From nobody Mon Jun 8 09:49:26 2026 Received: from m16.mail.163.com (m16.mail.163.com [220.197.31.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8ACBB30E85C; Sat, 30 May 2026 08:23:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=220.197.31.2 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780129425; cv=none; b=tkH8xb1BvxsOkp2XxFt3VNVHC1lxO9M7ONQtZzHArNH0pdo8cjxPddOLrHlA/sTEGfuTFoYVWHJy7jr6gb+chjTVZ/h+NjMcStWfXfiuzRVCWS7lH+il+5ApVA47yJa/4ZzdTdaXffHJNvJkcq20omgg9PjxqfdBDjFbaq29kp8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780129425; c=relaxed/simple; bh=LSkIBo4gDPkYTilY3gyUoXUlIQlHQI9yEaTT1JVX65A=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=Yi4U14kjl1QarMdv5TXXEfvYInqyikZK8sx8gqw02OSSPDKcgjxjH9xrWLN0Hgy0OxbR1EU/uPlLD6m19siZzYROcV+yIjdFpHv5XLBFmpRWqBVBb+G3VAXwKdPKjgsyzUalenI8KArCJcJpihOkTShMlqRR1AYbKjt2pd3JcI4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=163.com; spf=pass smtp.mailfrom=163.com; dkim=pass (1024-bit key) header.d=163.com header.i=@163.com header.b=LjFDz3GH; arc=none smtp.client-ip=220.197.31.2 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=163.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=163.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=163.com header.i=@163.com header.b="LjFDz3GH" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:To:Subject:Date:Message-Id:MIME-Version; bh=qZ 2Fjwwm5hDmCK5YhIOGAYcFdo/AIR1P2G8gCMd6Et0=; b=LjFDz3GH2vZo9QcaZw 3+ZV0QYk8KYu5Lt1hRaPpJSRqcmOOMMnM7EnzTU4nHyNmJjSAvR3mSmCS/pTOV3z lnDlt+JP7o0Xf0WTYIbfDNL8vxXQiOiELvYCaDUdgPvoHXeV5zwp39fVHAu0BtbP K/psW/J31qoNXvQwrNUsDxj0M= Received: from 163.com (unknown []) by gzga-smtp-mtada-g0-3 (Coremail) with SMTP id _____wBnJtVUnhpqr9W1AQ--.60856S2; Sat, 30 May 2026 16:22:48 +0800 (CST) From: w15303746062@163.com To: Manivannan Sadhasivam , "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni Cc: Simon Horman , Luca Weiss , Bjorn Andersson , linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mingyu Wang <25181214217@stu.xidian.edu.cn> Subject: [PATCH] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove Date: Sat, 30 May 2026 16:22:43 +0800 Message-Id: <20260530082243.1123402-1-w15303746062@163.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: _____wBnJtVUnhpqr9W1AQ--.60856S2 X-Coremail-Antispam: 1Uf129KBjvJXoW7ZF48trWrXF13WF4UWr1xXwb_yoW8KFW5pr WFyan0y34kGr1DKF48Aa18Ga48ZFyrJrZ3GFZ3Can5ZFn3AwnrZw10yr1Y9FyUCFs3JrWx ZF1DCFs09FyYyFDanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x07j5EfOUUUUU= X-CM-SenderInfo: jzrvjiatxuliiws6il2tof0z/xtbC4xjewmoanljxjAAA3s Content-Type: text/plain; charset="utf-8" From: Mingyu Wang <25181214217@stu.xidian.edu.cn> In qrtr_port_remove(), the socket reference count is decremented via __sock_put() before the port is removed from the qrtr_ports XArray and before the RCU grace period elapses. This breaks the fundamental RCU update paradigm. It exposes a race window where a concurrent RCU reader (such as qrtr_reset_ports() or qrtr_port_lookup()) can obtain a pointer to the socket from the XArray, and attempt to call sock_hold() on a socket whose reference count has already dropped to zero. This exact race condition was hit during syzkaller fuzzing, leading to the following refcount saturation warning and a potential Use-After-Free: refcount_t: saturated; leaking memory. WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xa= e/0x1d0 Modules linked in: qrtr(+) bochs drm_shmem_helper ... Call Trace: qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr] __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr] qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr] kernel_bind+0xe4/0x120 net/socket.c:3592 qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr] qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr] do_one_initcall+0xf5/0x5e0 init/main.c:1283 ... Fix this by deferring the reference count decrement until after the xa_erase() and the synchronize_rcu() complete. Furthermore, replace __sock_put() with sock_put() to ensure that the socket memory is safely freed if this happens to be the last reference, preventing memory leaks. Fixes: a365023a76f2 ("net: qrtr: combine nameservice into main module") Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> --- net/qrtr/af_qrtr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c index 7cec6a7859b0..9ddc8657f7db 100644 --- a/net/qrtr/af_qrtr.c +++ b/net/qrtr/af_qrtr.c @@ -707,13 +707,13 @@ static void qrtr_port_remove(struct qrtr_sock *ipc) if (port =3D=3D QRTR_PORT_CTRL) port =3D 0; =20 - __sock_put(&ipc->sk); - xa_erase(&qrtr_ports, port); =20 /* Ensure that if qrtr_port_lookup() did enter the RCU read section we * wait for it to up increment the refcount */ synchronize_rcu(); + + sock_put(&ipc->sk); } =20 /* Assign port number to socket. --=20 2.34.1