| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251204090905.28663-1-junjie.cao@intel.com> Date: Thu, 4 Dec 2025 17:09:03 +0800 From: Junjie Cao <junjie.cao@...el.com> To: pabeni@...hat.com, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, syzbot+14afda08dc3484d5db82@...kaller.appspotmail.com Cc: horms@...nel.org, linux-hams@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com, stable@...r.kernel.org, junjie.cao@...el.com Subject: [PATCH v2 0/2] netrom: fix deadlock and refcount leak in nr_rt_device_down Hi, syzbot reported a circular locking dependency in the NET/ROM routing code involving nr_neigh_list_lock, nr_node_list_lock and nr_node->node_lock when nr_rt_device_down() interacts with the ioctl path. This series fixes that deadlock and also addresses a long-standing reference count leak found while auditing the same code. Patch 1/2 refactors nr_rt_device_down() to avoid nested locking between nr_neigh_list_lock and nr_node_list_lock by doing two separate passes over nodes and neighbours, and adjusts nr_rt_free() to follow the same lock ordering. Patch 2/2 fixes a per-route reference count leak by dropping nr_neigh->count and calling nr_neigh_put() when removing routes from nr_rt_device_down(), mirroring the behaviour of nr_dec_obs()/nr_del_node(). [1] https://syzkaller.appspot.com/bug?extid=14afda08dc3484d5db82 Thanks, Junjie
Powered by blists - more mailing lists