[PATCH v2 net 0/3] Introduce refcount_t for reference counting of rose_neigh
From: Takamitsu Iwai <hidden>
Date: 2025-08-23 09:00:24
Also in: linux-hams

The current implementation of rose_neigh uses the 'use' and 'count' fields of
type unsigned short as a reference count. This approach lacks atomicity,
leading to potential race conditions. As a result, syzbot has reported
slab-use-after-free errors due to unintended removals.

This series introduces refcount_t for reference counting to ensure
atomicity and prevent race conditions. The patches are structured as
follows:

1. Refactor rose_remove_neigh() to separate removal and freeing operations
2. Convert 'use' field to refcount_t for appropriate reference counting
3. Include references from rose_node to 'use' field

These changes should resolve the reported slab-use-after-free issues and
improve the overall stability of the ROSE network layer.

Changes:
v2:
- Added rose_neigh_put() in error paths of rose_connect() to prevent
reference count leaks that could occur after moving the reference
count increment to rose_get_neigh().
- Added rose_neigh_put() at the end of rose_route_frame() to properly
release the temporary reference held by new_neigh variable when
the function completes.
- Added rose_neigh_hold() in the second for loop of rose_get_neigh()
to maintain consistent reference counting behavior between both loops.
v1:
https://lore.kernel.org/all/20250820174707.83372-1-takamitz@amazon.co.jp/

Takamitsu Iwai (3):
net: rose: split remove and free operations in rose_remove_neigh()
net: rose: convert 'use' field to refcount_t
net: rose: include node references in rose_neigh refcount

include/net/rose.h    | 18 ++++++++++++-
net/rose/af_rose.c    | 13 ++++-----
net/rose/rose_in.c    | 12 ++++-----
net/rose/rose_route.c | 62 ++++++++++++++++++++++++++-----------------
net/rose/rose_timer.c |  2 +-
5 files changed, 69 insertions(+), 38 deletions(-)

--
2.39.5 (Apple Git-154)
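As an added illustration, not code from the patch series: a userspace C model of the split the cover letter describes, where rose_remove_neigh() only unlinks the neighbour and drops the list's reference, and the object is freed by whichever rose_neigh_put() releases the last one. Names are borrowed from the cover letter; C11 atomics stand in for refcount_t, and the list, the allocation helper, the scenario and its return values are constructed assumptions for the demo.

```c
#include <stdatomic.h>
#include <stdlib.h>

struct rose_neigh {          /* userspace stand-in; names mirror the series */
	struct rose_neigh *next; /* link in the neighbour list */
	atomic_int use;          /* plays the role of refcount_t */
};
static struct rose_neigh *rose_neigh_list;
static void rose_neigh_hold(struct rose_neigh *n)
{
	atomic_fetch_add_explicit(&n->use, 1, memory_order_relaxed);
}
static int rose_neigh_put(struct rose_neigh *n) /* returns 1 if it freed n */
{
	if (atomic_fetch_sub_explicit(&n->use, 1, memory_order_acq_rel) != 1)
		return 0;
	free(n); /* last reference gone: only now is the memory released */
	return 1;
}

static struct rose_neigh *rose_neigh_alloc(void)
{
	struct rose_neigh *n = calloc(1, sizeof(*n));
	if (!n) return NULL;
	atomic_init(&n->use, 1); /* the list's own reference */
	n->next = rose_neigh_list;
	rose_neigh_list = n;
	return n;
}

static void rose_remove_neigh(struct rose_neigh *n) /* unlink + drop list ref; never frees */
{
	for (struct rose_neigh **pp = &rose_neigh_list; *pp; pp = &(*pp)->next)
		if (*pp == n) {
			*pp = n->next;
			rose_neigh_put(n);
			return;
		}
}

/* A connection holds the neighbour while the route table drops it. */
static int scenario_hold_across_remove(void)
{
	struct rose_neigh *n = rose_neigh_alloc();
	rose_neigh_hold(n);   /* e.g. a connection took a ref via rose_get_neigh() */
	rose_remove_neigh(n); /* unlinked, but must stay allocated */
	int left = atomic_load(&n->use); /* 1: still safe to touch */
	return rose_neigh_put(n) ? left : -1; /* the last user frees it */
}
```

With the old unsigned short counter, the remove step could free the object while the connection still held it; here the free is deferred to the last put, which is the property the series restores.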