From: Jakub Kicinski <kuba@kernel.org>
To: Florian Westphal <fw@strlen.de>
Cc: Shigeru Yoshida <syoshida@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Phil Sutter <phil@nwl.cc>,
	syzbot+5a66db916cdde0dbcc1c@syzkaller.appspotmail.com,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Subject: Re: [PATCH net] net: flow_offload: protect driver_block_list in flow_block_cb_setup_simple()
Date: Thu, 12 Feb 2026 18:34:47 -0800
Message-ID: <20260212183447.2d577f5b@kernel.org>
In-Reply-To: <aYxw2CpxOKLh1wOz@strlen.de>

On Wed, 11 Feb 2026 13:06:48 +0100 Florian Westphal wrote:
> Shigeru Yoshida <syoshida@redhat.com> wrote:
> > syzbot reported a list_del corruption in flow_block_cb_setup_simple(). [0]
> > 
> > flow_block_cb_setup_simple() accesses the driver_block_list (e.g.,
> > netdevsim's nsim_block_cb_list) without any synchronization. The
> > nftables offload path calls into this function via ndo_setup_tc while
> > holding the per-netns commit_mutex, but this mutex does not prevent
> > concurrent access from tasks in different network namespaces that
> > share the same driver_block_list, leading to list corruption:
> > 
> > - Task A (FLOW_BLOCK_BIND) calls list_add_tail() to insert a new
> >   flow_block_cb into driver_block_list.
> > 
> > - Task B (FLOW_BLOCK_UNBIND) concurrently calls list_del() on another
> >   flow_block_cb from the same list.  
> 
> Looking at the *upper layer*, I don't think it expected drivers to use
> a single global list for this but something that is scoped to the
> net_device.

Maybe subjective but the fix seems a little off to me.
Isn't flow_block_cb_setup_simple() just a "simple" implementation
for reuse in drivers; locking in there doesn't really guarantee much?

If we think netdevsim is doing something odd, let's make it work
like real drivers.

TBH I thought block setup was always under rtnl_lock.

Thread overview: 8+ messages
2026-02-08 11:00 [PATCH net] net: flow_offload: protect driver_block_list in flow_block_cb_setup_simple() Shigeru Yoshida
2026-02-11 12:06 ` Florian Westphal
2026-02-13  2:34   ` Jakub Kicinski [this message]
2026-02-13 11:30     ` Florian Westphal
2026-02-13 16:17       ` Jakub Kicinski
2026-02-15 13:06         ` Florian Westphal
2026-02-17 11:42           ` Pablo Neira Ayuso
2026-02-17 22:05             ` Jakub Kicinski
