Re: [PATCH net v3] tipc: fix use-after-free of the discoverer in tipc_disc_rcv()

Next message: Yuanshen Cao: "[PATCH v2 1/5] dmaengine: sun6i-dma: Refactor to support A733 interrupt and register handling"
Previous message: srinivas pandruvada: "Re: [PATCH v1] cpufreq: intel_pstate: Skip HWP_CAP reads in Broadwell mode"
In reply to: Tung Quang Nguyen: "RE: [PATCH net v3] tipc: fix use-after-free of the discoverer in tipc_disc_rcv()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Sun Jun 21 2026 - 17:40:53 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Wed, 17 Jun 2026 21:57:45 +0800 you wrote:
> bearer_disable() frees b->disc with tipc_disc_delete()'s plain kfree(),
> but tipc_disc_rcv() still dereferences b->disc in RX softirq under
> rcu_read_lock() (tipc_udp_recv -> tipc_rcv -> tipc_disc_rcv).
>
> L2 bearers are safe thanks to the synchronize_net() in
> tipc_disable_l2_media(), but the UDP bearer defers that call to the
> cleanup_bearer() workqueue, so the discoverer is freed with no grace
> period:
>
> [...]

Here is the summary with links:
- [net,v3] tipc: fix use-after-free of the discoverer in tipc_disc_rcv()
https://git.kernel.org/netdev/net/c/1579342d7113

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html