From: Simon Horman <horms@kernel.org>
To: Petr Machata <petrm@nvidia.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
netdev@vger.kernel.org, Ido Schimmel <idosch@nvidia.com>,
mlxsw@nvidia.com, Jiri Pirko <jiri@resnulli.us>
Subject: Re: [PATCH net 2/3] mlxsw: spectrum_router: Fix neighbour use-after-free
Date: Wed, 3 Dec 2025 17:55:19 +0000 [thread overview]
Message-ID: <aTB5h090Hu9BHFJ1@horms.kernel.org> (raw)
In-Reply-To: <92d75e21d95d163a41b5cea67a15cd33f547cba6.1764695650.git.petrm@nvidia.com>
On Tue, Dec 02, 2025 at 06:44:12PM +0100, Petr Machata wrote:
> From: Ido Schimmel <idosch@nvidia.com>
>
> We sometimes observe use-after-free when dereferencing a neighbour [1].
> The problem seems to be that the driver stores a pointer to the
> neighbour, but without holding a reference on it. A reference is only
> taken when the neighbour is used by a nexthop.
>
> Fix by simplifying the reference counting scheme. Always take a
> reference when storing a neighbour pointer in a neighbour entry. Avoid
> taking a referencing when the neighbour is used by a nexthop as the
> neighbour entry associated with the nexthop already holds a reference.
>
> Tested by running the test that uncovered the problem over 300 times.
> Without this patch the problem was reproduced after a handful of
> iterations.
...
> Fixes: 6cf3c971dc84 ("mlxsw: spectrum_router: Add private neigh table")
> Signed-off-by: Ido Schimmel <idosch@nvidia.com>
> Reviewed-by: Petr Machata <petrm@nvidia.com>
> Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
...
next prev parent reply other threads:[~2025-12-03 17:55 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-02 17:44 [PATCH net 0/3] mlxsw: Three (m)router fixes Petr Machata
2025-12-02 17:44 ` [PATCH net 1/3] mlxsw: spectrum_router: Fix possible neighbour reference count leak Petr Machata
2025-12-03 17:54 ` Simon Horman
2025-12-02 17:44 ` [PATCH net 2/3] mlxsw: spectrum_router: Fix neighbour use-after-free Petr Machata
2025-12-03 17:55 ` Simon Horman [this message]
2025-12-02 17:44 ` [PATCH net 3/3] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Petr Machata
2025-12-03 17:55 ` Simon Horman
2025-12-05 3:20 ` [PATCH net 0/3] mlxsw: Three (m)router fixes patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aTB5h090Hu9BHFJ1@horms.kernel.org \
--to=horms@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=idosch@nvidia.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=mlxsw@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=petrm@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.