git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Takamitsu Iwai <takamitz@amazon.co.jp>
	Sat, 23 Aug 2025 08:58:56 +0000 (17:58 +0900)
committer	Jakub Kicinski <kuba@kernel.org>
	Wed, 27 Aug 2025 14:43:08 +0000 (07:43 -0700)
commit	d860d1faa6b2ce3becfdb8b0c2b048ad31800061
tree	a27770249cfd5066696f5bc917acf37170a632d1	tree \| snapshot
parent	dcb34659028f856c423a29ef9b4e2571d203444d	commit \| diff

net: rose: convert 'use' field to refcount_t

The 'use' field in struct rose_neigh is used as a reference counter but
lacks atomicity. This can lead to race conditions where a rose_neigh
structure is freed while still being referenced by other code paths.

For example, when rose_neigh->use becomes zero during an ioctl operation
via rose_rt_ioctl(), the structure may be removed while its timer is
still active, potentially causing use-after-free issues.

This patch changes the type of 'use' from unsigned short to refcount_t and
updates all code paths to use rose_neigh_hold() and rose_neigh_put() which
operate reference counts atomically.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Takamitsu Iwai <takamitz@amazon.co.jp>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250823085857.47674-3-takamitz@amazon.co.jp
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

include/net/rose.h		diff \| blob \| blame \| history
net/rose/af_rose.c		diff \| blob \| blame \| history
net/rose/rose_in.c		diff \| blob \| blame \| history
net/rose/rose_route.c		diff \| blob \| blame \| history
net/rose/rose_timer.c		diff \| blob \| blame \| history