Hi,

On Tue, Jun 9, 2026 at 4:03 AM Yizhou Zhao <[email protected]> wrote:
>
> lowpan_nhc_do_uncompression() looks up an NHC descriptor while holding
> lowpan_nhc_lock. If the descriptor has no uncompress callback, the error
> path drops the lock before printing nhc->name.
>
> lowpan_nhc_del() removes descriptors under the same lock and then relies
> on synchronize_net() before the owning module can be unloaded. That only
> waits for net RX RCU readers. lowpan_header_decompress() is also exported
> and can be reached from callers that are not necessarily covered by the net
> core RX critical section, for example the Bluetooth 6LoWPAN L2CAP receive
> path.
>
> This leaves a race where one task drops lowpan_nhc_lock in the error path,
> another task unregisters and frees the matching descriptor after
> synchronize_net() returns, and the first task then dereferences nhc->name
> for the warning.
>
> With the post-unlock window widened, KASAN reports:
>
>   BUG: KASAN: slab-use-after-free in lowpan_nhc_do_uncompression+0x1f4/0x220
>   Read of size 8
>   lowpan_nhc_do_uncompression
>   lowpan_header_decompress
>
> Fix this by printing the warning before dropping lowpan_nhc_lock, so the
> descriptor name is read while unregister is still excluded. The malformed
> packet is still rejected with -ENOTSUPP.
>
> Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface")
> Cc: [email protected]
> Reported-by: Yizhou Zhao <[email protected]>
> Reported-by: Yuxiang Yang <[email protected]>
> Reported-by: Ao Wang <[email protected]>
> Reported-by: Xuewei Feng <[email protected]>
> Reported-by: Qi Li <[email protected]>
> Reported-by: Ke Xu <[email protected]>
> Assisted-by: GLM:GLM-5.1
> Signed-off-by: Yizhou Zhao <[email protected]>

looks good. Thanks.

Acked-by: Alexander Aring <[email protected]>

- Alex
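The ordering described in the quoted commit message (read the descriptor's name while the lock is still held, then unlock), as an added userspace C model that is not part of this thread or of the kernel patch. The names desc, desc_add, desc_del and do_uncompress are hypothetical; a pthread mutex stands in for lowpan_nhc_lock and ENOTSUP for the kernel's ENOTSUPP.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
/* Userspace model; every name below is hypothetical, not a kernel symbol. */
struct desc {
    char name[32];                      /* freed together with the descriptor */
    int (*uncompress)(const unsigned char *buf, size_t len);
};
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static struct desc *table[256];         /* indexed by a one-byte id */

static int desc_add(unsigned char id, const char *name)
{
    struct desc *d = calloc(1, sizeof(*d));
    if (!d) return -ENOMEM;
    snprintf(d->name, sizeof(d->name), "%s", name);
    pthread_mutex_lock(&table_lock);
    free(table[id]);                    /* replace any earlier entry */
    table[id] = d;
    pthread_mutex_unlock(&table_lock);
    return 0;
}

static void desc_del(unsigned char id)
{
    pthread_mutex_lock(&table_lock);
    struct desc *d = table[id];
    table[id] = NULL;
    pthread_mutex_unlock(&table_lock);
    free(d);                            /* after this, d->name is gone */
}

/* All reads through d happen before the unlock, so desc_del() cannot free
 * the descriptor while its name is being formatted into warn. */
static int do_uncompress(unsigned char id, const unsigned char *buf,
                         size_t len, char *warn, size_t warnlen)
{
    int ret = -ENOENT;
    pthread_mutex_lock(&table_lock);
    struct desc *d = table[id];
    if (d && !d->uncompress) {
        snprintf(warn, warnlen, "%s: no uncompress support", d->name);
        ret = -ENOTSUP;                 /* stand-in for kernel ENOTSUPP */
    } else if (d) {
        ret = d->uncompress(buf, len);
    }
    pthread_mutex_unlock(&table_lock);
    return ret;
}
```

Moving the snprintf() below the unlock reproduces the window the commit message describes: a concurrent desc_del() could free d between the unlock and the read of d->name.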

