Re: [PATCH net 1/1] net/sched: teql: Fix double-free in teql_master_xmit

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: patchwork-bot+netdevbpf@kernel.org
To: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: netdev@vger.kernel.org, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
	jiri@resnulli.us, keenanat2000@gmail.com, security@kernel.org,
	victor@mojatatu.com
Subject: Re: [PATCH net 1/1] net/sched: teql: Fix double-free in teql_master_xmit
Date: Tue, 17 Mar 2026 02:50:07 +0000	[thread overview]
Message-ID: <177371580729.3402731.13769692238630260864.git-patchwork-notify@kernel.org> (raw)
In-Reply-To: <20260315155422.147256-1-jhs@mojatatu.com>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Sun, 15 Mar 2026 11:54:22 -0400 you wrote:
> Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should
> be called using the seq_lock to avoid racing with the datapath. Failure
> to do so may cause crashes like the following:
> 
> [  238.028993][  T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
> [  238.029328][  T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318
> [  238.029749][  T318]
> [  238.029900][  T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
> [  238.029906][  T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> [  238.029910][  T318] Call Trace:
> [  238.029913][  T318]  <TASK>
> [  238.029916][  T318]  dump_stack_lvl (lib/dump_stack.c:122)
> [  238.029928][  T318]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
> [  238.029940][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
> [  238.029944][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> ...
> [  238.029957][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
> [  238.029969][  T318]  kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)
> [  238.029979][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
> [  238.029989][  T318]  check_slab_allocation (mm/kasan/common.c:231)
> [  238.029995][  T318]  kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))
> [  238.030004][  T318]  skb_release_data (net/core/skbuff.c:1139)
> ...
> [  238.030025][  T318]  sk_skb_reason_drop (net/core/skbuff.c:1256)
> [  238.030032][  T318]  pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)
> [  238.030039][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> ...
> [  238.030054][  T318]  qdisc_reset (net/sched/sch_generic.c:1034)
> [  238.030062][  T318]  teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)
> [  238.030071][  T318]  __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)
> [  238.030077][  T318]  qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)
> [  238.030089][  T318]  ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)
> [  238.030095][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [  238.030102][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [  238.030106][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [  238.030114][  T318]  tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
> ...
> [  238.072958][  T318] Allocated by task 303 on cpu 5 at 238.026275s:
> [  238.073392][  T318]  kasan_save_stack (mm/kasan/common.c:58)
> [  238.073884][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
> [  238.074230][  T318]  __kasan_slab_alloc (mm/kasan/common.c:369)
> [  238.074578][  T318]  kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)
> [  238.076091][  T318]  kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))
> [  238.076450][  T318]  __alloc_skb (net/core/skbuff.c:713)
> [  238.076834][  T318]  alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)
> [  238.077178][  T318]  sock_alloc_send_pskb (net/core/sock.c:2997)
> [  238.077520][  T318]  packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)
> [  238.081469][  T318]
> [  238.081870][  T318] Freed by task 299 on cpu 1 at 238.028496s:
> [  238.082761][  T318]  kasan_save_stack (mm/kasan/common.c:58)
> [  238.083481][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
> [  238.085348][  T318]  kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))
> [  238.085900][  T318]  __kasan_slab_free (mm/kasan/common.c:287)
> [  238.086439][  T318]  kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3))
> [  238.087007][  T318]  skb_release_data (net/core/skbuff.c:1139)
> [  238.087491][  T318]  consume_skb (net/core/skbuff.c:1451)
> [  238.087757][  T318]  teql_master_xmit (net/sched/sch_teql.c:358)
> [  238.088116][  T318]  dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887)
> [  238.088468][  T318]  sch_direct_xmit (net/sched/sch_generic.c:347)
> [  238.088820][  T318]  __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1))
> [  238.089166][  T318]  __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802)
> 
> [...]

Here is the summary with links:
  - [net,1/1] net/sched: teql: Fix double-free in teql_master_xmit
    https://git.kernel.org/netdev/net/c/66360460cab6

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

     prev parent reply	other threads:[~2026-03-17  2:50 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-15 15:54 [PATCH net 1/1] net/sched: teql: Fix double-free in teql_master_xmit Jamal Hadi Salim
2026-03-17  2:50 ` patchwork-bot+netdevbpf [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=177371580729.3402731.13769692238630260864.git-patchwork-notify@kernel.org \
    --to=patchwork-bot+netdevbpf@kernel.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=jhs@mojatatu.com \
    --cc=jiri@resnulli.us \
    --cc=keenanat2000@gmail.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=security@kernel.org \
    --cc=victor@mojatatu.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox