git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Michael Bommarito <michael.bommarito@gmail.com>
	Wed, 13 May 2026 23:38:38 +0000 (19:38 -0400)
committer	Jakub Kicinski <kuba@kernel.org>
	Sat, 16 May 2026 01:25:26 +0000 (18:25 -0700)
commit	aaec7096f9961eb223b5b149abe9495525c205d9
tree	a7fc1c2df4f4a5fb76cfd188d8c1fb85e2e893da	tree \| snapshot
parent	ae38d9179190a956e2a87a69ef1dd6f451b51c4d	commit \| diff

net: hsr: defer node table free until after RCU readers

HSR node-list and node-status generic-netlink operations run under
rcu_read_lock(). They walk hsr->node_db through hsr_get_next_node() and
hsr_get_node_data(), but RTM_DELLINK teardown removes the same node table
with plain list_del() and frees each node immediately.

That lets a generic-netlink reader hold a struct hsr_node pointer across
hsr_dellink(). In a KASAN build, widening the reader window after
hsr_get_next_node() obtains the node reproduces a slab-use-after-free
when the reader copies node->macaddress_A; the freeing stack is
hsr_del_nodes() from hsr_dellink().

Use list_del_rcu() and defer the free through the existing
hsr_free_node_rcu() callback. This matches the lifetime rule used by the
HSR prune paths, which already delete nodes with list_del_rcu() and
call_rcu().

Fixes: b9a1e627405d ("hsr: implement dellink to clean up resources")
Cc: stable@vger.kernel.org # v5.3+
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260513233838.3064715-2-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>