Commit f7cf8ece authored Apr 11, 2026 by Zhengchuan Liang Committed by Paolo Abeni Apr 14, 2026

net: caif: clear client service pointer on teardown



`caif_connect()` can tear down an existing client after remote shutdown by
calling `caif_disconnect_client()` followed by `caif_free_client()`.
`caif_free_client()` releases the service layer referenced by
`adap_layer->dn`, but leaves that pointer stale.

When the socket is later destroyed, `caif_sock_destructor()` calls
`caif_free_client()` again and dereferences the freed service pointer.

Clear the client/service links before releasing the service object so
repeated teardown becomes harmless.

Fixes: 43e36921 ("caif: Move refcount from service layer to sock and dev.")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/9f3d37847c0037568aae698ca23cd47c6691acb0.1775897577.git.zcliangcn@gmail.com


Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent fe72340d

net/caif/cfsrvl.c

+12 −2

Original line number	Diff line number	Diff line
		@@ -191,10 +191,20 @@ bool cfsrvl_phyid_match(struct cflayer *layer, int phyid)

		void caif_free_client(struct cflayer *adap_layer)
		{
		struct cflayer *serv_layer;
		struct cfsrvl *servl;
		if (adap_layer == NULL \|\| adap_layer->dn == NULL)

		if (!adap_layer)
		return;

		serv_layer = adap_layer->dn;
		if (!serv_layer)
		return;
		servl = container_obj(adap_layer->dn);

		layer_set_dn(adap_layer, NULL);
		layer_set_up(serv_layer, NULL);

		servl = container_obj(serv_layer);
		servl->release(&servl->layer);
		}
		EXPORT_SYMBOL(caif_free_client);