lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260119191238.1240882-1-kuba@kernel.org>
Date: Mon, 19 Jan 2026 11:12:38 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: p@....org
Cc: Jakub Kicinski <kuba@...nel.org>,
	stable@...r.kernel.org,
	netdev@...r.kernel.org
Subject: Re: [net,v1,2/3] net/sched: act_gate: fix schedule updates with RCU swap

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
net/sched: act_gate: fix schedule updates with RCU swap

This patch switches act_gate parameters to an RCU-protected pointer and
uses prepare-then-swap to avoid races during schedule updates.

> diff --git a/net/sched/act_gate.c b/net/sched/act_gate.c
> index c1f75f272757..6934df233df5 100644
> --- a/net/sched/act_gate.c
> +++ b/net/sched/act_gate.c

[ ... ]

> +	if (!list_empty(&newp.entries)) {
> +		list_splice_init(&newp.entries, &p->entries);
> +		p->num_entries = newp.num_entries;
> +	} else if (ret != ACT_P_CREATED) {
> +		struct tcfg_gate_entry *entry, *ne;
> +
> +		list_for_each_entry(entry, &oldp->entries, list) {
> +			ne = kmemdup(entry, sizeof(*ne), GFP_KERNEL);
> +			if (!ne) {
> +				err = -ENOMEM;
> +				goto free_p;
> +			}
> +			INIT_LIST_HEAD(&ne->list);
> +			list_add_tail(&ne->list, &p->entries);
> +		}
> +		p->num_entries = oldp->num_entries;
> +	}

[ ... ]

> +free_p:
> +	kfree(p);

When kmemdup() fails partway through the loop copying entries from
oldp->entries to p->entries, can the entries already added to p->entries
be leaked? The jump to free_p calls kfree(p) but p->entries may contain
allocated entries that are not released first.

The release_entry_list() call at release_new_entries releases newp.entries
rather than p->entries:

> +release_new_entries:
> +	release_entry_list(&newp.entries);

It looks like release_entry_list(&p->entries) should be called before
kfree(p) at the free_p label.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