Re: [PATCH net] net/sched: act_api: use mutex in tcf_idr_check_alloc

Next message: kernel test robot: "[paulmck-rcu:dev] BUILD SUCCESS 3ef56ac10dd9f8b554f187fb1d9be78e14031195"
Previous message: Michal Simek: "[PATCH v2 0/3] clock: versal-clk: Fix Versal NET clock binding and switch to CCF"
In reply to: Jakub Kicinski: "Re: [PATCH net] net/sched: act_api: use mutex in tcf_idr_check_alloc"
Next in thread: Kyle Zeng: "Re: [PATCH net] net/sched: act_api: use mutex in tcf_idr_check_alloc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jamal Hadi Salim

Date: Fri May 29 2026 - 10:22:45 EST

On Thu, May 28, 2026 at 9:13 PM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
>
> On Tue, 26 May 2026 15:08:47 -0700 Kyle Zeng wrote:
> > Currently, the NEWTFILTER path uses RCU to guard action idr accesses while
> > the DELTFILTER path uses mutex to guard action accesses. This
> > inconsistency leads to a race condition scenario, which can lead to
> > erroneous operations on refcount, eventually leading to use-after-free
> > situation.
> > In this patch, we revert the introduction of RCU back to mutex in the
> > NEWFILTER path, which is consistent with the DELFILTER path, avoiding
> > the race condition.
>
> The commit message is quite inadequate here. Looks like a
> run-of-the-mill UAF so you should explain the flow / race that leads
> to it properly.
>
> Doing some extra digging with Jamal off-list we can't find the reason
> why normal RCU protection wouldn't work here so maybe hold off reposting
> until you hear from Jamal.

Kyle, can you try the attached patch?

cheers,
jamal

Attachment: patchlet-action-rcu
Description: Binary data