On Wed, Dec 3, 2025 at 12:57 AM Minseong Kim ii4gsp@gmail.com wrote:
> The global QoS list 'qos_head' in net/atm/mpc.c is accessed from the /proc/net/atm/mpc procfs interface without proper synchronization. The read-side seq_file show path (mpc_show() -> atm_mpoa_disp_qos()) walks qos_head without any lock, while the write-side path (proc_mpc_write() -> parse_qos() -> atm_mpoa_delete_qos()) can unlink and kfree() entries immediately. Concurrent read/write therefore leads to a use-after-free.
>
> This risk is already called out in-tree: /* this is buggered - we need locking for qos_head */
>
> Fix this by adding a mutex to protect all qos_head list operations. A mutex is used (instead of a spinlock) because atm_mpoa_disp_qos() invokes seq_printf(), which may sleep.
>
> The fix:
> - Adds qos_mutex protecting qos_head
> - Introduces __atm_mpoa_search_qos() requiring the mutex
> - Serializes add/search/delete/show/cleanup on qos_head
> - Re-checks qos_head under lock in add path to avoid duplicates under concurrent additions
> - Uses a single-exit pattern in delete for clarity
>
> Note: atm_mpoa_search_qos() still returns an unprotected pointer; callers must ensure the entry is not freed while using it, or hold qos_mutex.
>
> Reported-by: Minseong Kim ii4gsp@gmail.com
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Minseong Kim ii4gsp@gmail.com
Thanks for the patch.
Unfortunately it got mangled when you mailed it : https://patchwork.kernel.org/project/netdevbpf/patch/CAKrymDR1X3XTX_1ZW3XXXn...
Documentation/process/submitting-patches.rst might be helpful, especially the part about git send-email.
Thanks.
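The locking pattern the patch description above lays out, as an added userspace model written for this page; it is not the submitted patch and not kernel code. It keeps the mpc.c names (qos_head, qos_mutex, __atm_mpoa_search_qos(), atm_mpoa_add_qos(), atm_mpoa_delete_qos(), atm_mpoa_disp_qos()) but the struct layout, the pthread mutex standing in for the kernel mutex, the caller-supplied buffer standing in for seq_printf(), the atm_mpoa_get_qos() copy-out helper and the two-thread race driver are assumptions made for the example. The show path walks the list under the mutex, the add path re-checks under the lock before inserting, delete unlinks under the lock and frees only an entry no reader can still reach, and the one helper that hands back a pointer requires the caller to hold the lock.

```c
/* Added example: userspace model of the qos_head locking from the patch
 * description above. Not kernel code; names mirror net/atm/mpc.c, the
 * rest (struct layout, pthread mutex, buffer instead of seq_printf,
 * race driver) is assumed for illustration.
 * Build: cc -std=gnu11 -pthread -fsanitize=address qos_lock.c
 */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct atm_mpoa_qos {
	uint32_t ipaddr;            /* lookup key, as in the kernel struct */
	int qos_value;              /* assumed stand-in for the real qos payload */
	struct atm_mpoa_qos *next;
};

static struct atm_mpoa_qos *qos_head;
static pthread_mutex_t qos_mutex = PTHREAD_MUTEX_INITIALIZER;

/* Caller must hold qos_mutex; the pointer is valid only while it does. */
static struct atm_mpoa_qos *__atm_mpoa_search_qos(uint32_t dst_ip)
{
	struct atm_mpoa_qos *qos;

	for (qos = qos_head; qos; qos = qos->next)
		if (qos->ipaddr == dst_ip)
			return qos;
	return NULL;
}

/* Safe lookup for callers that cannot hold the lock: copy the value out
 * under the mutex instead of returning the (unprotected) entry pointer. */
static int atm_mpoa_get_qos(uint32_t dst_ip, int *value)
{
	struct atm_mpoa_qos *qos;
	int found = 0;

	pthread_mutex_lock(&qos_mutex);
	qos = __atm_mpoa_search_qos(dst_ip);
	if (qos) {
		*value = qos->qos_value;
		found = 1;
	}
	pthread_mutex_unlock(&qos_mutex);
	return found;
}

/* Add or update. The search is redone under the lock so two concurrent
 * adders cannot both miss and both insert the same ipaddr. */
static struct atm_mpoa_qos *atm_mpoa_add_qos(uint32_t dst_ip, int value)
{
	struct atm_mpoa_qos *entry;

	pthread_mutex_lock(&qos_mutex);
	entry = __atm_mpoa_search_qos(dst_ip);
	if (entry) {
		entry->qos_value = value;
		goto out;
	}
	entry = calloc(1, sizeof(*entry));
	if (!entry)
		goto out;
	entry->ipaddr = dst_ip;
	entry->qos_value = value;
	entry->next = qos_head;
	qos_head = entry;
out:
	pthread_mutex_unlock(&qos_mutex);
	return entry;
}

/* Single exit: unlink under the lock, free once no walker can reach it. */
static int atm_mpoa_delete_qos(uint32_t dst_ip)
{
	struct atm_mpoa_qos **pp, *victim = NULL;

	pthread_mutex_lock(&qos_mutex);
	for (pp = &qos_head; *pp; pp = &(*pp)->next) {
		if ((*pp)->ipaddr == dst_ip) {
			victim = *pp;
			*pp = victim->next;
			break;
		}
	}
	pthread_mutex_unlock(&qos_mutex);
	free(victim);
	return victim != NULL;
}

/* Show path: the walk and the "printing" both happen under the mutex,
 * which is why a sleeping lock rather than a spinlock is needed in the
 * kernel. Returns the number of entries written. */
static int atm_mpoa_disp_qos(char *buf, size_t len)
{
	struct atm_mpoa_qos *qos;
	size_t off = 0;
	int n = 0;

	pthread_mutex_lock(&qos_mutex);
	for (qos = qos_head; qos; qos = qos->next, n++) {
		int w = snprintf(buf + off, len - off, "%08x qos=%d\n",
				 qos->ipaddr, qos->qos_value);
		if (w > 0)
			off = (size_t)w < len - off ? off + (size_t)w : len;
	}
	pthread_mutex_unlock(&qos_mutex);
	return n;
}

static int atm_mpoa_qos_count(void)
{
	struct atm_mpoa_qos *qos;
	int n = 0;

	pthread_mutex_lock(&qos_mutex);
	for (qos = qos_head; qos; qos = qos->next)
		n++;
	pthread_mutex_unlock(&qos_mutex);
	return n;
}

static void atm_mpoa_cleanup_qos(void)
{
	struct atm_mpoa_qos *qos, *next;

	pthread_mutex_lock(&qos_mutex);
	for (qos = qos_head; qos; qos = next) {
		next = qos->next;
		free(qos);
	}
	qos_head = NULL;
	pthread_mutex_unlock(&qos_mutex);
}

/* Race driver (assumed): one thread adds and deletes like proc_mpc_write(),
 * one thread shows like mpc_show(). Run under ASan; with the locking in
 * place it is clean, which is the property the patch restores. */
#define RACE_ITERS 20000
static void *writer_fn(void *arg)
{
	(void)arg;
	for (int i = 0; i < RACE_ITERS; i++) {
		uint32_t ip = 0x0a000000u | (uint32_t)(i % 16);
		atm_mpoa_add_qos(ip, i);
		atm_mpoa_delete_qos(ip);
	}
	return NULL;
}

static void *reader_fn(void *arg)
{
	char buf[1024];
	for (int i = 0; i < RACE_ITERS; i++)
		atm_mpoa_disp_qos(buf, sizeof buf);
	return arg;
}

/* Returns 0 when both threads finish and the list is empty afterwards. */
static int atm_mpoa_race_test(void)
{
	pthread_t w, r;

	if (pthread_create(&w, NULL, writer_fn, NULL))
		return -1;
	if (pthread_create(&r, NULL, reader_fn, NULL))
		return -1;
	pthread_join(w, NULL);
	pthread_join(r, NULL);
	atm_mpoa_cleanup_qos();
	return atm_mpoa_qos_count() == 0 ? 0 : -1;
}

int main(void)
{
	char buf[256];

	atm_mpoa_add_qos(0x0a000001u, 5);
	atm_mpoa_disp_qos(buf, sizeof buf);
	fputs(buf, stdout);
	printf("race test: %s\n", atm_mpoa_race_test() == 0 ? "ok" : "FAILED");
	return 0;
}
```

The unfixed show path is the same loop without the lock and unlock around it; deleting the freed entry's successor from another thread while that loop is on it is exactly the use-after-free the report describes, and ASan will flag it in this model if the two calls are made unlocked. Note that atm_mpoa_get_qos() is the example's answer to the caveat in the message about the unprotected pointer: copy what you need out under the mutex rather than keep the pointer after unlocking.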