Re: [PATCH net 1/2] net-shapers: clear hierarchy pointer and defer flush frees with RCU

Next message: patchwork-bot+netdevbpf: "Re: [PATCH net] net: dsa: mxl862xx: don't set user_mii_bus"
Previous message: Harry Yoo: "Re: [PATCH 3/8] mm/zsmalloc: Introduce objcgs pointer in struct zpdesc"
In reply to: Paul Moses: "[PATCH net 2/2] net-shapers: don't free reply skb after genlmsg_reply()"
Next in thread: Paul Moses: "Re: [PATCH net 1/2] net-shapers: clear hierarchy pointer and defer flush frees with RCU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Tue Mar 10 2026 - 22:29:38 EST

On Mon, 09 Mar 2026 17:35:06 +0000 Paul Moses wrote:
> net_shaper_lookup() and the GET dump path traverse shaper state
> under rcu_read_lock() without taking the shaper lock. During
> teardown, net_shaper_flush() freed both the shapers and the
> hierarchy with kfree(), but netdev->net_shaper_hierarchy still
> pointed at the freed hierarchy.
>
> This lets GET readers race netdevice teardown and walk freed
> xarray state or freed shaper objects.
>
> Detach the hierarchy pointer from the netdevice under the
> shaper lock before teardown and switch the shaper and hierarchy
> frees in flush to kfree_rcu().

This is not the right fix. The shaper hierarchy as a while is not under
RCU. The problem is that we take a ref on netdev and then lock it,
assuming that it's still alive. But it may have gotten unregistered in
the meantime. The correct fix is to check that the netdev is still
alive after we lock the binding or take RCU from the Netlink side.

I'll take patch 2 it looks obviously correct.