| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250313100407.2285897-1-sdf@fomichev.me>
Date: Thu, 13 Mar 2025 03:04:07 -0700
From: Stanislav Fomichev <sdf@...ichev.me>
To: netdev@...r.kernel.org
Cc: davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
linux-kernel@...r.kernel.org,
jhs@...atatu.com,
xiyou.wangcong@...il.com,
jiri@...nulli.us,
horms@...nel.org,
sdf@...ichev.me
Subject: [PATCH net-next] net: don't relock netdev when on qdisc_create replay
Eric reports that by the time we call netdev_lock_ops after
rtnl_unlock/rtnl_lock, the dev might point to an invalid device.
Don't relock the device after request_module and don't try
to unlock it in the caller (tc_modify_qdisc) in case of replay.
Fixes: a0527ee2df3f ("net: hold netdev instance lock during qdisc ndo_setup_tc")
Reported-by: Eric Dumazet <edumazet@...gle.com>
Link: https://lore.kernel.org/netdev/20250305163732.2766420-1-sdf@fomichev.me/T/#me8dfd778ea4c4463acab55644e3f9836bc608771
Signed-off-by: Stanislav Fomichev <sdf@...ichev.me>
---
net/sched/sch_api.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index abace7665cfe..f1ec6ec0cf05 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1278,13 +1278,14 @@ static struct Qdisc *qdisc_create(struct net_device *dev,
* tell the caller to replay the request. We
* indicate this using -EAGAIN.
* We replay the request because the device may
- * go away in the mean time.
+ * go away in the mean time. Note that we also
+ * don't relock the device because it might
+ * be gone at this point.
*/
netdev_unlock_ops(dev);
rtnl_unlock();
request_module(NET_SCH_ALIAS_PREFIX "%s", name);
rtnl_lock();
- netdev_lock_ops(dev);
ops = qdisc_lookup_ops(kind);
if (ops != NULL) {
/* We will try again qdisc_lookup_ops,
@@ -1837,9 +1838,10 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
replay = false;
netdev_lock_ops(dev);
err = __tc_modify_qdisc(skb, n, extack, dev, tca, tcm, &replay);
- netdev_unlock_ops(dev);
+ /* __tc_modify_qdisc returns with unlocked dev in case of replay */
if (replay)
goto replay;
+ netdev_unlock_ops(dev);
return err;
}
--
2.48.1
Powered by blists - more mailing lists