From: xietangxin <xietangxin@yeah.net>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
netdev@vger.kernel.org, eric.dumazet@gmail.com
Subject: Re: [PATCH net-next] net/dst: improve dst_ops refcounting with per-dst bit
Date: Fri, 27 Mar 2026 15:05:40 +0800
Message-ID: <a39bee2b-7b73-4844-a2fc-475120e3d320@yeah.net>
In-Reply-To: <CANn89iL1cex3LK824Wke0URGqRv+fD16vUdM0y=dvdPgPqgdhA@mail.gmail.com>

On 3/27/2026 11:51 AM, Eric Dumazet wrote:
> On Tue, Mar 24, 2026 at 8:42 PM xietangxin <xietangxin@yeah.net> wrote:
>>
>
>> Hi Eric,
>>
>> I tested your patch with my reproduction script, but the UAF still occurs
>> with a warning in dst_entries_destroy() just before the crash.
>>
>> The reason is that for IPv6, dst_entries on the rt6_uncached_list are
>> handled by rt6_uncached_list_flush_dev() during netns destruction,
>> which bypasses dst_dev_put().
>>
>> I tested adding changes like dst_dev_put() inside rt6_uncached_list_flush_dev();
>> the UAF is gone and the dst_entries_destroy warning no longer appears.
>
>
> Could you share the incremental patch you added on top of mine ?
>
> Thanks.

Hi Eric,

Sure. Here is the incremental patch that I added on top of your patch.

---
diff --git a/include/net/dst.h b/include/net/dst.h
index 793f38452bf4..393cc84b6aa5 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -401,6 +401,7 @@ void dst_init(struct dst_entry *dst, struct dst_ops *ops,
struct net_device *dev, int initial_obsolete,
unsigned short flags);
void dst_dev_put(struct dst_entry *dst);
+void dst_count_dec(struct dst_entry *dst);
static inline void dst_confirm(struct dst_entry *dst)
{
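Review bot: The new prototype `void dst_count_dec(struct dst_entry *dst);` next to dst_dev_put() has no comment saying what a caller outside net/core/dst.c must do around it. The only new caller in this patch has to follow it with a write to dst->ops, so the header should either document that pairing or expose a single helper that performs both steps, so the counter decrement cannot be used on its own by mistake.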
diff --git a/net/core/dst.c b/net/core/dst.c
index d1efd3e7c44e..b5c5e04e10c1 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -139,7 +139,7 @@ static void dst_destroy_rcu(struct rcu_head *head)
dst_destroy(dst);
}
-static void dst_count_dec(struct dst_entry *dst)
+void dst_count_dec(struct dst_entry *dst)
{
struct dst_ops *ops = READ_ONCE(dst->ops);
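Review bot: Dropping `static` from dst_count_dec() makes it callable from net/ipv6/route.c, but the visible lines add no EXPORT_SYMBOL for it; if the IPv6 code can be built as a module in the target tree, the new call will fail to link. Either add the export with this change, or keep the function static and route the IPv6 caller through a dst helper that is already exported.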
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 658c0f742e45..9744a8e2fdc8 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -173,6 +173,7 @@ static void rt6_uncached_list_flush_dev(struct net_device *dev)
struct inet6_dev *rt_idev = rt->rt6i_idev;
struct net_device *rt_dev = rt->dst.dev;
bool handled = false;
+ struct dst_entry *dst = &rt->dst;
if (rt_idev && rt_idev->dev == dev) {
rt->rt6i_idev = in6_dev_get(blackhole_netdev);
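Review bot: Style point on the added `struct dst_entry *dst = &rt->dst;`: it sits after `bool handled = false;`, which breaks the longest-to-shortest ordering of local declarations that netdev asks for. Move it above the `bool` line.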
@@ -181,14 +182,16 @@ static void rt6_uncached_list_flush_dev(struct net_device *dev)
}
if (rt_dev == dev) {
- rt->dst.dev = blackhole_netdev;
+ dst->dev = blackhole_netdev;
+ dst_count_dec(dst);
+ WRITE_ONCE(dst->ops, dst->ops->template);
netdev_ref_replace(rt_dev, blackhole_netdev,
- &rt->dst.dev_tracker,
+ &dst->dev_tracker,
GFP_ATOMIC);
handled = true;
}
if (handled)
- list_del_init(&rt->dst.rt_uncached);
+ list_del_init(&dst->rt_uncached);
}
spin_unlock_bh(&ul->lock);
}
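Review bot: In the `rt_dev == dev` branch, `dst_count_dec(dst)` followed by `WRITE_ONCE(dst->ops, dst->ops->template)` reads dst->ops twice, once through READ_ONCE() inside dst_count_dec() and once as a plain load in the WRITE_ONCE() argument. Read the pointer once into a local and use it for both the decrement and the template switch, or move both steps into one helper in net/core/dst.c so this function and dst_dev_put() cannot drift apart. Please also confirm that the decrement is safe if this dst has already been through dst_dev_put(), since the call here is unconditional. The `rt->dst.` to `dst->` renames in the same hunk are unrelated cleanup and would be easier to review as a separate patch.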
--
Best regards,
Tangxin Xie