net_shaper_lookup() and the GET dump path traverse shaper state under rcu_read_lock() without taking the shaper lock. During teardown, net_shaper_flush() freed both the shapers and the hierarchy with kfree(), but netdev->net_shaper_hierarchy still pointed at the freed hierarchy. This lets GET readers race netdevice teardown and walk freed xarray state or freed shaper objects. Detach the hierarchy pointer from the netdevice under the shaper lock before teardown and switch the shaper and hierarchy frees in flush to kfree_rcu(). Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation") Cc: stable@vger.kernel.org Signed-off-by: Paul Moses
---
 net/shaper/shaper.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c
index 005bfc766e22d..3ad5a2d621a91 100644
--- a/net/shaper/shaper.c
+++ b/net/shaper/shaper.c
@@ -23,6 +23,7 @@
 struct net_shaper_hierarchy {
 struct xarray shapers;
+ struct rcu_head rcu;
 };
 struct net_shaper_nl_ctx {
@@ -1352,23 +1353,28 @@ int net_shaper_nl_cap_get_dumpit(struct sk_buff *skb,
 static void net_shaper_flush(struct net_shaper_binding *binding)
 {
- struct net_shaper_hierarchy *hierarchy = net_shaper_hierarchy(binding);
+ struct net_shaper_hierarchy *hierarchy;
 struct net_shaper *cur;
 unsigned long index;
- if (!hierarchy)
+ net_shaper_lock(binding);
+ hierarchy = net_shaper_hierarchy(binding);
+ if (!hierarchy) {
+ net_shaper_unlock(binding);
 return;
+ }
+
+ WRITE_ONCE(binding->netdev->net_shaper_hierarchy, NULL);
- net_shaper_lock(binding);
 xa_lock(&hierarchy->shapers);
 xa_for_each(&hierarchy->shapers, index, cur) {
 __xa_erase(&hierarchy->shapers, index);
- kfree(cur);
+ kfree_rcu(cur, rcu);
 }
 xa_unlock(&hierarchy->shapers);
 net_shaper_unlock(binding);
- kfree(hierarchy);
+ kfree_rcu(hierarchy, rcu);
 }
 void net_shaper_flush_netdev(struct net_device *dev)
--
2.53.GIT
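Review bot: The new `WRITE_ONCE(binding->netdev->net_shaper_hierarchy, NULL);` in net_shaper_flush() is the step that makes the deferred frees sufficient, yet nothing in the code says so; I would add above it `/* Unpublish before erasing: RCU readers that already loaded the pointer are covered by kfree_rcu(), new readers must see NULL. */`. The store also reaches into `binding->netdev` directly while the load two lines earlier goes through `net_shaper_hierarchy(binding)`, so the read and write sides can drift apart if the accessor ever handles another binding type; a small setter next to the accessor would keep them paired (the accessor body is outside this diff, so this is inferred). `kfree_rcu(cur, rcu)` needs a `struct rcu_head rcu` member in struct net_shaper, which this patch adds only to struct net_shaper_hierarchy; presumably the shaper already carries one, but that is worth confirming because the stable backport depends on it. The fix also holds only if every lockless reader loads and dereferences the hierarchy strictly inside its rcu_read_lock() section, which is not visible here.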