From: Leon Romanovsky <leonro@nvidia.com>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: <kuba@kernel.org>, <bpf@vger.kernel.org>,
<netdev@vger.kernel.org>,
"Martin KaFai Lau" <martin.lau@kernel.org>,
<syzbot+376a289e86a0fd02b9ba@syzkaller.appspotmail.com>
Subject: Re: [PATCH net-next] tcx: Fix splat during dev unregister
Date: Sun, 30 Jul 2023 12:31:28 +0300
Message-ID: <20230730093128.GA94048@unreal>
In-Reply-To: <222255fe07cb58f15ee662e7ee78328af5b438e4.1690549248.git.daniel@iogearbox.net>
On Fri, Jul 28, 2023 at 11:47:17PM +0200, Daniel Borkmann wrote:
> From: Martin KaFai Lau <martin.lau@kernel.org>
>
> During unregister_netdevice_many_notify(), the ordering of our concerned
> function calls is like this:
>
>   unregister_netdevice_many_notify
>     dev_shutdown
>       qdisc_put
>         clsact_destroy
>     tcx_uninstall
>
> The syzbot reproducer triggered a case that the qdisc refcnt is not
> zero during dev_shutdown().
>
> tcx_uninstall() will then WARN_ON_ONCE(tcx_entry(entry)->miniq_active)
> because the miniq is still active and the entry should not be freed.
> The latter assumed that qdisc destruction happens before tcx teardown.
>
> This fix is to avoid tcx_uninstall() doing tcx_entry_free() when the
> miniq is still alive and let the clsact_destroy() do the free later, so
> that we do not assume any specific ordering for either of them.
>
> If still active, tcx_uninstall() does clear the entry when flushing out
> the prog/link. clsact_destroy() will then notice the "!tcx_entry_is_active()"
> and then does the tcx_entry_free() eventually.
>
> Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support")
> Reported-by: syzbot+376a289e86a0fd02b9ba@syzkaller.appspotmail.com
> Reported-by: Leon Romanovsky <leonro@nvidia.com>
> Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
> Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Tested-by: syzbot+376a289e86a0fd02b9ba@syzkaller.appspotmail.com
> ---
> [ Sending directly to net-next given the issue was reported there by Leon. ]
>
> include/linux/bpf_mprog.h | 16 ++++++++++++++++
> kernel/bpf/tcx.c | 12 ++++++++----
> 2 files changed, 24 insertions(+), 4 deletions(-)
>
Thanks,
Tested-by: Leon Romanovsky <leonro@nvidia.com>
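
Added example, not part of this thread or of the kernel patch: a userspace C model of the ownership rule the quoted commit message describes, where whichever teardown path runs last frees the entry. The names model_entry, model_tcx_uninstall, model_clsact_destroy and run_teardown are hypothetical stand-ins and the structure layout is an assumption.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical userspace model; not the kernel's data structures. */
struct model_entry {
	int  nprogs;        /* attached progs/links (tcx side) */
	bool miniq_active;  /* clsact qdisc still uses the entry */
};
static int frees;           /* how many times the entry was released */

static bool model_is_active(const struct model_entry *e)
{
	return e->nprogs > 0 || e->miniq_active;
}
static void model_free(struct model_entry **slot)
{
	free(*slot);
	*slot = NULL;
	frees++;
}
/* tcx side: flush progs, free only if the qdisc side is already gone. */
static void model_tcx_uninstall(struct model_entry **slot)
{
	struct model_entry *e = *slot;
	if (!e)
		return;
	e->nprogs = 0;                  /* clear the entry */
	if (!e->miniq_active)
		model_free(slot);       /* otherwise clsact frees it later */
}
/* qdisc side: drop the miniq, free only if nothing else is active. */
static void model_clsact_destroy(struct model_entry **slot)
{
	struct model_entry *e = *slot;
	if (!e)
		return;
	e->miniq_active = false;
	if (!model_is_active(e))
		model_free(slot);
}
/* Run both teardown paths in the given order; return the free count. */
static int run_teardown(bool tcx_first)
{
	struct model_entry *e = calloc(1, sizeof(*e));
	if (!e)
		return -1;
	e->nprogs = 2;                  /* constructed sample state */
	e->miniq_active = true;
	frees = 0;
	if (tcx_first) { model_tcx_uninstall(&e); model_clsact_destroy(&e); }
	else           { model_clsact_destroy(&e); model_tcx_uninstall(&e); }
	return e ? -1 : frees;          /* -1 would mean a leak */
}
```

Either order releases the entry exactly once, which is the property the commit message asks for by not assuming qdisc destruction happens before tcx teardown.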