netdev.vger.kernel.org archive mirror
From: Stanislav Fomichev <stfomichev@gmail.com>
To: Eric Dumazet <edumazet@google.com>
Cc: Stanislav Fomichev <sdf@fomichev.me>,
	netdev@vger.kernel.org, davem@davemloft.net, kuba@kernel.org,
	pabeni@redhat.com, Jamal Hadi Salim <jhs@mojatatu.com>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>, Saeed Mahameed <saeed@kernel.org>
Subject: Re: [PATCH net-next v10 04/14] net: hold netdev instance lock during qdisc ndo_setup_tc
Date: Thu, 13 Mar 2025 02:11:07 -0700
Message-ID: <Z9KhK_M7IinJu8Ih@mini-arch>
In-Reply-To: <CANn89i+4F1f2FSUxmxP=qqir0z_3ZDNpQoqkE3X7bwp81U3sCw@mail.gmail.com>

On 03/13, Eric Dumazet wrote:
> On Wed, Mar 5, 2025 at 5:37 PM Stanislav Fomichev <sdf@fomichev.me> wrote:
> >
> > Qdisc operations that can lead to ndo_setup_tc might need
> > to have an instance lock. Add netdev_lock_ops/netdev_unlock_ops
> > invocations for all psched_rtnl_msg_handlers operations.
> >
> > Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> > Cc: Cong Wang <xiyou.wangcong@gmail.com>
> > Cc: Jiri Pirko <jiri@resnulli.us>
> > Cc: Saeed Mahameed <saeed@kernel.org>
> > Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
> > Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
> > ---
> >  net/sched/sch_api.c | 28 ++++++++++++++++++++++++----
> >  1 file changed, 24 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
> > index 21940f3ae66f..f5101c2ffc66 100644
> > --- a/net/sched/sch_api.c
> > +++ b/net/sched/sch_api.c
> > @@ -1279,9 +1279,11 @@ static struct Qdisc *qdisc_create(struct net_device *dev,
> >                          * We replay the request because the device may
> >                          * go away in the mean time.
> >                          */
> > +                       netdev_unlock_ops(dev);
> >                         rtnl_unlock();
> >                         request_module(NET_SCH_ALIAS_PREFIX "%s", name);
> >                         rtnl_lock();
> 
> Oops, dev might have disappeared.
> 
> As explained a few lines above in the comment :
> 
> /* We dropped the RTNL semaphore in order to
> * perform the module load.  So, even if we
> * succeeded in loading the module we have to
> * tell the caller to replay the request.  We
> * indicate this using -EAGAIN.
> * We replay the request because the device may
> * go away in the mean time.
> */
> 
> 
> 
> > +                       netdev_lock_ops(dev);
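
Review bot: The added netdev_lock_ops(dev) runs after the rtnl_unlock() / request_module() / rtnl_lock() window, and nothing visible in this hunk keeps dev alive across that window. The comment at the top of the hunk says the request is replayed precisely because the device may go away in the meantime, so re-taking the instance lock here can dereference a freed net_device. Since this path hands control back to the caller for a replay, consider not re-acquiring the lock at all and letting the caller know the instance lock was already dropped, or pin the device before netdev_unlock_ops(dev) so it stays valid until the lock is taken again.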
> 
> So this might trigger an UAF.

Oh, good catch, let me try to add more logic here to be more careful
on the replay path. We can make the caller not unlock the instance lock
in this case, I think.
