Re: [PATCH net v3] net: rose: defer rose_neigh cleanup to workqueue to fix UAF

Next message: Zhang Yuwei: "[PATCH] driver core: Use mod_delayed_work to prevent lost deferred probe work"
Previous message: Carlos Bilbao: "Re: [PATCH v2] scsi: target: iscsi: reject invalid size Extended CDB AHS"
Next in thread: Mashiro Chen: "Re: [PATCH net v3] net: rose: defer rose_neigh cleanup to workqueue to fix UAF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Thu Apr 09 2026 - 22:51:04 EST

On Tue, 7 Apr 2026 01:01:25 +0800 Mashiro Chen wrote:
> rose_neigh_put() frees the rose_neigh object when the reference count
> reaches zero, but does not stop the t0timer and ftimer beforehand.
> If a timer has been scheduled and fires after the object is freed,
> the callback will access already-freed memory, leading to a
> use-after-free.

What if ROSE is built as a module and gets unloaded?

Please don't post the next version until next week, we're drowning in
these AI generated patches.
--
pw-bot: cr