[PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link_register
@ 2026-03-18 16:15 Sabrina Dubroca
  2026-03-19  4:15 ` Kuniyuki Iwashima
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Sabrina Dubroca @ 2026-03-18 16:15 UTC (permalink / raw)
  To: netdev; +Cc: Sabrina Dubroca, Kuniyuki Iwashima

Commit 6b57ff21a310 ("rtnetlink: Protect link_ops by mutex.") swapped
the EEXIST check with the init_srcu_struct, but didn't add cleanup of
the SRCU struct we just allocated in case of error.

Fixes: 6b57ff21a310 ("rtnetlink: Protect link_ops by mutex.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
 net/core/rtnetlink.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index dad4b1054955..8072a43196ef 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -627,6 +627,9 @@ int rtnl_link_register(struct rtnl_link_ops *ops)
 
 	list_add_tail_rcu(&ops->list, &link_ops);
 unlock:
+	if (err)
+		cleanup_srcu_struct(&ops->srcu);
+
 	mutex_unlock(&link_ops_mutex);
 
 	return err;
-- 
2.51.2


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link_register
  2026-03-18 16:15 [PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link_register Sabrina Dubroca
@ 2026-03-19  4:15 ` Kuniyuki Iwashima
  2026-03-20  0:04 ` Jakub Kicinski
  2026-03-20  0:05 ` Jakub Kicinski
  2 siblings, 0 replies; 6+ messages in thread
From: Kuniyuki Iwashima @ 2026-03-19  4:15 UTC (permalink / raw)
  To: Sabrina Dubroca; +Cc: netdev

On Wed, Mar 18, 2026 at 9:15 AM Sabrina Dubroca <sd@queasysnail.net> wrote:
>
> Commit 6b57ff21a310 ("rtnetlink: Protect link_ops by mutex.") swapped
> the EEXIST check with the init_srcu_struct, but didn't add cleanup of
> the SRCU struct we just allocated in case of error.
>
> Fixes: 6b57ff21a310 ("rtnetlink: Protect link_ops by mutex.")
> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>

Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>

Thanks !

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link_register
  2026-03-18 16:15 [PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link_register Sabrina Dubroca
  2026-03-19  4:15 ` Kuniyuki Iwashima
@ 2026-03-20  0:04 ` Jakub Kicinski
  2026-03-20  0:05 ` Jakub Kicinski
  2 siblings, 0 replies; 6+ messages in thread
From: Jakub Kicinski @ 2026-03-20  0:04 UTC (permalink / raw)
  To: Sabrina Dubroca; +Cc: netdev, Kuniyuki Iwashima

On Wed, 18 Mar 2026 17:15:15 +0100 Sabrina Dubroca wrote:
> Commit 6b57ff21a310 ("rtnetlink: Protect link_ops by mutex.") swapped
> the EEXIST check with the init_srcu_struct, but didn't add cleanup of
> the SRCU struct we just allocated in case of error.

FWIW AI has spotted a different bug while reviewing this:

As a related question about the srcu lifecycle for these ops structures,
is there a missing synchronize_rcu() in rtnl_link_unregister() that could
cause a use-after-free?
If rtnl_link_ops_get() traverses the link_ops list under rcu_read_lock(),
and rtnl_link_unregister() removes the ops via list_del_rcu() followed
immediately by synchronize_srcu(&ops->srcu) and cleanup_srcu_struct(),
what happens if an rcu reader finds the ops pointer but is preempted
before calling srcu_read_lock()?
Since no srcu readers are technically active yet, synchronize_srcu()
would return immediately, and cleanup_srcu_struct() would free the
per-CPU data. When the preempted reader resumes, wouldn't it execute
srcu_read_lock() on freed data?
Does rtnl_link_unregister() need a synchronize_rcu() after list_del_rcu()
and before destroying the srcu struct to ensure all rcu-side list
traversals have completed?

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link_register
  2026-03-18 16:15 [PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link_register Sabrina Dubroca
  2026-03-19  4:15 ` Kuniyuki Iwashima
  2026-03-20  0:04 ` Jakub Kicinski
@ 2026-03-20  0:05 ` Jakub Kicinski
  2026-03-20  7:23   ` Sabrina Dubroca
  2 siblings, 1 reply; 6+ messages in thread
From: Jakub Kicinski @ 2026-03-20  0:05 UTC (permalink / raw)
  To: Sabrina Dubroca; +Cc: netdev, Kuniyuki Iwashima

On Wed, 18 Mar 2026 17:15:15 +0100 Sabrina Dubroca wrote:
>  	list_add_tail_rcu(&ops->list, &link_ops);
>  unlock:
> +	if (err)
> +		cleanup_srcu_struct(&ops->srcu);
> +
>  	mutex_unlock(&link_ops_mutex);

Does the cleanup have to be under the lock?

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link_register
  2026-03-20  0:05 ` Jakub Kicinski
@ 2026-03-20  7:23   ` Sabrina Dubroca
  2026-03-21  0:35     ` Jakub Kicinski
  0 siblings, 1 reply; 6+ messages in thread
From: Sabrina Dubroca @ 2026-03-20  7:23 UTC (permalink / raw)
  To: Jakub Kicinski; +Cc: netdev, Kuniyuki Iwashima

2026-03-19, 17:05:41 -0700, Jakub Kicinski wrote:
> On Wed, 18 Mar 2026 17:15:15 +0100 Sabrina Dubroca wrote:
> >  	list_add_tail_rcu(&ops->list, &link_ops);
> >  unlock:
> > +	if (err)
> > +		cleanup_srcu_struct(&ops->srcu);
> > +
> >  	mutex_unlock(&link_ops_mutex);
> 
> Does the cleanup have to be under the lock?

Right. I'll send a v2.
(OTOH I don't think we'll ever have to worry about contention on this
lock, but we've probably said that about many locks in the past)

-- 
Sabrina

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link_register
  2026-03-20  7:23   ` Sabrina Dubroca
@ 2026-03-21  0:35     ` Jakub Kicinski
  0 siblings, 0 replies; 6+ messages in thread
From: Jakub Kicinski @ 2026-03-21  0:35 UTC (permalink / raw)
  To: Sabrina Dubroca; +Cc: netdev, Kuniyuki Iwashima

On Fri, 20 Mar 2026 08:23:42 +0100 Sabrina Dubroca wrote:
> 2026-03-19, 17:05:41 -0700, Jakub Kicinski wrote:
> > On Wed, 18 Mar 2026 17:15:15 +0100 Sabrina Dubroca wrote:  
> > >  	list_add_tail_rcu(&ops->list, &link_ops);
> > >  unlock:
> > > +	if (err)
> > > +		cleanup_srcu_struct(&ops->srcu);
> > > +
> > >  	mutex_unlock(&link_ops_mutex);  
> > 
> > Does the cleanup have to be under the lock?  
> 
> Right. I'll send a v2.

SG, I'll mark this as Changes Requested then.

> (OTOH I don't think we'll ever have to worry about contention on this
> lock, but we've probably said that about many locks in the past)

Right. I'm not sure why I feel this way but the way the condition is
placed makes it read to me as if being under the lock was important :S

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-03-21  0:35 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-18 16:15 [PATCH net] rtnetlink: fix leak of SRCU struct in rtnl_link_register Sabrina Dubroca
2026-03-19  4:15 ` Kuniyuki Iwashima
2026-03-20  0:04 ` Jakub Kicinski
2026-03-20  0:05 ` Jakub Kicinski
2026-03-20  7:23   ` Sabrina Dubroca
2026-03-21  0:35     ` Jakub Kicinski

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox