From: Jakub Kicinski <kuba@kernel.org>
To: Paul Moses <p@1g4.org>
Cc: davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
horms@kernel.org, jiri@resnulli.us, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH net 1/2] net-shapers: clear hierarchy pointer and defer flush frees with RCU
Date: Tue, 10 Mar 2026 19:28:42 -0700 [thread overview]
Message-ID: <20260310192842.3c3b2070@kernel.org> (raw)
In-Reply-To: <20260309173450.538026-1-p@1g4.org>
On Mon, 09 Mar 2026 17:35:06 +0000 Paul Moses wrote:
> net_shaper_lookup() and the GET dump path traverse shaper state
> under rcu_read_lock() without taking the shaper lock. During
> teardown, net_shaper_flush() freed both the shapers and the
> hierarchy with kfree(), but netdev->net_shaper_hierarchy still
> pointed at the freed hierarchy.
>
> This lets GET readers race netdevice teardown and walk freed
> xarray state or freed shaper objects.
>
> Detach the hierarchy pointer from the netdevice under the
> shaper lock before teardown and switch the shaper and hierarchy
> frees in flush to kfree_rcu().
This is not the right fix. The shaper hierarchy as a while is not under
RCU. The problem is that we take a ref on netdev and then lock it,
assuming that it's still alive. But it may have gotten unregistered in
the meantime. The correct fix is to check that the netdev is still
alive after we lock the binding or take RCU from the Netlink side.
I'll take patch 2 it looks obviously correct.
next prev parent reply other threads:[~2026-03-11 2:28 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 17:35 [PATCH net 1/2] net-shapers: clear hierarchy pointer and defer flush frees with RCU Paul Moses
2026-03-09 17:35 ` [PATCH net 2/2] net-shapers: don't free reply skb after genlmsg_reply() Paul Moses
2026-03-11 2:28 ` Jakub Kicinski [this message]
2026-03-11 14:04 ` [PATCH net 1/2] net-shapers: clear hierarchy pointer and defer flush frees with RCU Paul Moses
2026-03-12 0:18 ` Jakub Kicinski
2026-03-12 6:05 ` Paul Moses
2026-03-12 14:25 ` Jakub Kicinski
2026-03-12 14:57 ` Paul Moses
2026-03-16 18:45 ` Paul Moses
2026-03-16 23:12 ` Jakub Kicinski
2026-03-16 23:41 ` Paul Moses
2026-03-16 23:59 ` Paul Moses
2026-03-11 2:40 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260310192842.3c3b2070@kernel.org \
--to=kuba@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jiri@resnulli.us \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=p@1g4.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox