From: Paolo Abeni <pabeni@redhat.com>
To: Weiming Shi <bestswngs@gmail.com>,
Subash Abhinov Kasiviswanathan
<subash.a.kasiviswanathan@oss.qualcomm.com>,
Sean Tranchetti <sean.tranchetti@oss.qualcomm.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org, Xiang Mei <xmei5@asu.edu>
Subject: Re: [PATCH] net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink()
Date: Thu, 14 May 2026 12:59:23 +0200
Message-ID: <eb06cfd2-6ee4-475d-bafd-9331b879692e@redhat.com>
In-Reply-To: <20260511120015.2298403-4-bestswngs@gmail.com>
On 5/11/26 2:00 PM, Weiming Shi wrote:
> From: Security Analysis <xmei5@asu.edu>
>
> rmnet_dellink() removes the endpoint from the hash table with
> hlist_del_init_rcu() and then immediately frees it with kfree(). However,
> RCU readers on the receive path (rmnet_rx_handler ->
> __rmnet_map_ingress_handler) may still hold a reference to the endpoint and
> dereference ep->egress_dev after the memory has been freed. The endpoint is
> a kmalloc-32 object, and the stale read at offset 8 corresponds to the
> egress_dev pointer.
>
> BUG: unable to handle page fault for address: ffffffffde942eef
> Oops: 0002 [#1] SMP NOPTI
> CPU: 1 UID: 0 PID: 137 Comm: poc_write Not tainted 7.0.0+ #4 PREEMPTLAZY
> RIP: 0010:rmnet_vnd_rx_fixup (rmnet_vnd.c:27)
> Call Trace:
> <TASK>
> __rmnet_map_ingress_handler (rmnet_handlers.c:48 rmnet_handlers.c:101)
> rmnet_rx_handler (rmnet_handlers.c:129 rmnet_handlers.c:235)
> __netif_receive_skb_core.constprop.0 (net/core/dev.c:6096)
> __netif_receive_skb_one_core (net/core/dev.c:6208)
> netif_receive_skb (net/core/dev.c:6467)
> tun_get_user (drivers/net/tun.c:1955)
> tun_chr_write_iter (drivers/net/tun.c:2003)
> vfs_write (fs/read_write.c:688)
> ksys_write (fs/read_write.c:740)
> </TASK>
>
> Replace kfree() with kfree_rcu_mightsleep() so the endpoint memory remains
> valid through the RCU grace period. Also remove the rmnet_vnd_dellink() call
> and inline only the nr_rmnet_devs decrement, since rmnet_vnd_dellink() would
> set ep->egress_dev to NULL during the grace period, creating a data race with
> lockless readers.
>
> Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
> Assisted-by: Claude:claude-opus-4-7
> Reported-by: Xiang Mei <xmei5@asu.edu>
> Signed-off-by: Weiming Shi <bestswngs@gmail.com>
SoB tag must match the 'From' header, and must be a real name, likely
'From' should be fixed.
Also you must specify the target tree in the subj prefix ('net' in this
case).
Please have an accurate read of
Documentation/process/maintainer-netdev.rst
before submitting the next revision.
> ---
> drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
> index 269c0449760c..2e17a43aec5a 100644
> --- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
> +++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
> @@ -213,8 +213,8 @@ static void rmnet_dellink(struct net_device *dev, struct list_head *head)
> ep = rmnet_get_endpoint(real_port, mux_id);
> if (ep) {
> hlist_del_init_rcu(&ep->hlnode);
> - rmnet_vnd_dellink(mux_id, real_port, ep);
> - kfree(ep);
> + real_port->nr_rmnet_devs--;
> + kfree_rcu_mightsleep(ep);
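Review bot: the `+ kfree_rcu_mightsleep(ep);` line runs while rmnet_dellink() holds rtnl, and that single-argument variant can fall back to synchronize_rcu() and block for a full grace period, so every endpoint teardown can stall every other rtnl user; adding a `struct rcu_head` member to `struct rmnet_endpoint` and calling the two-argument `kfree_rcu(ep, <rcu_member>)` defers the free without sleeping. Separately, the hunk drops `rmnet_vnd_dellink()` and keeps only `real_port->nr_rmnet_devs--;`, which means `ep->egress_dev` stays populated for the whole grace period on purpose; the changelog's "data race" sentence says why the NULL store was removed, but it should also state why a reader that still dereferences `ep->egress_dev` in that window (the exact window this patch is about) is safe to touch the device being unlinked, since the hunk itself no longer contains anything that documents that assumption.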
This is under the rtnl lock and will wait for an rcu grace period, which
is bad for rtnl lock contention. Please add an rcu field to `struct
rmnet_endpoint` and use kfree_rcu() instead.
/P