From: Breno Leitao <leitao@debian.org>
To: Jakub Kicinski <kuba@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Amerigo Wang <amwang@redhat.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
vlad.wing@gmail.com, asantostc@gmail.com, kernel-team@meta.com,
stable@vger.kernel.org
Subject: Re: [PATCH net] netpoll: fix a use-after-free on shutdown path
Date: Thu, 25 Jun 2026 03:55:58 -0700 [thread overview]
Message-ID: <aj0HCBYX97SydzlW@gmail.com>
In-Reply-To: <20260624192513.33023e54@kernel.org>
On Wed, Jun 24, 2026 at 07:25:13PM -0700, Jakub Kicinski wrote:
> On Mon, 22 Jun 2026 08:01:23 -0700 Breno Leitao wrote:
> > + * synchronize_net() does not protect the worker
> > + * (queue_process() is not an RCU reader). It fences the
> > + * senders -- the real RCU readers -- so they cannot re-arm
> > + * tx_work after the np->dev->npinfo was set to NULL.
> > + */
> > + synchronize_net();
> > + cancel_delayed_work_sync(&npinfo->tx_work);
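Review bot: the comment at the top of the hunk says the senders cannot re-arm tx_work once np->dev->npinfo is NULL, but cancel_delayed_work_sync() on its own does nothing to stop a later re-arm, so the correctness of this pair rests entirely on synchronize_net() fencing every sender first. disable_delayed_work_sync() makes any subsequent queue_delayed_work() on the item a no-op, which removes that dependency along with the need for the comment explaining it.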
>
> Maybe we can avoid the sync_net and the comment by using
> disable_delayed_work_sync() ?
I've been thinking about it, and I think you have a good point.
queue_process() is the only place that takes npinfo without RCU
protection.
This is what is happening right now:
CPU0 {
    run tx_work (queue_process())
    npinfo = container_of()...
    while {
        A: dequeue skb from the txq
        try to send
    }
}

CPU 1 {
    call_rcu() -> rcu_cleanup_netpoll_info()
    np->dev->npinfo, NULL
    B: kfree(npinfo);
}
Then, if B happens before A, we have the UAF. That said, if we make sure
that tx_work() is done, then we are OK with rcu_cleanup_netpoll_info.
I am not totally sure if the order of pointer zeroing and disabling
tx work is important, but it doesn't seem so; any order would be OK
for:
RCU_INIT_POINTER(np->dev->npinfo, NULL);
disable_delayed_work_sync(&npinfo->tx_work);
Given that npinfo is not read inside queue_process(), the order doesn't
matter.
Thanks for the point, I will update.
--breno
---
pw-bot: cr
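A toy model of the interleaving discussed in this thread, added here as an example and not code from the patch or the kernel: the workqueue calls are replaced by flag updates on a model work item (the model_* functions, uaf_reachable() and the teardown enum are all assumed names), and it checks whether the worker can still reach npinfo after kfree() when teardown uses cancel_delayed_work_sync() without synchronize_net() versus disable_delayed_work_sync().

```c
#include <stdbool.h>

/* Toy model of the teardown race discussed above, not kernel code: each
 * workqueue call is reduced to a flag update on the work item, and "freed"
 * stands in for memory that kfree(npinfo) has already released. */
struct npinfo { bool freed; };
struct delayed_work {
	struct npinfo *npinfo; /* what queue_process() recovers via container_of() */
	bool pending;          /* armed, worker has not consumed it yet */
	bool disabled;         /* disable_delayed_work_sync() was called */
};
/* queue_delayed_work(): arms the item, but is a no-op once it is disabled. */
static bool model_queue_delayed_work(struct delayed_work *w)
{
	if (w->disabled)
		return false;
	w->pending = true;
	return true;
}
/* cancel_delayed_work_sync(): drops the pending run but allows re-arming. */
static void model_cancel_delayed_work_sync(struct delayed_work *w) { w->pending = false; }
/* disable_delayed_work_sync(): cancels and blocks every later re-arm. */
static void model_disable_delayed_work_sync(struct delayed_work *w)
{
	w->pending = false;
	w->disabled = true;
}
/* queue_process(): true if the worker read npinfo after kfree (the UAF). */
static bool model_queue_process(struct delayed_work *w)
{
	if (!w->pending)
		return false;
	w->pending = false;
	return w->npinfo->freed; /* "dequeue skb from the txq" reads npinfo */
}
enum teardown { TEARDOWN_CANCEL, TEARDOWN_DISABLE };
/* One interleaving with no synchronize_net(): teardown on CPU1, a late sender
 * re-arms tx_work, kfree() runs (B), then the worker on CPU0 runs (A). */
bool uaf_reachable(enum teardown how)
{
	struct npinfo info = { .freed = false };
	struct delayed_work tx_work = { .npinfo = &info };
	model_queue_delayed_work(&tx_work);       /* armed by an earlier send */
	if (how == TEARDOWN_CANCEL)
		model_cancel_delayed_work_sync(&tx_work);
	else
		model_disable_delayed_work_sync(&tx_work);
	model_queue_delayed_work(&tx_work);       /* late sender re-arms */
	info.freed = true;                        /* B: kfree(npinfo) */
	return model_queue_process(&tx_work);     /* A: worker dequeues */
}
```

With the cancel variant the late re-arm succeeds and the worker dereferences freed npinfo; with the disable variant the re-arm is refused, which is why the fence becomes unnecessary.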
Thread overview: 4+ messages
2026-06-22 15:01 [PATCH net] netpoll: fix a use-after-free on shutdown path Breno Leitao
2026-06-23 4:05 ` Pavan Chebbi
2026-06-25 2:25 ` Jakub Kicinski
2026-06-25 10:55 ` Breno Leitao [this message]