From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-qk1-f181.google.com (mail-qk1-f181.google.com [209.85.222.181])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id CB3223B9618
	for <linux-kernel@vger.kernel.org>; Wed, 13 May 2026 23:38:54 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.181
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778715536; cv=none; b=eParCbj9ERyTFj4sXSv8M2bgU563tu+FEchJ02jjyCRWv3u/lCmfu5rs9y0Hh3I1C4lCl9Y3zgFSG0yokRRhO1Jc+QJSYm9GNoXthiB7cL+Rdhk6LoEdPibGixI6Da6TjXURibFL6PCDfSkTnsFuuYxaAJXiJYb7Y8VC8MJbN4Y=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778715536; c=relaxed/simple;
	bh=oBAEVZATeASbH0nhe5drMl+9AytTIzOltLbIrseS608=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=gps7bdPBVqKPCp/lSd9cJ+OZNij/MJbamx42YsJR1VhJLjldPFVh5xyysb4KmQDo9Jx3kEFa+gFfmrixsaab9bcD3/J7ZlUauOEc30ARy2pZJIKBcjMGLDYaiqyANaKbE++H15R3Egb7ln3MYhpzzAa91z4RpBr2H7J/eh3PkTo=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=pTdYvx5M; arc=none smtp.client-ip=209.85.222.181
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="pTdYvx5M"
Received: by mail-qk1-f181.google.com with SMTP id af79cd13be357-90caad2e944so308128485a.2
        for <linux-kernel@vger.kernel.org>; Wed, 13 May 2026 16:38:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1778715534; x=1779320334; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=tPQGmLtEe0WJuWlk4o1gxSupMduAnwXuzQSwzyxZi4M=;
        b=pTdYvx5MO4zbPeh/PcIK5Gh1pZTloEHd+8KGbwCGZJj5Vopexg0esPVevrd7hZ3ens
         FBRnqm/cFBM77WHWpAvTsbuxe8G73LNFOuE8cS5wlrkgpkp7UhpfiKeYu+G3+fLKRPvY
         M+9uwmmfhBqnZbTBAXqLMd6CI8BbkvwOay11E8vabUCnUga8GczhJSMWiL7ZAbsAxGWN
         t5syL1QGav+fokBHNbx825t8KNxMD4mZ3+J0S3BB4mMWbo9pYfUeiYrph+Er+OzPvBz6
         b9B/IfWlkEF80jgrvJgyDU76QmC2jhLgE5nrrMNbdke81ELQH9U+LNSlDsuezWxXI7cz
         +nmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778715534; x=1779320334;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=tPQGmLtEe0WJuWlk4o1gxSupMduAnwXuzQSwzyxZi4M=;
        b=DO1HXeMtxhuiqXbw95uaqemHVaQ2N7gKeW0tar3Jfd8Xjoi6lblZNejSrH2yuidP5K
         rrkb0hU5d1XLOzEdkauIkFdN5yfOyXxzQEtIjJtpQcdZPcD2ZexYTTog+Zx4hAoiHs/S
         LiUM7mfB4Rh6Dv3Np4Xol5+PmpJ6h3Q5qGT6GL50W45I1omnKbT+vJbm0F6DrT0PPFVl
         eDvmqlLRV6JGKbdQDBzyN+6CkBrVo3DI/JyGQB7ld3BcFMdDwVXryuzYQkN0rITLo6Dk
         +bTCerEFB6k/4bqvLB9KokG01844bkhKNBaHqr2fPJLEztkIGIYcuob5QYUltzIuPm1k
         bLNA==
X-Forwarded-Encrypted: i=1; AFNElJ+PIIarPxkBjGDxeEs4uJRiXiCrakFyCTFnCw19fHapXalaHmBHAUc8dRELnQMmUhZR7xzfkWeTaJ+Ws1Y=@vger.kernel.org
X-Gm-Message-State: AOJu0Yy/cjby0G0cza3I1BReSig/6cj9TN9GC8ZBAWHV9cvyRFoSNeCd
	QUFr5D2xOAgSNoxTj8OMKlb5Zd4DkChUHzfY1+TXEVtjkzfVH8Sdg4vN
X-Gm-Gg: Acq92OF0FfIgozqnoPwsvBt72wdibc+vfpjjh8pNjL08i7pfxAvajOWZWgcCk4cvnil
	PoVc1j8kfCuC2oDQ6adhrGPq12e2b9xruud1+KA5xYqU06Xmf1mlKqlZz4Ha7YFeYtQaAuETHbv
	v2Lpf8XAUgHz+N+ZvPwTjHYRbAV6tmHInSyXHMnJSrLEqvBQ27XjO4lCiMc/EdyYscB5INkG4q/
	6x9vKe1LdlsDs1xXKFf+8AdNw88Ss9t64hMrwXvnuDgLEeGgVMcH2UystzcVwxxm7rkP57ADM3y
	5MWgM/rGmkdvMRaxWwKKAZhYWjx81MLgpmZ96pLNh6ZnyIWg/zOPD6HcwvNp3s7hzaRcmtdqmPx
	bQerPE4inmlwrC7+8vXz4oC+BgeMlEwB4IK4IjdUaVTWtWloU6vNColT4IKMpPvrtDyXLc3FySa
	8z89vrBkLIiGN9TaYG6kZrXDTyb6Lc7rRL1N8flMAxUrkpwEh/wcu/bCu3hrevs2s1UIyUFCTir
	/oXvsn1T5g/wbQakE+huSFZ3VFZWg3ZWVZjk7tZfU4=
X-Received: by 2002:a05:620a:1a1a:b0:8e4:ebbb:b162 with SMTP id af79cd13be357-90fab222fedmr756739285a.9.1778715533884;
        Wed, 13 May 2026 16:38:53 -0700 (PDT)
Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54])
        by smtp.gmail.com with ESMTPSA id af79cd13be357-910baf2236fsm94186085a.20.2026.05.13.16.38.52
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 13 May 2026 16:38:53 -0700 (PDT)
From: Michael Bommarito <michael.bommarito@gmail.com>
To: "David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	netdev@vger.kernel.org
Cc: Felix Maurer <fmaurer@redhat.com>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	Luka Gejak <luka.gejak@linux.dev>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	Kexin Sun <kexinsun@smail.nju.edu.cn>,
	stable@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH net 0/1] net: hsr: fix node-table UAF on device teardown
Date: Wed, 13 May 2026 19:38:37 -0400
Message-ID: <20260513233838.3064715-1-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Hi,

