git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Takamitsu Iwai <takamitz@amazon.co.jp>
	Sat, 23 Aug 2025 08:58:56 +0000 (17:58 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 4 Sep 2025 13:30:25 +0000 (15:30 +0200)
commit	f8c29fc437d03a98fb075c31c5be761cc8326284
tree	08467da8716d6a03cc98b70119d0d5e85dce2571	tree \| snapshot
parent	4998ab3eb2b8a904be2d988899fd1316ed1fdc8e	commit \| diff

net: rose: convert 'use' field to refcount_t

[ Upstream commit d860d1faa6b2ce3becfdb8b0c2b048ad31800061 ]

The 'use' field in struct rose_neigh is used as a reference counter but
lacks atomicity. This can lead to race conditions where a rose_neigh
structure is freed while still being referenced by other code paths.

For example, when rose_neigh->use becomes zero during an ioctl operation
via rose_rt_ioctl(), the structure may be removed while its timer is
still active, potentially causing use-after-free issues.

This patch changes the type of 'use' from unsigned short to refcount_t and
updates all code paths to use rose_neigh_hold() and rose_neigh_put() which
operate reference counts atomically.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Takamitsu Iwai <takamitz@amazon.co.jp>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250823085857.47674-3-takamitz@amazon.co.jp
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

include/net/rose.h		diff \| blob \| blame \| history
net/rose/af_rose.c		diff \| blob \| blame \| history
net/rose/rose_in.c		diff \| blob \| blame \| history
net/rose/rose_route.c		diff \| blob \| blame \| history
net/rose/rose_timer.c		diff \| blob \| blame \| history