[PATCH] net-shapers: free rollback entries using kfree_rcu

[PATCH] net-shapers: free rollback entries using kfree_rcu

[Kangzheng Gu]

net_shaper_rollback() removes NET_SHAPER_NOT_VALID entries and frees
them using kfree(), which can race with net_shaper_nl_get_dumpit() and
lead to a use-after-free in net_shaper_fill_one().

Use kfree_rcu() instead of kfree() to free rollback entries, since
net_shaper_nl_get_dumpit() protects shaper access with rcu_read_lock().

Cc: stable@vger.kernel.org
Fixes: 93954b40f6a4 ("net-shapers: implement NL set and delete operations")
Signed-off-by: Kangzheng Gu <xiaoguai0992@gmail.com>
---
 net/shaper/shaper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c
index 94bc9c7382ea..8922f7f64768 100644
--- a/net/shaper/shaper.c
+++ b/net/shaper/shaper.c
@@ -434,7 +434,7 @@ static void net_shaper_rollback(struct net_shaper_binding *binding)
 	xa_for_each_marked(&hierarchy->shapers, index, cur,
 			   NET_SHAPER_NOT_VALID) {
 		__xa_erase(&hierarchy->shapers, index);
-		kfree(cur);
+		kfree_rcu(cur, rcu);
 	}
 	xa_unlock(&hierarchy->shapers);
 }
-- 
2.50.1

Re: [PATCH] net-shapers: free rollback entries using kfree_rcu

[Jakub Kicinski]

On Sat, 28 Mar 2026 18:58:04 +0000 Kangzheng Gu wrote:
> net_shaper_rollback() removes NET_SHAPER_NOT_VALID entries and frees
> them using kfree(), which can race with net_shaper_nl_get_dumpit() and
> lead to a use-after-free in net_shaper_fill_one().
> 
> Use kfree_rcu() instead of kfree() to free rollback entries, since
> net_shaper_nl_get_dumpit() protects shaper access with rcu_read_lock().

If dump can see NOT_VALID entries we have a bigger problem than a UAF
don't you think? :/

Re: [PATCH] net-shapers: free rollback entries using kfree_rcu

[Kangzheng Gu]

Hi,

Jakub Kicinski <kuba@kernel.org> 于2026年3月31日周二 09:15写道：
> If dump can see NOT_VALID entries we have a bigger problem than a UAF
> don't you think? :/
I am not sure. My concern is whether the NOT_VALID can be exposed to
user by design.
I find that NOT_VALID is used in limited place.
A representative one is that net_shaper_nl_get_doit calling
net_shaper_lookup to check the NOT_VALID flag.
If it is a problem, maybe there are more paths that should be guarded
with NOT_VALID check.

I use the kfree_rcu since net_shaper_pre_insert has another failing
path like this:
    xa_lock(&hierarchy->shapers);
    prev = __xa_store(&hierarchy->shapers, index, cur, GFP_KERNEL);
    __xa_set_mark(&hierarchy->shapers, index, NET_SHAPER_NOT_VALID);
    xa_unlock(&hierarchy->shapers);
    if (xa_err(prev)) {
        NL_SET_ERR_MSG(extack, "Can't insert shaper into device store");
        kfree_rcu(cur, rcu);
        ret = xa_err(prev);
        goto free_id;
    }

Beside rollback, I also find another kfree(cur) in net_shaper_flush,
which I reported several weeks ago to security@kernel:
        <CAKvcANOZufuVeDqPAuMWh0GCiV5pGmmZHrRo_V+_8YSG7Cs_ag@mail.gmail.com>
It involves another free of shaper using kfree instead of kfree_rcu, I
think it is also a problem.
I noticed this patch
https://patchwork.kernel.org/project/netdevbpf/patch/20260309173450.538026-1-p@1g4.org/,
but it seems that there is no further progress on it.
Except in rollback and flush, all other frees of shaper uses
kfree_rcu, so I think that it maybe just the problem of free rather
than the flag.

Best Regards,
Kangzheng

Re: [PATCH] net-shapers: free rollback entries using kfree_rcu

[Jakub Kicinski]

On Tue, 31 Mar 2026 15:41:28 +0800 Kangzheng Gu wrote:
> Jakub Kicinski <kuba@kernel.org> 于2026年3月31日周二 09:15写道：
> > If dump can see NOT_VALID entries we have a bigger problem than a UAF
> > don't you think? :/  
> I am not sure.

Please experiment and return once you are sure.
netdevsim (netdev simulator) driver supports net_shapers, so you can
easily exercise this code in a VM.

Re: [PATCH] net-shapers: free rollback entries using kfree_rcu

[Paul Moses]

> I noticed this patch
> https://patchwork.kernel.org/project/netdevbpf/patch/20260309173450.538026-1-p@1g4.org/,
> but it seems that there is no further progress on it.

> Please experiment and return once you are sure.
> netdevsim (netdev simulator) driver supports net_shapers, so you can
> easily exercise this code in a VM.
>

Unfortunately in the case of shaper.c, netdevsim only implemented stubs 
that return 0, so it's a not a 1:1 representation of the physical drivers.
The rollback path specifically is not reliably reachable with netdevsim,
whereas it looks like a proper trigger with real hardware.