Re: [PATCH net] net: phonet: free phonet_device after RCU grace period

Next message: Boris Brezillon: "Re: [RFC PATCH 03/18] drm/panthor: Parse and store GPU_ID fields"
Previous message: Google: "Re: [PATCH] rethook: Use tsk-&gt;on_cpu to check task execution state"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH net] net: phonet: free phonet_device after RCU grace period"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Simon Horman

Date: Mon Jun 08 2026 - 09:14:00 EST

On Wed, Jun 03, 2026 at 05:08:43PM -0700, Santosh Kalluri wrote:
> phonet_device_destroy() removes a phonet_device from the per-net device
> list with list_del_rcu(), but frees it immediately. RCU readers walking
> the same list can still hold a pointer to the object after it has been
> removed, leading to a slab-use-after-free.
>
> Use kfree_rcu(), matching the lifetime rule already used by
> phonet_address_del() for the same object type.
>
> Fixes: eeb74a9d45f7 ("Phonet: convert devices list to RCU")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Santosh Kalluri <santosh.kalluri129@xxxxxxxxx>
> Acked-by: Rémi Denis-Courmont <remi@xxxxxxxxxx>

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>