git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Takamitsu Iwai <takamitz@amazon.co.jp>
	Sat, 23 Aug 2025 08:58:56 +0000 (17:58 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 4 Sep 2025 13:31:51 +0000 (15:31 +0200)
commit	0085b250fcc79f900c82a69980ec2f3e1871823b
tree	b8d8907364251f4242a366ed50bdee4a4f64c383	tree \| snapshot
parent	8e88504a28743d4f0e87f6c0c6a670e66f7b6b5b	commit \| diff

net: rose: convert 'use' field to refcount_t

[ Upstream commit d860d1faa6b2ce3becfdb8b0c2b048ad31800061 ]

The 'use' field in struct rose_neigh is used as a reference counter but
lacks atomicity. This can lead to race conditions where a rose_neigh
structure is freed while still being referenced by other code paths.

For example, when rose_neigh->use becomes zero during an ioctl operation
via rose_rt_ioctl(), the structure may be removed while its timer is
still active, potentially causing use-after-free issues.

This patch changes the type of 'use' from unsigned short to refcount_t and
updates all code paths to use rose_neigh_hold() and rose_neigh_put() which
operate reference counts atomically.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Takamitsu Iwai <takamitz@amazon.co.jp>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250823085857.47674-3-takamitz@amazon.co.jp
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

include/net/rose.h		diff \| blob \| blame \| history
net/rose/af_rose.c		diff \| blob \| blame \| history
net/rose/rose_in.c		diff \| blob \| blame \| history
net/rose/rose_route.c		diff \| blob \| blame \| history
net/rose/rose_timer.c		diff \| blob \| blame \| history