HSR generic-netlink node-list/status readers walk hsr->node_db under
rcu_read_lock(), but RTM_DELLINK teardown frees the same node table
immediately via plain list_del() + kfree(). A reader that has already
obtained a struct hsr_node can race hsr_dellink() and dereference
freed node memory.

The patch below uses list_del_rcu() and the existing
hsr_free_node_rcu() callback in hsr_del_nodes(). The HSR prune paths
already use this lifetime rule for the same node_db.

Reproduction.

  The natural reader window between hsr_get_next_node() acquiring
  a node and ether_addr_copy() consuming it is short, so I widened
  it with a temporary udelay() in hsr_get_next_node() and
  hsr_get_node_data() (debug-only, not in this submission). Under
  x86_64 KVM with KASAN, an in-netns RTM_NEWLINK / parallel-readers
  / RTM_DELLINK loop then produces:

    BUG: KASAN: slab-use-after-free in hsr_get_next_node+0x1db/0x350
    Read of size 6 at addr ffff888009e6f290 by task hsr_genl_spam/...
    Freed by task ip:
      hsr_del_nodes+0x144/0x250
      hsr_dellink+0x6c/0x90
      rtnl_dellink+...

  The reader walks node_db under rcu_read_lock() while hsr_dellink()
  -> hsr_del_nodes() removes and immediately frees the entries.

  Without the artificial widening the race is still real but the
  observable window is ns-to-us scale, which is presumably why
  syzbot has not flagged it in the open. The fix is the same
  either way: honour the RCU lifetime that the prune paths
  already use.

Testing.

  - net/hsr/hsr_framereg.o builds clean on an x86_64 KASAN config.
  - With the widening patch applied on top of this fix, 50 rounds
    of the RTM_NEWLINK / parallel-readers / RTM_DELLINK harness
    run KASAN-silent. The same harness fires the splat above on
    the unpatched tree in the first round.
  - Without the widening, 100 rounds of the same harness in
    list-readers mode run clean on the patched kernel.
  - tools/testing/selftests/net/hsr/{hsr_ping,prp_ping,hsr_redbox}.sh
    -4 all pass on both stock and patched kernels, diff-clean.
  - scripts/checkpatch.pl --strict is clean.

A separate status-path NULL deref in hsr_get_node_data() shows up
when the same harness runs with status readers and the widening
patch. That predates this fix and is not addressed here; I will
send it as its own patch once the primitive is characterised.

This targets net and carries a stable tag back to the dellink
cleanup commit b9a1e627405d.

Michael Bommarito (1):
  net: hsr: defer node table free until after RCU readers

 net/hsr/hsr_framereg.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


base-commit: 8d90b09e6741f5103ccc81a53bf2391ea09419a7
--
2.53.0