git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Takamitsu Iwai <takamitz@amazon.co.jp>
	Sat, 23 Aug 2025 08:58:57 +0000 (17:58 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 4 Sep 2025 13:31:51 +0000 (15:31 +0200)
commit	d7563b456ed44151e1a82091d96f60166daea89b
tree	777323caf206abea452e2920aea056e6594a9254	tree \| snapshot
parent	0085b250fcc79f900c82a69980ec2f3e1871823b	commit \| diff

net: rose: include node references in rose_neigh refcount

[ Upstream commit da9c9c877597170b929a6121a68dcd3dd9a80f45 ]

Current implementation maintains two separate reference counting
mechanisms: the 'count' field in struct rose_neigh tracks references from
rose_node structures, while the 'use' field (now refcount_t) tracks
references from rose_sock.

This patch merges these two reference counting systems using 'use' field
for proper reference management. Specifically, this patch adds incrementing
and decrementing of rose_neigh->use when rose_neigh->count is incremented
or decremented.

This patch also modifies rose_rt_free(), rose_rt_device_down() and
rose_clear_route() to properly release references to rose_neigh objects
before freeing a rose_node through rose_remove_node().

These changes ensure rose_neigh structures are properly freed only when
all references, including those from rose_node structures, are released.
As a result, this resolves a slab-use-after-free issue reported by Syzbot.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+942297eecf7d2d61d1f1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=942297eecf7d2d61d1f1
Signed-off-by: Takamitsu Iwai <takamitz@amazon.co.jp>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250823085857.47674-4-takamitz@amazon.co.jp
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>