Re: [PATCH net 1/2] net-shapers: clear hierarchy pointer and defer flush frees with RCU

From: Paul Moses

Date: Thu Mar 12 2026 - 02:06:25 EST


> On Wed, 11 Mar 2026 14:04:54 +0000 Paul Moses wrote:
> > The reported UAF was in the GET doit reader path.
> >
> > GET doit enters rcu_read_lock(), then net_shaper_lookup() performs
> > READ_ONCE(netdev->net_shaper_hierarchy) and walks the xarray locklessly.
> >
> > GET dump reads the hierarchy pointer first, then enters rcu_read_lock()
> > and uses xa_find() to walk the xarray.
> >
> > Both paths rely on RCU to keep the hierarchy and its shapers valid during
> > the lockless walk.
>
> RCU was never intended to protect the whole hierarchy in shapers.
> Only individual shapers inside the xarray.
> The struct net_shaper_hierarchy is allocated lazily but it is never
> freed during lifetime of the device, only once the device is dead.
>
> The bug is that we are accessing a dead device.
>
> (reminder: please quote what you're replying to correctly during ML
> discussions)
>

I'm sorry, I'm not seeing it that way. We are racing teardown, that's true,
but there is no reliance on the device being gone to hit this bug. It can
happen before or after, makes no difference.

SET/GROUP/DELETE paths might all be susceptible to your bug, but GET is not;
it never follows the “ref then lock” pattern.

So the choices I'm left with are fundamentally changing the GET paths' locking
contract or papering over the locking issue to where it's no longer reachable.

Thanks,
Paul