From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>,
Kuniyuki Iwashima <kuni1840@gmail.com>, <netdev@vger.kernel.org>
Subject: [PATCH v2 net 0/2] net: Fix race of rtnl_net_lock(dev_net(dev)).
Date: Fri, 7 Feb 2025 13:42:49 +0900 [thread overview]
Message-ID: <20250207044251.65421-1-kuniyu@amazon.com> (raw)
Yael Chemla reported that commit 7fb1073300a2 ("net: Hold rtnl_net_lock()
in (un)?register_netdevice_notifier_dev_net().") started to trigger KASAN's
use-after-free splat.
The problem is that dev_net(dev) fetched before rtnl_net_lock() might be
different after rtnl_net_lock().
The patch 1 fixes the issue by checking dev_net(dev) after rtnl_net_lock(),
and the patch 2 fixes the same potential issue that would emerge once RTNL
is removed.
Changes:
v2:
* Use dev_net_rcu()
* Use msleep(1) instead of cond_resched() after maybe_get_net()
* Remove cond_resched() after net_eq() check
v1: https://lore.kernel.org/netdev/20250130232435.43622-1-kuniyu@amazon.com/
Kuniyuki Iwashima (2):
net: Fix dev_net(dev) race in unregister_netdevice_notifier_dev_net().
dev: Use rtnl_net_dev_lock() in unregister_netdev().
net/core/dev.c | 69 +++++++++++++++++++++++++++++++++++++-------------
1 file changed, 52 insertions(+), 17 deletions(-)
--
2.39.5 (Apple Git-154)
next reply other threads:[~2025-02-07 4:43 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-07 4:42 Kuniyuki Iwashima [this message]
2025-02-07 4:42 ` [PATCH v2 net 1/2] net: Fix dev_net(dev) race in unregister_netdevice_notifier_dev_net() Kuniyuki Iwashima
2025-02-07 6:42 ` Eric Dumazet
2025-02-07 6:58 ` Kuniyuki Iwashima
2025-02-07 7:01 ` Eric Dumazet
2025-02-07 7:07 ` Kuniyuki Iwashima
2025-02-07 4:42 ` [PATCH v2 net 2/2] dev: Use rtnl_net_dev_lock() in unregister_netdev() Kuniyuki Iwashima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250207044251.65421-1-kuniyu@amazon.com \
--to=kuniyu@amazon.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=kuni1840@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox