Re: [PATCH net] net/sched: act_api: use mutex in tcf_idr_check_alloc

From: Jamal Hadi Salim

Date: Sat May 30 2026 - 07:50:45 EST


On Fri, May 29, 2026 at 7:15 PM Kyle Zeng <kylebot@xxxxxxxxxx> wrote:
>
> I ran the PoC against Jamal's patch (with inserted mdelay calls)
> multiple times. And I confirm the issue does not reproduce with the
> new patch.
>

Thanks Kyle. I will send the patch shortly.

cheers,
jamal
> Best,
> Kyle
>
> On Fri, May 29, 2026 at 7:13 AM Jamal Hadi Salim <jhs@xxxxxxxxxxxx> wrote:
> >
> > On Thu, May 28, 2026 at 9:13 PM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
> > >
> > > On Tue, 26 May 2026 15:08:47 -0700 Kyle Zeng wrote:
> > > > Currently, the NEWTFILTER path uses RCU to guard action idr accesses while
> > > > the DELTFILTER path uses mutex to guard action accesses. This
> > > > inconsistency leads to a race condition scenario, which can lead to
> > > > erroneous operations on refcount, eventually leading to a use-after-free
> > > > situation.
> > > > In this patch, we revert the introduction of RCU back to mutex in the
> > > > NEWTFILTER path, which is consistent with the DELTFILTER path, avoiding
> > > > the race condition.
> > >
> > > The commit message is quite inadequate here. Looks like a
> > > run-of-the-mill UAF so you should explain the flow / race that leads
> > > to it properly.
> > >
> > > Doing some extra digging with Jamal off-list we can't find the reason
> > > why normal RCU protection wouldn't work here so maybe hold off reposting
> > > until you hear from Jamal.
> >
> > Kyle, can you try the attached patch?
> >
> > cheers,
> > jamal