[PATCH net 1/2] net-shapers: clear hierarchy pointer and defer flush frees with RCU
From: Paul Moses
Date: Mon Mar 09 2026 - 13:38:23 EST
net_shaper_lookup() and the GET dump path traverse shaper state
under rcu_read_lock() without taking the shaper lock. During
teardown, net_shaper_flush() freed both the shapers and the
hierarchy with kfree(), but netdev->net_shaper_hierarchy still
pointed at the freed hierarchy.
This lets GET readers race netdevice teardown and walk freed
xarray state or freed shaper objects.
Detach the hierarchy pointer from the netdevice under the
shaper lock before teardown and switch the shaper and hierarchy
frees in flush to kfree_rcu().
Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Paul Moses <p@xxxxxxx>
---
net/shaper/shaper.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c
index 005bfc766e22d..3ad5a2d621a91 100644
--- a/net/shaper/shaper.c
+++ b/net/shaper/shaper.c
@@ -23,6 +23,7 @@
struct net_shaper_hierarchy {
struct xarray shapers;
+ struct rcu_head rcu;
};
struct net_shaper_nl_ctx {
@@ -1352,23 +1353,28 @@ int net_shaper_nl_cap_get_dumpit(struct sk_buff *skb,
static void net_shaper_flush(struct net_shaper_binding *binding)
{
- struct net_shaper_hierarchy *hierarchy = net_shaper_hierarchy(binding);
+ struct net_shaper_hierarchy *hierarchy;
struct net_shaper *cur;
unsigned long index;
- if (!hierarchy)
+ net_shaper_lock(binding);
+ hierarchy = net_shaper_hierarchy(binding);
+ if (!hierarchy) {
+ net_shaper_unlock(binding);
return;
+ }
+
+ WRITE_ONCE(binding->netdev->net_shaper_hierarchy, NULL);
- net_shaper_lock(binding);
xa_lock(&hierarchy->shapers);
xa_for_each(&hierarchy->shapers, index, cur) {
__xa_erase(&hierarchy->shapers, index);
- kfree(cur);
+ kfree_rcu(cur, rcu);
}
xa_unlock(&hierarchy->shapers);
net_shaper_unlock(binding);
- kfree(hierarchy);
+ kfree_rcu(hierarchy, rcu);
}
void net_shaper_flush_netdev(struct net_device *dev)
--
2.53.GIT