Re: [PATCH net v3] net: rose: defer rose_neigh cleanup to workqueue to fix UAF

Next message: Berk Cem Goksel: "[PATCH] ALSA: 6fire: fix use-after-free on disconnect"
Previous message: Ashutosh Desai: "[PATCH] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path"
In reply to: Jakub Kicinski: "Re: [PATCH net v3] net: rose: defer rose_neigh cleanup to workqueue to fix UAF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Mashiro Chen

Date: Fri Apr 10 2026 - 01:09:31 EST

On Tue, 7 Apr 2026 Jakub Kicinski wrote:
> What if ROSE is built as a module and gets unloaded?
> Please don't post the next version until next week

Got it, I will not post any patches until next week.

I've never thought about the module unload path, this is
the point I missed in my previous patch. I will deep analysis
if the timers are properly stopped before the module is
removed. I will address this in v4 next week.

Sorry for low quality and simple analysis without auditing.

73s,
Mashiro Chen

On 4/10/26 10:49, Jakub Kicinski wrote:

On Tue, 7 Apr 2026 01:01:25 +0800 Mashiro Chen wrote:

rose_neigh_put() frees the rose_neigh object when the reference count
reaches zero, but does not stop the t0timer and ftimer beforehand.
If a timer has been scheduled and fires after the object is freed,
the callback will access already-freed memory, leading to a
use-after-free.

What if ROSE is built as a module and gets unloaded?

Please don't post the next version until next week, we're drowning in
these AI generated patches.