Re: [PATCH v2] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove

Next message: patchwork-bot+netdevbpf: "Re: [PATCH net] net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list"
Previous message: Fenglin Wu: "Re: [PATCH] leds: rgb: leds-qcom-lpg: Fix LED color balancing in HW pattern mode"
In reply to: Simon Horman: "Re: [PATCH v2] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Mon Jun 08 2026 - 22:00:28 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Thu, 4 Jun 2026 14:48:01 +0800 you wrote:
> From: Mingyu Wang <25181214217@xxxxxxxxxxxxxxxxx>
>
> In qrtr_port_remove(), the socket reference count is decremented via
> __sock_put() before the port is removed from the qrtr_ports XArray and
> before the RCU grace period elapses.
>
> This breaks the fundamental RCU update paradigm. It exposes a race
> window where a concurrent RCU reader (such as qrtr_reset_ports() or
> qrtr_port_lookup()) can obtain a pointer to the socket from the XArray,
> and attempt to call sock_hold() on a socket whose reference count has
> already dropped to zero.
>
> [...]

Here is the summary with links:
- [v2] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
https://git.kernel.org/netdev/net/c/a2171131ecda

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html