From: Jakub Kicinski <kuba@kernel.org>
To: Tristan Madani <tristmd@gmail.com>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Simon Horman <horms@kernel.org>,
netdev@vger.kernel.org, stable@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: shaper: use kfree_rcu() in net_shaper_flush()
Date: Thu, 28 May 2026 11:34:05 -0700
Message-ID: <20260528113405.34a87c54@kernel.org>
In-Reply-To: <20260528160845.2636043-1-tristan@talencesecurity.com>
On Thu, 28 May 2026 16:08:45 +0000 Tristan Madani wrote:
> net_shaper_flush() frees shaper objects with plain kfree() after
> xa_erase(), but net_shaper_nl_get_doit() and net_shaper_nl_get_dumpit()
> read shaper objects under rcu_read_lock() via xa_load(). This creates a
> use-after-free window where an RCU reader may still hold a pointer to a
> shaper object that has been freed.
>
> The race is:
>
>   CPU 0 (reader)                      CPU 1 (flush/unregister)
>   rcu_read_lock()
>   shaper = xa_load(...)               xa_lock()
>   // shaper points to valid obj       __xa_erase(...)
>                                       kfree(shaper)  <- frees immediately
>   net_shaper_fill_one(shaper)         xa_unlock()
>   // use-after-free
>   rcu_read_unlock()
>
> Other code paths in the same file already use kfree_rcu() correctly
> (net_shaper_pre_insert error path, net_shaper_notify_down,
> net_shaper_cap_pair_update, and net_shaper_rollback as of commit
> b8d7519352ba). The struct net_shaper already contains an rcu_head field.
>
> Fix by replacing kfree() with kfree_rcu() in net_shaper_flush() to
> defer freeing until after the RCU grace period.
>
> Found by source code audit.
No, the device is fully invisible at this point.
Please don't send fixes unless you can actually trigger the crash.
--
pw-bot: reject
pv-bot: slop