Re: [PATCH net] net: nexthop: fix percpu use-after-free in remove_nh_grp_entry

Next message: patchwork-bot+netdevbpf: "Re: [PATCH net v5] serial: caif: hold tty-&gt;link reference in ldisc_open and ser_release"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH net v3] net: sfp: improve Huawei MA5671a fixup"
In reply to: Ido Schimmel: "Re: [PATCH net] net: nexthop: fix percpu use-after-free in remove_nh_grp_entry"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Mon Mar 09 2026 - 22:00:46 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Fri, 6 Mar 2026 18:38:20 -0500 you wrote:
> When removing a nexthop from a group, remove_nh_grp_entry() publishes
> the new group via rcu_assign_pointer() then immediately frees the
> removed entry's percpu stats with free_percpu(). However, the
> synchronize_net() grace period in the caller remove_nexthop_from_groups()
> runs after the free. RCU readers that entered before the publish still
> see the old group and can dereference the freed stats via
> nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a
> use-after-free on percpu memory.
>
> [...]

Here is the summary with links:
- [net] net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
https://git.kernel.org/netdev/net/c/b2662e7593e9

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html