From: Simon Horman <horms@kernel.org>
To: Breno Leitao <leitao@debian.org>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Shuah Khan <shuah@kernel.org>,
david decotigny <decot@googlers.com>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
linux-kselftest@vger.kernel.org, asantostc@gmail.com,
efault@gmx.de, calvin@wbinvd.org, kernel-team@meta.com,
stable@vger.kernel.org, jv@jvosburgh.net
Subject: Re: [PATCH net v3 1/3] netpoll: fix incorrect refcount handling causing incorrect cleanup
Date: Mon, 8 Sep 2025 11:12:56 +0100
Message-ID: <20250908101256.GA2015@horms.kernel.org>
In-Reply-To: <20250905-netconsole_torture-v3-1-875c7febd316@debian.org>

On Fri, Sep 05, 2025 at 10:25:07AM -0700, Breno Leitao wrote:
> commit efa95b01da18 ("netpoll: fix use after free") incorrectly
> ignored the refcount and prematurely set dev->npinfo to NULL during
> netpoll cleanup, leading to improper behavior and memory leaks.
>
> Scenario causing lack of proper cleanup:
>
> 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is
> allocated, and refcnt = 1
> - Keep in mind that npinfo is shared among all netpoll instances. In
> this case, there is just one.
>
> 2) Another netpoll is also associated with the same NIC and
> npinfo->refcnt += 1.
> - Now dev->npinfo->refcnt = 2;
> - There is just one npinfo associated to the netdev.
>
> 3) When the first netpoll goes to clean up:
> - The first cleanup succeeds and clears np->dev->npinfo, ignoring
> refcnt.
> - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`
> - Set dev->npinfo = NULL, without proper cleanup
> - ->ndo_netpoll_cleanup() is not called either
>
> 4) Now the second target tries to clean up
> - The second cleanup fails because np->dev->npinfo is already NULL.
> * In this case, ops->ndo_netpoll_cleanup() was never called, and
> the skb pool is not cleaned as well (for the second netpoll
> instance)
> - This leaks npinfo and skbpool skbs, which is clearly reported by
> kmemleak.
>
> Revert commit efa95b01da18 ("netpoll: fix use after free") and add
> clarifying comments emphasizing that npinfo cleanup should only happen
> once the refcount reaches zero, ensuring stable and correct netpoll
> behavior.
>
> Cc: stable@vger.kernel.org
> Cc: jv@jvosburgh.net
> Fixes: efa95b01da18 ("netpoll: fix use after free")
> Signed-off-by: Breno Leitao <leitao@debian.org>

Reviewed-by: Simon Horman <horms@kernel.org>
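
The leak scenario from the quoted commit message, as a small userspace C model added here for illustration; it is not code from the patch or from the kernel. `struct netdev`, `np_setup()`, `np_cleanup()` and `two_netpolls()` are hypothetical stand-ins, and counters take the place of real allocation and of the driver's `->ndo_netpoll_cleanup()` callback.

```c
#include <stdio.h>

/* Userspace model with hypothetical names; not the kernel's own structures. */
struct npinfo { int refcnt; };
struct netdev { struct npinfo *npinfo, slot; int live_npinfo, driver_cleanups; };
struct netpoll { struct netdev *dev; };

/* Steps 1-2: the first netpoll "allocates" the shared npinfo, later ones take a ref. */
static void np_setup(struct netpoll *np, struct netdev *dev)
{
    np->dev = dev;
    if (!dev->npinfo) {
        dev->npinfo = &dev->slot;    /* stands in for the allocation */
        dev->live_npinfo++;
    }
    dev->npinfo->refcnt++;
}

/* ignore_refcnt=1 models steps 3-4; 0 tears down only on the last reference. */
static void np_cleanup(struct netpoll *np, int ignore_refcnt)
{
    struct npinfo *npinfo = np->dev->npinfo;
    if (!npinfo)
        return;                      /* step 4: second cleanup stops here */
    if (--npinfo->refcnt == 0) {
        np->dev->driver_cleanups++;  /* stands in for ->ndo_netpoll_cleanup() */
        np->dev->npinfo = NULL;
        np->dev->live_npinfo--;      /* stands in for freeing npinfo */
    } else if (ignore_refcnt) {
        np->dev->npinfo = NULL;      /* step 3: cleared while refcnt is still 1 */
    }
}

static void two_netpolls(struct netdev *dev, int ignore_refcnt)
{
    struct netpoll a, b;             /* two netpolls sharing one device */
    np_setup(&a, dev);
    np_setup(&b, dev);
    np_cleanup(&a, ignore_refcnt);
    np_cleanup(&b, ignore_refcnt);
}

int main(void)
{
    struct netdev buggy = {0}, fixed = {0};
    two_netpolls(&buggy, 1);
    two_netpolls(&fixed, 0);
    printf("leaked: buggy=%d fixed=%d\n", buggy.live_npinfo, fixed.live_npinfo);
    return 0;
}
```

With the refcount ignored, the model ends with one npinfo still live and no driver cleanup call, which is the state the commit message says kmemleak reports.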