Re: [PATCH net] net/sched: act_api: use mutex in tcf_idr_check_alloc

From: Kyle Zeng

Date: Fri May 29 2026 - 19:16:15 EST


I ran the PoC against Jamal's patch (with inserted mdelay calls)
multiple times. And I confirm the issue does not reproduce with the
new patch.

Best,
Kyle

On Fri, May 29, 2026 at 7:13 AM Jamal Hadi Salim <jhs@xxxxxxxxxxxx> wrote:
>
> On Thu, May 28, 2026 at 9:13 PM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
> >
> > On Tue, 26 May 2026 15:08:47 -0700 Kyle Zeng wrote:
> > > Currently, the NEWTFILTER path uses RCU to guard action idr accesses while
> > > the DELTFILTER path uses mutex to guard action accesses. This
> > > inconsistency leads to a race condition scenario, which can lead to
> > > erroneous operations on refcount, eventually leading to a use-after-free
> > > situation.
> > > In this patch, we revert the introduction of RCU back to mutex in the
> > > NEWTFILTER path, which is consistent with the DELTFILTER path, avoiding
> > > the race condition.
> >
> > The commit message is quite inadequate here. Looks like a
> > run-of-the-mill UAF so you should explain the flow / race that leads
> > to it properly.
> >
> > Doing some extra digging with Jamal off-list we can't find the reason
> > why normal RCU protection wouldn't work here so maybe hold off reposting
> > until you hear from Jamal.
>
> Kyle, can you try the attached patch?
>
> cheers,
> jamal