[PATCH net 1/5] rose: fix dev_put() leak in rose_loopback_timer()

Next message: Jonathan Cameron: "Re: [PATCH v3 1/3] iio: imu: inv_mpu6050: fix unbalanced regulator_disable calls, when probe fails"
Previous message: Bernard Pidoux: "[PATCH net 0/5] rose: fix use-after-free and reference counting bugs"
In reply to: Bernard Pidoux: "[PATCH net 0/5] rose: fix use-after-free and reference counting bugs"
Next in thread: Bernard Pidoux: "[PATCH net 2/5] rose: hold loopback neighbour reference across timer callback"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Bernard Pidoux

Date: Sun Apr 26 2026 - 10:44:10 EST

rose_rx_call_request() always consumes or returns the skb but never
releases the device reference obtained from rose_dev_get(). When
rose_rx_call_request() succeeds (returns non-zero) dev_put() was never
called, leaking one reference per loopback CALL_REQUEST.

Move dev_put() outside the conditional so it is called unconditionally
after rose_rx_call_request() in all cases.

Also remove the dead check (!rose_loopback_neigh->dev &&
!rose_loopback_neigh->loopback) that immediately precedes it: the
loopback neighbour always has loopback=1 so this condition can never
be true.

Fixes: 0453c6824595 ("net/rose: fix unbound loop in rose_loopback_timer()")
Tested-by: Bernard Pidoux <bernard.f6bvp@xxxxxxxxx>
Signed-off-by: Bernard Pidoux <bernard.f6bvp@xxxxxxxxx>
---
net/rose/rose_loopback.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index b538e39b3df5..914c8f453a1d 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -96,22 +96,15 @@ static void rose_loopback_timer(struct timer_list *unused)
}

if (frametype == ROSE_CALL_REQUEST) {
- if (!rose_loopback_neigh->dev &&
- !rose_loopback_neigh->loopback) {
- kfree_skb(skb);
- continue;
- }
-
dev = rose_dev_get(dest);
if (!dev) {
kfree_skb(skb);
continue;
}

- if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) == 0) {
- dev_put(dev);
+ if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) == 0)
kfree_skb(skb);
- }
+ dev_put(dev);
} else {
kfree_skb(skb);
}
--
2.51.0