Re: [PATCH] net-shapers: free rollback entries using kfree_rcu

Next message: Mark Pearson: "Re: [PATCH] platform/x86/lenovo: thinkpad_acpi: add named speed presets to fan_write_cmd_speed"
Previous message: Tetsuo Handa: "Re: [PATCH v5] hfs: update sanity check of the root record"
In reply to: Kangzheng Gu: "[PATCH] net-shapers: free rollback entries using kfree_rcu"
Next in thread: Kangzheng Gu: "Re: [PATCH] net-shapers: free rollback entries using kfree_rcu"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Mon Mar 30 2026 - 21:16:36 EST

On Sat, 28 Mar 2026 18:58:04 +0000 Kangzheng Gu wrote:
> net_shaper_rollback() removes NET_SHAPER_NOT_VALID entries and frees
> them using kfree(), which can race with net_shaper_nl_get_dumpit() and
> lead to a use-after-free in net_shaper_fill_one().
>
> Use kfree_rcu() instead of kfree() to free rollback entries, since
> net_shaper_nl_get_dumpit() protects shaper access with rcu_read_lock().

If dump can see NOT_VALID entries we have a bigger problem than a UAF
don't you think? :/