* [report?] A race condition is suspected.
@ 2023-07-04 6:07 Hyunwoo Kim
2023-07-28 8:12 ` Hyunwoo Kim
0 siblings, 1 reply; 2+ messages in thread
From: Hyunwoo Kim @ 2023-07-04 6:07 UTC (permalink / raw)
To: sam; +Cc: davem, pabeni, kuba, netdev, imv4bel, v4bel
Dear all,
From the code, it looks like a use-after-free due to a race condition
could be caused by the lack of a proper lock between the ncsi_dev_work()
worker and the vlan ioctl:
```
cpu0 cpu1
ncsi_dev_work()
ncsi_configure_channel()
set_one_vid()
rcu_read_lock()
sock_ioctl()
vlan_ioctl_handler()
unregister_vlan_dev()
vlan_vid_del()
__vlan_vid_del()
vlan_kill_rx_filter_info()
ncsi_vlan_rx_kill_vid()
list_del_rcu(&vlan->list);
kfree(vlan);
vid = vlan->vid; // use-after-free?
rcu_read_unlock()
```
However, I do not have a device that uses the ncsi_dev_work() worker,
so I have not been able to debug this.
Can a race condition like this actually happen, and if so, it seems
like we need to change `kfree(vlan);` to `kfree_rcu(vlan)`, or add
an appropriate lock to the worker.
Regards,
Hyunwoo Kim
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: [report?] A race condition is suspected.
2023-07-04 6:07 [report?] A race condition is suspected Hyunwoo Kim
@ 2023-07-28 8:12 ` Hyunwoo Kim
0 siblings, 0 replies; 2+ messages in thread
From: Hyunwoo Kim @ 2023-07-28 8:12 UTC (permalink / raw)
To: sam; +Cc: davem, pabeni, kuba, netdev, imv4bel, v4bel
On Mon, Jul 03, 2023 at 11:07:34PM -0700, Hyunwoo Kim wrote:
> Dear all,
>
> From the code, it looks like a use-after-free due to a race condition
> could be caused by the lack of a proper lock between the ncsi_dev_work()
> worker and the vlan ioctl:
> ```
> cpu0 cpu1
>
> ncsi_dev_work()
> ncsi_configure_channel()
> set_one_vid()
> rcu_read_lock()
> sock_ioctl()
> vlan_ioctl_handler()
> unregister_vlan_dev()
> vlan_vid_del()
> __vlan_vid_del()
> vlan_kill_rx_filter_info()
> ncsi_vlan_rx_kill_vid()
> list_del_rcu(&vlan->list);
> kfree(vlan);
> vid = vlan->vid; // use-after-free?
> rcu_read_unlock()
> ```
>
> However, I do not have a device that uses the ncsi_dev_work() worker,
> so I have not been able to debug this.
>
> Can a race condition like this actually happen, and if so, it seems
> like we need to change `kfree(vlan);` to `kfree_rcu(vlan)`, or add
> an appropriate lock to the worker.
>
>
> Regards,
> Hyunwoo Kim
Hi,
Can I get a review of this report?
Should I submit a patch to replace kfree_rcu()?
Regards,
Hyunwoo Kim
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-07-28 8:12 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-04 6:07 [report?] A race condition is suspected Hyunwoo Kim
2023-07-28 8:12 ` Hyunwoo Kim
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).