net: hsr: defer node table free until after RCU readers - wireguard-linux

diff options

author	Michael Bommarito <michael.bommarito@gmail.com>	2026-05-13 19:38:38 -0400
committer	Jakub Kicinski <kuba@kernel.org>	2026-05-15 18:25:26 -0700
commit	aaec7096f9961eb223b5b149abe9495525c205d9 (patch)
tree	a7fc1c2df4f4a5fb76cfd188d8c1fb85e2e893da /include/linux/bcma/ssh:/git@git.zx2c4.com
parent	vsock/virtio: fix zerocopy completion for multi-skb sends (diff)

net: hsr: defer node table free until after RCU readers

HSR node-list and node-status generic-netlink operations run under rcu_read_lock(). They walk hsr->node_db through hsr_get_next_node() and hsr_get_node_data(), but RTM_DELLINK teardown removes the same node table with plain list_del() and frees each node immediately. That lets a generic-netlink reader hold a struct hsr_node pointer across hsr_dellink(). In a KASAN build, widening the reader window after hsr_get_next_node() obtains the node reproduces a slab-use-after-free when the reader copies node->macaddress_A; the freeing stack is hsr_del_nodes() from hsr_dellink(). Use list_del_rcu() and defer the free through the existing hsr_free_node_rcu() callback. This matches the lifetime rule used by the HSR prune paths, which already delete nodes with list_del_rcu() and call_rcu(). Fixes: b9a1e627405d ("hsr: implement dellink to clean up resources") Cc: stable@vger.kernel.org # v5.3+ Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Link: https://patch.msgid.link/20260513233838.3064715-2-michael.bommarito@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Diffstat (limited to 'include/linux/bcma/ssh:/git@git.zx2c4.com')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: