On Mon, 20 Oct 2025 21:34:56 +0800, Lizhi Xu wrote:
> > Task0					Task1						Task2
> > =====					=====						=====
> > [97] nr_add_node()
> > [113] nr_neigh_get_dev()		[97] nr_add_node()
> > 					[214] nr_node_lock()
> > 					[245] nr_node->routes[2].neighbour->count--
> > 					[246] nr_neigh_put(nr_node->routes[2].neighbour);
> > 					[248] nr_remove_neigh(nr_node->routes[2].neighbour)
> > 					[283] nr_node_unlock()
> > [214] nr_node_lock()
> > [253] nr_node->routes[2].neighbour = nr_neigh
> > [254] nr_neigh_hold(nr_neigh);							[97] nr_add_node()
> > 											[XXX] nr_neigh_put()
> >                                                                                         ^^^^^^^^^^^^^^^^^^^^
> > 
> > These charts are supposed to be chronological so [XXX] is wrong because the
> > use after free happens on line [248].  Do we really need three threads to
> > make this race work?
> The UAF problem occurs in Task2. Task1 sets the refcount of nr_neigh to 1,
> then Task0 adds it to routes[2]. Task2 releases routes[2].neighbour after
> executing [XXX]nr_neigh_put().
Execution Order:
1 -> Task0
[113] nr_neigh_get_dev() // After execution, the refcount value is 3

2 -> Task1
[246] nr_neigh_put(nr_node->routes[2].neighbour);   // After execution, the refcount value is 2
[248] nr_remove_neigh(nr_node->routes[2].neighbour) // After execution, the refcount value is 1

3 -> Task0
[253] nr_node->routes[2].neighbour = nr_neigh       // nr_neigh's refcount value is 1 and add it to routes[2]

4 -> Task2
[XXX] nr_neigh_put(nr_node->routes[2].neighbour)    // After execution, neighhour is freed
if (nr_node->routes[2].neighbour->count == 0 && !nr_node->routes[2].neighbour->locked)  // Uaf occurs this line when accessing neighbour->count

BR,
Lizhi