From: Ihor Solodrai <ihor.solodrai@linux.dev>
To: Jesper Dangaard Brouer <hawk@kernel.org>, netdev@vger.kernel.org
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-team@cloudflare.com
Subject: Re: [PATCH net V1] veth: prevent NULL pointer dereference in veth_xdp_rcv
Date: Wed, 11 Jun 2025 09:00:49 -0700 [thread overview]
Message-ID: <3beaf713-a08d-42d9-8543-c6df4ce4215b@linux.dev> (raw)
In-Reply-To: <174964557873.519608.10855046105237280978.stgit@firesoul>
On 6/11/25 5:40 AM, Jesper Dangaard Brouer wrote:
> The veth peer device is RCU protected, but when the peer device gets
> deleted (veth_dellink) then the pointer is assigned NULL (via
> RCU_INIT_POINTER).
>
> This patch adds a necessary NULL check in veth_xdp_rcv when accessing
> the veth peer net_device.
>
> This fixes a bug introduced in commit dc82a33297fc ("veth: apply qdisc
> backpressure on full ptr_ring to reduce TX drops"). The bug is a race
> and only triggers when having inflight packets on a veth that is being
> deleted.
>
> Reported-by: Ihor Solodrai <ihor.solodrai@linux.dev>
> Closes: https://lore.kernel.org/all/fecfcad0-7a16-42b8-bff2-66ee83a6e5c4@linux.dev/
> Reported-by: syzbot+c4c7bf27f6b0c4bd97fe@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/683da55e.a00a0220.d8eae.0052.GAE@google.com/
> Fixes: dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to reduce TX drops")
> Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
> ---
> Commit dc82a33297fc have reached Linus'es tree in v6.16-rc1~132^2~208^2.
> Thus, we can correct this before the release of v6.16.
>
> drivers/net/veth.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/veth.c b/drivers/net/veth.c
> index e58a0f1b5c5b..a3046142cb8e 100644
> --- a/drivers/net/veth.c
> +++ b/drivers/net/veth.c
> @@ -909,7 +909,7 @@ static int veth_xdp_rcv(struct veth_rq *rq, int budget,
>
> /* NAPI functions as RCU section */
> peer_dev = rcu_dereference_check(priv->peer, rcu_read_lock_bh_held());
> - peer_txq = netdev_get_tx_queue(peer_dev, queue_idx);
> + peer_txq = peer_dev ? netdev_get_tx_queue(peer_dev, queue_idx) : NULL;
>
> for (i = 0; i < budget; i++) {
> void *ptr = __ptr_ring_consume(&rq->xdp_ring);
> @@ -959,7 +959,7 @@ static int veth_xdp_rcv(struct veth_rq *rq, int budget,
> rq->stats.vs.xdp_packets += done;
> u64_stats_update_end(&rq->stats.syncp);
>
> - if (unlikely(netif_tx_queue_stopped(peer_txq)))
> + if (peer_txq && unlikely(netif_tx_queue_stopped(peer_txq)))
> netif_tx_wake_queue(peer_txq);
>
> return done;
>
>
Acked-by: Ihor Solodrai <ihor.solodrai@linux.dev>
Thank you!
next prev parent reply other threads:[~2025-06-11 16:01 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-25 14:55 [PATCH net-next V7 0/2] veth: qdisc backpressure and qdisc check refactor Jesper Dangaard Brouer
2025-04-25 14:55 ` [PATCH net-next V7 1/2] net: sched: generalize check for no-queue qdisc on TX queue Jesper Dangaard Brouer
2025-04-25 14:55 ` [PATCH net-next V7 2/2] veth: apply qdisc backpressure on full ptr_ring to reduce TX drops Jesper Dangaard Brouer
2025-04-26 5:40 ` Toshiaki Makita
2025-06-09 22:09 ` Ihor Solodrai
2025-06-10 11:43 ` Jesper Dangaard Brouer
2025-06-10 15:56 ` Jesper Dangaard Brouer
2025-06-10 18:26 ` Ihor Solodrai
2025-06-10 21:40 ` Jesper Dangaard Brouer
2025-06-11 0:25 ` Ihor Solodrai
2025-06-11 7:40 ` Jesper Dangaard Brouer
2025-06-11 12:40 ` [PATCH net V1] veth: prevent NULL pointer dereference in veth_xdp_rcv Jesper Dangaard Brouer
2025-06-11 16:00 ` Ihor Solodrai [this message]
2025-06-12 15:20 ` patchwork-bot+netdevbpf
2025-10-17 16:09 ` [PATCH net-next V7 2/2] veth: apply qdisc backpressure on full ptr_ring to reduce TX drops Jesper Dangaard Brouer
2025-04-28 22:20 ` [PATCH net-next V7 0/2] veth: qdisc backpressure and qdisc check refactor patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3beaf713-a08d-42d9-8543-c6df4ce4215b@linux.dev \
--to=ihor.solodrai@linux.dev \
--cc=bpf@vger.kernel.org \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=hawk@kernel.org \
--cc=kernel-team@cloudflare.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.