Re: [PATCH net v2 1/1] net/sched: act_api: use RCU with deferred freeing for action lifecycle

Next message: Dave Jiang: "Re: [PATCH V3 7/9] dax: fix holder_ops race in fs_put_dax()"
Previous message: Jeremy Linton: "[PATCH] ACPI: CPPC: Suppress UBSAN warning caused by field misuse"
In reply to: Victor Nogueira: "Re: [PATCH net v2 1/1] net/sched: act_api: use RCU with deferred freeing for action lifecycle"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Mon Jun 01 2026 - 20:00:27 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Sun, 31 May 2026 12:08:12 -0400 you wrote:
> When NEWTFILTER and DELFILTER are run concurrently it is possible to create a
> race with an associated action.
>
> Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:
>
> 0: mutex_lock() <-- holds the idr lock
> 0: rcu_read_lock()
> 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)
> 0: mutex_unlock() <-- releases the idr lock
> 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
> 1: idr_remove(idr, index) <-- Action removed from IDR
> 1: mutex_unlock() <-- mutex released allowing us to delete the action
> 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral
> 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory
>
> [...]

Here is the summary with links:
- [net,v2,1/1] net/sched: act_api: use RCU with deferred freeing for action lifecycle
https://git.kernel.org/netdev/net/c/5057e1aca011

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html