On Mon, 20 Oct 2025 15:25:40 +0300, Dan Carpenter wrote:
> Task0					Task1						Task2
> =====					=====						=====
> [97] nr_add_node()
> [113] nr_neigh_get_dev()		[97] nr_add_node()
> 					[214] nr_node_lock()
> 					[245] nr_node->routes[2].neighbour->count--
> 					[246] nr_neigh_put(nr_node->routes[2].neighbour);
> 					[248] nr_remove_neigh(nr_node->routes[2].neighbour)
> 					[283] nr_node_unlock()
> [214] nr_node_lock()
> [253] nr_node->routes[2].neighbour = nr_neigh
> [254] nr_neigh_hold(nr_neigh);							[97] nr_add_node()
> 											[XXX] nr_neigh_put()
>                                                                                         ^^^^^^^^^^^^^^^^^^^^
> 
> These charts are supposed to be chronological so [XXX] is wrong because the
> use after free happens on line [248].  Do we really need three threads to
> make this race work?
The UAF problem occurs in Task2. Task1 sets the refcount of nr_neigh to 1,
then Task0 adds it to routes[2]. Task2 releases routes[2].neighbour after
executing [XXX]nr_neigh_put().

BR,
Lizhi