=20 2.51.0 From nobody Fri Jun 19 07:45:37 2026 Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 40C3236604F for ; Sun, 26 Apr 2026 14:43:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.47 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777214591; cv=none; b=sNy7X4AW3jzX2tgRZ2t99MvaShuW+Uc181B0rmN9WPJNstQ++kUzV7BN9Ew9/uAtJ0DL9pO3njfd8SBIItOX16hhz1RE90xH71Ab0bPpkFbDdJmysnz0N4Sj9cQ40jrElWTz9CDcTeYN5wMVN0mECRst44wceoDJfI89uuWei0s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777214591; c=relaxed/simple; bh=GTNaJU5rfiK/7CNFGset7McFd/fW6p7Tcwie3dvvoTM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ImoBt2epjuJKZgTOOgbgpU9s9OMa3WNMFuDkUgrDMEwSIP+AhNPG25aadJr8YRYVL8rTCD2qCNQ54o10TxFvTEnuYvkvEMKMb/2MDenWrs1p3c5v8lomDU/w4YR46jQO703IixXdWmJUomKuqKnKWUlrxWHWIOqEI++0Y2rTZ6M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=D3AqaEBx; arc=none smtp.client-ip=209.85.128.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) 
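Review bot: Before making dev_put() unconditional in the rose_loopback_timer() hunk, confirm that rose_rx_call_request() does not keep the device reference when it accepts the call. The pre-patch code only dropped the reference on the `== 0` (rejected) path, which is the usual shape when the callee takes ownership of the caller's reference on success and releases it at socket teardown; if that is what rose_rx_call_request() does, this change turns a supposed leak into a refcount underflow. The commit message should point at the place in rose_rx_call_request() that shows the reference is neither stored nor released, or the put should stay on the failure path only. Separately, dropping the `!rose_loopback_neigh->dev && !rose_loopback_neigh->loopback` check is a cleanup unrelated to the leak; for a Fixes: patch aimed at net, keep the hunk to the reference handling and send the dead-code removal on its own.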
From: Bernard Pidoux
To: netdev@vger.kernel.org
Cc: linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, Bernard Pidoux
Subject: [PATCH net 2/5] rose: hold loopback neighbour reference across timer callback
Date: Sun, 26 Apr 2026 16:43:02 +0200
Message-ID: <20260426144305.984349-3-bernard.f6bvp@gmail.com>
In-Reply-To: <20260426144305.984349-1-bernard.f6bvp@gmail.com>
References: <20260426144305.984349-1-bernard.f6bvp@gmail.com>

rose_loopback_timer() dereferences rose_loopback_neigh throughout its body but holds no reference on it. A concurrent rose_loopback_clear() followed by rose_add_loopback_neigh() could free and reallocate the neighbour while the timer body is running, causing a use-after-free.

Take a reference with rose_neigh_hold() at the start of the callback (bailing out if the pointer is already NULL) and release it with rose_neigh_put() at the single exit point. The neigh cannot be freed while the callback holds a reference.

Fixes: d860d1faa6b2 ("net: rose: convert 'use' field to refcount_t")
Tested-by: Bernard Pidoux
Signed-off-by: Bernard Pidoux
---
 net/rose/rose_loopback.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index 914c8f453a1d..d66913df360d 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -66,10 +66,15 @@ static void rose_loopback_timer(struct timer_list *unus= ed) unsigned int lci_i, lci_o; int count; =20 + if (rose_loopback_neigh) + rose_neigh_hold(rose_loopback_neigh); + else + return; + for (count =3D 0; count < ROSE_LOOPBACK_LIMIT; count++) { skb =3D skb_dequeue(&loopback_queue); if (!skb) - return; + goto out; if (skb->len < ROSE_MIN_LEN) { kfree_skb(skb); continue; 
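Review bot: The new hold at the top of rose_loopback_timer() tests rose_loopback_neigh and then passes the global to rose_neigh_hold() as a second read, so the pointer is re-read between the NULL check and the hold; the rose_loopback_clear()/rose_add_loopback_neigh() sequence the commit message describes can still run in that gap, and the hold then lands on a freed or different object. Read the pointer once into a local (`struct rose_neigh *neigh = READ_ONCE(rose_loopback_neigh); if (!neigh) return;`), take the hold on that local, and pass the local to the rose_rx_call_request() call further down instead of the global. Incrementing the refcount of an object that may already be freed is itself the use-after-free this patch wants to remove, so the hold needs to be taken under whatever lock the clear path uses when it drops the neighbour, or the commit message should say why that cannot happen here. Style-wise, the `if (x) hold; else return;` inversion reads more naturally as an early return.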
@@ -109,6 +114,10 @@ static void rose_loopback_timer(struct timer_list *unu= sed) kfree_skb(skb); } } + +out: + rose_neigh_put(rose_loopback_neigh); + if (!skb_queue_empty(&loopback_queue)) mod_timer(&loopback_timer, jiffies + 1); } --=20 2.51.0 From nobody Fri Jun 19 07:45:37 2026 Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F2508366DB4 for ; Sun, 26 Apr 2026 14:43:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777214594; cv=none; b=K8NJW9gb1Grs7IucJsVicKCacgcWGS30vM3Dt1KYtm5nwk3bg7hxvJkAgtqvfMWQXeG91/vWVXEmR833jH8HBN074dYJjyrMAHw6i6iSjEvto3p38Xt0ZHvhdysZ0md0sAeYv4QVr2OXKFvAKWBlH8HnzKWwhw27CKAqbaklthg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777214594; c=relaxed/simple; bh=Re4gp72M+Kx1ob9peixynICA2ch+YUmknvJWbzp+frY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lKYkSq/OQYE2o9ZxXZprUxKb+OWrQjf5vS2Jlkg1ZF36jJxc+KgeOf0f0AwdRnXhCdiqwlaTZiH2XgFUrbJi/8TNIwoHDZAREsLTjtPCUi1JzerKGOTQ5C5tWn99qquwrganimKneqlfhQmu6z7dCjtJUqv0lpDGqvUpfq4cypM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=QfRKprcb; arc=none smtp.client-ip=209.85.128.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="QfRKprcb" Received: by mail-wm1-f49.google.com with SMTP id 
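Review bot: The `out:` label calls rose_neigh_put(rose_loopback_neigh), re-reading the global rather than releasing the object that was held at function entry; if the pointer has been replaced in between, the put is applied to the wrong neighbour and the one actually held leaks. Release the same local that was held. The `if (!skb) return;` to `goto out` change also means an empty queue now reaches the re-arm check; that is harmless because skb_queue_empty() is true at that point, but it deserves a sentence in the commit message since it changes the function's exit paths.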
From: Bernard Pidoux
To: netdev@vger.kernel.org
Cc: linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, Bernard Pidoux
Subject: [PATCH net 3/5] rose: fix race between loopback timer and module removal
Date: Sun, 26 Apr 2026 16:43:03 +0200
Message-ID: <20260426144305.984349-4-bernard.f6bvp@gmail.com>
In-Reply-To: <20260426144305.984349-1-bernard.f6bvp@gmail.com>
References: <20260426144305.984349-1-bernard.f6bvp@gmail.com>

rose_loopback_clear() called timer_delete() which returns immediately without waiting for any running callback to complete. If the timer fired concurrently with module removal, rose_loopback_timer() could re-arm the timer after timer_delete() returned and then access rose_loopback_neigh after it was freed.

Two complementary changes close the race:

1. Add a loopback_stopping atomic flag. rose_loopback_timer() checks it at entry (before acquiring a reference) and again inside the loop; when set it drains the queue and exits without re-arming the timer.

2. Switch rose_loopback_clear() to timer_delete_sync() so it blocks until any in-flight callback has returned before freeing resources.

The smp_mb() between setting the flag and calling timer_delete_sync() ensures the flag is visible to any callback that is about to run.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Tested-by: Bernard Pidoux
Signed-off-by: Bernard Pidoux
---
 net/rose/rose_loopback.c | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index d66913df360d..80d7879ef36a 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -12,13 +12,15 @@ #include #include =20 -static struct sk_buff_head loopback_queue; #define ROSE_LOOPBACK_LIMIT 1000 -static struct timer_list loopback_timer; =20 +static struct timer_list loopback_timer; +static struct sk_buff_head loopback_queue; static void rose_set_loopback_timer(void); static void rose_loopback_timer(struct timer_list *unused); =20 +static atomic_t loopback_stopping =3D ATOMIC_INIT(0); + void rose_loopback_init(void) { skb_queue_head_init(&loopback_queue); @@ -66,6 +68,9 @@ static void rose_loopback_timer(struct timer_list *unused) unsigned int lci_i, lci_o; int count; =20 + if (atomic_read(&loopback_stopping)) + return; + if (rose_loopback_neigh) rose_neigh_hold(rose_loopback_neigh); else @@ -75,6 +80,13 @@ static void rose_loopback_timer(struct timer_list *unuse= d) skb =3D skb_dequeue(&loopback_queue); if (!skb) goto out; + + if (atomic_read(&loopback_stopping)) { + kfree_skb(skb); + skb_queue_purge(&loopback_queue); + goto out; + } + if (skb->len < ROSE_MIN_LEN) { kfree_skb(skb); continue; @@ -118,7 +130,7 @@ static void rose_loopback_timer(struct timer_list *unus= ed) out: rose_neigh_put(rose_loopback_neigh); =20 - if (!skb_queue_empty(&loopback_queue)) + if (!atomic_read(&loopback_stopping) && !skb_queue_empty(&loopback_queue)) mod_timer(&loopback_timer, jiffies + 1); } =20 
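Review bot: The first hunk reorders the `static struct sk_buff_head loopback_queue;` and `static struct timer_list loopback_timer;` declarations around the ROSE_LOOPBACK_LIMIT define with no functional effect; for a net fix carrying a Fixes: tag, keep that hunk to the new `loopback_stopping` declaration and leave the existing lines in place so the change stays minimal and backports apply cleanly.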
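Review bot: In the in-loop stopping check, the callback purges loopback_queue itself, yet rose_loopback_clear() drains the same queue as soon as timer_delete_sync() returns, so the skb_queue_purge() here is redundant and runs while the clear path is waiting on exactly this callback; freeing the dequeued skb and jumping to `out` is enough, and dropping the purge keeps teardown in one place. The `!atomic_read(&loopback_stopping)` added to the re-arm condition still leaves a window between that read and mod_timer(); that is acceptable only because timer_delete_sync() keeps retrying until the timer is neither pending nor running, so say so in the commit message rather than presenting the flag as what prevents the re-arm.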
@@ -126,10 +138,15 @@ void __exit rose_loopback_clear(void) { struct sk_buff *skb; =20 - timer_delete(&loopback_timer); + atomic_set(&loopback_stopping, 1); + /* Pairs with atomic_read() in rose_loopback_timer(): ensure the + * stopping flag is visible before we cancel, so a concurrent + * callback aborts its loop early rather than re-arming the timer. + */ + smp_mb(); + + timer_delete_sync(&loopback_timer); =20 - while ((skb =3D skb_dequeue(&loopback_queue)) !=3D NULL) { - skb->sk =3D NULL; + while ((skb =3D skb_dequeue(&loopback_queue)) !=3D NULL) kfree_skb(skb); - } } --=20 2.51.0 From nobody Fri Jun 19 07:45:37 2026 Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B630436922D for ; Sun, 26 Apr 2026 14:43:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777214593; cv=none; b=DI2x4Laui7e6wnwWkObjpgObQZeaLUHWWDX4FF9b9h+UlEk/OyPdkk+ohyENNe9AEpiZxVk7TK1O/Bw1qIQ/R+n3e11AIFjZo1MCh3sGW9V95H8egzRyB1se0ch+LXsGT+AFJBB5KeMiv0KTuonhRdmENCwuaBh4086OY9kQ90M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777214593; c=relaxed/simple; bh=iysh4N66Tl7xoc3UugBwoFjq1QevI5EVO8XIhrhB53g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UmVkT6h1C2DPLQfS3+IClfUYHHczd32Nw+Gx6lju0SgUw8Eq2CwU0hUXFU0QDkdgyjSiIfUbYfuSUGG9CPybN/vWMMzD5KjgkYjWY7Z/lO+nshZGTCy2S/JVmNXYKuMOk+wRdviA5zZzW7hXAVbKNm86C93jo6vWXZ3p/9462BA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=obqE+cH7; arc=none smtp.client-ip=209.85.128.51 Authentication-Results: 
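Review bot: Two points on the rose_loopback_clear() hunk. First, removing `skb->sk = NULL;` before kfree_skb() is unrelated to the timer race and changes how queued skbs that still carry a socket pointer are freed; if that line is wrong or redundant it needs its own patch with the reasoning, not a silent drop inside a race fix. Second, the comment says the smp_mb() "pairs with atomic_read() in rose_loopback_timer()", but a plain atomic_read() provides no ordering, so there is nothing on the reader side for it to pair with; either use smp_store_release()/smp_load_acquire() on the flag and document that pairing, or state which synchronisation (for example the locking inside timer_delete_sync()) makes the flag visible to a callback that starts after the cancel. smp_mb() after atomic_set() is the right primitive (atomic_set() is not a read-modify-write, so smp_mb__after_atomic() would not apply), but the comment should describe what it actually guarantees.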
From: Bernard Pidoux To: netdev@vger.kernel.org Cc: linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, Bernard Pidoux Subject: [PATCH net 4/5] rose: clear neighbour pointer after rose_neigh_put() in state machines Date: Sun, 26 Apr 2026 16:43:04 +0200 Message-ID: <20260426144305.984349-5-bernard.f6bvp@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260426144305.984349-1-bernard.f6bvp@gmail.com> References: <20260426144305.984349-1-bernard.f6bvp@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" After calling rose_neigh_put() in rose_state1_machine() through rose_state5_machine(), rose->neighbour was left pointing at the potentially freed neighbour structure. A subsequent timer expiry or concurrent teardown path could dereference the stale pointer, causing a use-after-free. Set rose->neighbour to NULL immediately after each rose_neigh_put() call in the state machine functions. Fixes: d860d1faa6b2 ("net: rose: convert 'use' field to refcount_t") Tested-by: Bernard Pidoux Signed-off-by: Bernard Pidoux --- net/rose/rose_in.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/rose/rose_in.c b/net/rose/rose_in.c index 0276b393f0e5..622527f1354f 100644 --- a/net/rose/rose_in.c +++ b/net/rose/rose_in.c @@ -57,6 +57,7 @@ static int rose_state1_machine(struct sock *sk, struct sk= _buff *skb, int framety rose_write_internal(sk, ROSE_CLEAR_CONFIRMATION); rose_disconnect(sk, ECONNREFUSED, skb->data[3], skb->data[4]); rose_neigh_put(rose->neighbour); + rose->neighbour =3D NULL; break; =20 default: 
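Review bot: Clearing rose->neighbour right after rose_neigh_put() in the rose_state1_machine() hunk replaces a dangling pointer with NULL, but rose_neigh_put() itself does not tolerate NULL, so every remaining rose_neigh_put(rose->neighbour) on the same socket now needs a guard. Patch 5/5 of this series adds one only to the T3 expiry path in rose_timer_expiry(); please audit the other put sites on the socket, and reorder the series so the guarding patch lands before this one, otherwise a bisection can stop on a kernel that NULL-dereferences where it previously used a stale pointer.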
@@ -80,11 +81,13 @@ static int rose_state2_machine(struct sock *sk, struct = sk_buff *skb, int framety rose_write_internal(sk, ROSE_CLEAR_CONFIRMATION); rose_disconnect(sk, 0, skb->data[3], skb->data[4]); rose_neigh_put(rose->neighbour); + rose->neighbour =3D NULL; break; =20 case ROSE_CLEAR_CONFIRMATION: rose_disconnect(sk, 0, -1, -1); rose_neigh_put(rose->neighbour); + rose->neighbour =3D NULL; break; =20 default: @@ -122,6 +125,7 @@ static int rose_state3_machine(struct sock *sk, struct = sk_buff *skb, int framety rose_write_internal(sk, ROSE_CLEAR_CONFIRMATION); rose_disconnect(sk, 0, skb->data[3], skb->data[4]); rose_neigh_put(rose->neighbour); + rose->neighbour =3D NULL; break; =20 case ROSE_RR: @@ -235,6 +239,7 @@ static int rose_state4_machine(struct sock *sk, struct = sk_buff *skb, int framety rose_write_internal(sk, ROSE_CLEAR_CONFIRMATION); rose_disconnect(sk, 0, skb->data[3], skb->data[4]); rose_neigh_put(rose->neighbour); + rose->neighbour =3D NULL; break; =20 default: 
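Review bot: The `rose_neigh_put(rose->neighbour); rose->neighbour = NULL;` pair is now repeated at six sites across the state machines, each directly after a rose_disconnect() call. A small helper that puts and clears in one place would keep the release and the clear from drifting apart when the next site is added; the rose_state2_machine() hunk, with two branches that must both be kept in step, shows the maintenance risk.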
@@ -255,6 +260,7 @@ static int rose_state5_machine(struct sock *sk, struct = sk_buff *skb, int framety rose_write_internal(sk, ROSE_CLEAR_CONFIRMATION); rose_disconnect(sk, 0, skb->data[3], skb->data[4]); rose_neigh_put(rose_sk(sk)->neighbour); + rose_sk(sk)->neighbour =3D NULL; } =20 return 0; --=20 2.51.0 From nobody Fri Jun 19 07:45:37 2026 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 33EF236CE02 for ; Sun, 26 Apr 2026 14:43:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777214594; cv=none; b=iOOcrursR9K8BRceDGBKdNdmd+TAPbfMYwMRDos2To8LnLMsnrRbF57EeaTU7RcVD8u4mbsIpEuHf+aEcj3iNH8pxfIufHzG8wgyTi6v5qV6IdJYSlM93uVoB7nY3tVHA+WMDKvjFiLInBwxNFjeCRJgkKg51DQC7VbmNt1mR04= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777214594; c=relaxed/simple; bh=omBg6V4Fvn8LmVTYDPlZGWlmNNg8jjHRCnm2bN1y8CU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=jf7yutNp0BENtIpgvfqUUgTWp5jUZ39q7K1vSBl/7yjphQhbt88lP7ptXpAaeGuGHo5QcyasZwud5y8+9HTiElKvkjOzu0W4Uzvn4qgBdWoNO7UmrLD+lQYEji4cRff7a+ywIErVSBx1WW1Y1/nAR+fk+hu5kdW5rIyE7CIm5Ao= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=E11hbNXz; arc=none smtp.client-ip=209.85.128.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="E11hbNXz" 
From: Bernard Pidoux To: netdev@vger.kernel.org Cc: linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, Bernard Pidoux Subject: [PATCH net 5/5] rose: guard rose_neigh_put() against NULL in timer expiry Date: Sun, 26 Apr 2026 16:43:05 +0200 Message-ID: <20260426144305.984349-6-bernard.f6bvp@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260426144305.984349-1-bernard.f6bvp@gmail.com> References: <20260426144305.984349-1-bernard.f6bvp@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" In rose_timer_expiry(), the ROSE_STATE_2 branch calls rose_neigh_put(rose->neighbour) without first checking whether the pointer is NULL. After commit 5de7665e0a07 ("net: rose: fix timer races against user threads") the timer is re-armed when the socket is owned by a user thread; between the re-arm and the next firing, a device-down event or concurrent teardown via rose_kill_by_device() can set rose->neighbour to NULL, leading to a NULL-pointer dereference inside rose_neigh_put(). Add a NULL check before the put and clear the pointer afterwards. Fixes: 5de7665e0a07 ("net: rose: fix timer races against user threads") Tested-by: Bernard Pidoux Signed-off-by: Bernard Pidoux --- net/rose/rose_timer.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/rose/rose_timer.c b/net/rose/rose_timer.c index bb60a1654d61..d997d24ab081 100644 --- a/net/rose/rose_timer.c +++ b/net/rose/rose_timer.c @@ -180,7 +180,10 @@ static void rose_timer_expiry(struct timer_list *t) break; =20 case ROSE_STATE_2: /* T3 */ - rose_neigh_put(rose->neighbour); + if (rose->neighbour) { + rose_neigh_put(rose->neighbour); + rose->neighbour =3D NULL; + } rose_disconnect(sk, ETIMEDOUT, -1, -1); break; =20 --=20 2.51.0
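Review bot: The new `if (rose->neighbour)` test in the ROSE_STATE_2 branch is only sound if the paths the commit message names as competing (the device-down handling and rose_kill_by_device()) clear rose->neighbour under the same socket lock this expiry runs with; if any of them writes the pointer without it, the check can still observe a non-NULL value that is freed before rose_neigh_put() runs, so the patch narrows the window rather than closing it. State in the commit message which lock serialises those writers with rose_timer_expiry(). As a smaller point, the guard-put-clear sequence introduced here and the put-clear pairs in patch 4/5 are the same operation; a shared helper would keep them identical.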