Re: [PATCH net 1/2] net-shapers: clear hierarchy pointer and defer flush frees with RCU

Next message: John Hubbard: "Re: [PATCH 1/2] rust: sizes: add u64 variants of SZ_* constants"
Previous message: Bryan O'Donoghue: "Re: [PATCHv2] usb: typec: qcom-pmic-typec: simplify allocation"
In reply to: Paul Moses: "Re: [PATCH net 1/2] net-shapers: clear hierarchy pointer and defer flush frees with RCU"
Next in thread: Paul Moses: "Re: [PATCH net 1/2] net-shapers: clear hierarchy pointer and defer flush frees with RCU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Wed Mar 11 2026 - 20:18:36 EST

On Wed, 11 Mar 2026 14:04:54 +0000 Paul Moses wrote:
> The reported UAF was in the GET doit reader path.
>
> GET doit enters rcu_read_lock(), then net_shaper_lookup() performs
> READ_ONCE(netdev->net_shaper_hierarchy) and walks the xarray locklessly.
>
> GET dump reads the hierarchy pointer first, then enters rcu_read_lock()
> and uses xa_find() to walk the xarray.
>
> Both paths rely on RCU to keep the hierarchy and its shapers valid during
> the lockless walk.

RCU was never intended to protect the whole hierarchy in shapers.
Only individual shapers inside the xarray.
The struct net_shaper_hierarchy is allocated lazily but it is never
freed during lifetime of the device, only once the device is dead.

The bug is that we are accessing a dead device.

(reminder: please quote what you're replying to correctly during ML
discussions)