net_shaper_rollback() removes NET_SHAPER_NOT_VALID entries and frees
them using kfree(), which can race with net_shaper_nl_get_dumpit() and
lead to a use-after-free in net_shaper_fill_one().
Use kfree_rcu() instead of kfree() to free rollback entries, since
net_shaper_nl_get_dumpit() protects shaper access with rcu_read_lock().
Cc: stable@vger.kernel.org
Fixes: 93954b40f6a4 ("net-shapers: implement NL set and delete operations")
Signed-off-by: Kangzheng Gu <xiaoguai0992@gmail.com>
---
net/shaper/shaper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c
index 94bc9c7382ea..8922f7f64768 100644
--- a/net/shaper/shaper.c
+++ b/net/shaper/shaper.c
@@ -434,7 +434,7 @@ static void net_shaper_rollback(struct net_shaper_binding *binding)
xa_for_each_marked(&hierarchy->shapers, index, cur,
NET_SHAPER_NOT_VALID) {
__xa_erase(&hierarchy->shapers, index);
- kfree(cur);
+ kfree_rcu(cur, rcu);
}
xa_unlock(&hierarchy->shapers);
}
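Review bot: kfree_rcu() here only delays the free; it does not stop net_shaper_nl_get_dumpit() from handing userspace an entry that is still marked NET_SHAPER_NOT_VALID, which is the question raised in review. If the dump iterator can observe entries in that state, the rollback loop above is freeing objects a reader may already have picked up, and the missing piece is a mark check on the dump side (net_shaper_lookup() already does this for the doit path), with the deferred free as the second half of the fix rather than the whole of it. The change itself is consistent with the other free paths in this file (net_shaper_pre_insert() already does `kfree_rcu(cur, rcu);` on its store-failure path), so the struct's rcu head is already there; it would help to say so in the commit message, together with how the race was reproduced, since the thread notes that netdevsim only stubs these ops and may not reach rollback reliably.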
--
2.50.1
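As an added illustration (not part of the patch or of the kernel source), the following single-threaded C model forces the interleaving the commit message describes: a dump reader picks up a pointer under a read-side lock, rollback erases and frees the entry, and the reader then touches it. The xarray, the NET_SHAPER_NOT_VALID mark, rcu_read_lock() and kfree_rcu() are replaced by simplified stand-ins (every name ending in _toy is invented here, and the mark lives in the struct rather than on the store). It shows that deferring the free past the grace period removes the use-after-free but, on its own, still lets the dump report an entry that was never validated, which is the concern Jakub raises in reply.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model of the race, not kernel code: frees set a flag instead of
 * releasing memory so a use-after-free can be detected rather than
 * crashing, and the interleaving is forced explicitly. */

#define NSLOTS 4

struct shaper {
	int handle;
	bool not_valid;		/* stands in for the NET_SHAPER_NOT_VALID mark */
	bool freed;		/* set by free_toy(); the real kfree() just frees */
	struct shaper *rcu_next;/* link on the deferred-free list (kfree_rcu) */
};

static struct shaper pool[NSLOTS];	/* backing storage for allocations */
static struct shaper *store[NSLOTS];	/* stands in for hierarchy->shapers */

/* Toy RCU: a reader count plus frees deferred until the last reader
 * leaves, which is this model's "grace period". */
static int readers;
static struct shaper *deferred;

static void rcu_read_lock_toy(void)
{
	readers++;
}

static void free_toy(struct shaper *s)
{
	s->freed = true;
}

static void kfree_rcu_toy(struct shaper *s)
{
	s->rcu_next = deferred;
	deferred = s;
}

static void rcu_read_unlock_toy(void)
{
	if (--readers > 0)
		return;
	/* grace period over: no reader can still hold these pointers */
	while (deferred) {
		struct shaper *s = deferred;

		deferred = s->rcu_next;
		free_toy(s);
	}
}

/* Like net_shaper_pre_insert(): publish the entry marked NOT_VALID
 * before the driver has confirmed it. */
static void pre_insert_toy(int idx, int handle)
{
	struct shaper *s = &pool[idx];

	s->handle = handle;
	s->not_valid = true;
	s->freed = false;
	s->rcu_next = NULL;
	store[idx] = s;
}

/* Like net_shaper_rollback(): drop every NOT_VALID entry, freeing it
 * either immediately (the kfree() version) or after a grace period. */
static void rollback_toy(bool use_kfree_rcu)
{
	for (int i = 0; i < NSLOTS; i++) {
		struct shaper *s = store[i];

		if (!s || !s->not_valid)
			continue;
		store[i] = NULL;
		if (use_kfree_rcu)
			kfree_rcu_toy(s);
		else
			free_toy(s);
	}
}

static bool slot_freed(int idx)
{
	return pool[idx].freed;
}

/* One forced interleaving of the dump reader against rollback.  Returns
 * true if the reader dereferenced freed memory; *reported is the handle
 * the dump would have sent to userspace, or -1 if it sent nothing. */
static bool dump_vs_rollback(bool use_kfree_rcu, bool reader_checks_mark,
			     int *reported)
{
	struct shaper *cur;
	bool uaf = false;

	*reported = -1;
	readers = 0;
	deferred = NULL;
	pre_insert_toy(0, 42);

	rcu_read_lock_toy();
	cur = store[0];			/* dumpit picks up the entry ... */
	rollback_toy(use_kfree_rcu);	/* ... and rollback runs concurrently */
	if (cur->freed)
		uaf = true;		/* kfree(): fill_one() reads freed memory */
	else if (reader_checks_mark && cur->not_valid)
		;			/* half-built entry: report nothing */
	else
		*reported = cur->handle;/* fill_one() sends it to userspace */
	rcu_read_unlock_toy();		/* grace period: deferred free runs now */

	return uaf;
}
```

Running the three variants in order shows the progression: immediate free gives the use-after-free; deferred free alone is memory-safe but reports handle 42 for an entry that was rolled back; deferred free plus a mark check on the reader reports nothing, and in every case the object is released once the reader is gone.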
On Sat, 28 Mar 2026 18:58:04 +0000 Kangzheng Gu wrote:
> net_shaper_rollback() removes NET_SHAPER_NOT_VALID entries and frees
> them using kfree(), which can race with net_shaper_nl_get_dumpit() and
> lead to a use-after-free in net_shaper_fill_one().
>
> Use kfree_rcu() instead of kfree() to free rollback entries, since
> net_shaper_nl_get_dumpit() protects shaper access with rcu_read_lock().

If dump can see NOT_VALID entries we have a bigger problem than a UAF
don't you think? :/
Hi,
Jakub Kicinski <kuba@kernel.org> wrote on Tue, 31 Mar 2026 at 09:15:
> If dump can see NOT_VALID entries we have a bigger problem than a UAF
> don't you think? :/
I am not sure. My concern is whether NOT_VALID entries can be exposed to
the user by design.
I find that NOT_VALID is used in a limited number of places.
A representative one is that net_shaper_nl_get_doit calling
net_shaper_lookup to check the NOT_VALID flag.
If it is a problem, maybe there are more paths that should be guarded
with NOT_VALID check.
I used kfree_rcu since net_shaper_pre_insert has another failing
path like this:
	xa_lock(&hierarchy->shapers);
	prev = __xa_store(&hierarchy->shapers, index, cur, GFP_KERNEL);
	__xa_set_mark(&hierarchy->shapers, index, NET_SHAPER_NOT_VALID);
	xa_unlock(&hierarchy->shapers);
	if (xa_err(prev)) {
		NL_SET_ERR_MSG(extack, "Can't insert shaper into device store");
		kfree_rcu(cur, rcu);
		ret = xa_err(prev);
		goto free_id;
	}
Besides rollback, I also found another kfree(cur) in net_shaper_flush,
which I reported several weeks ago to security@kernel:
<CAKvcANOZufuVeDqPAuMWh0GCiV5pGmmZHrRo_V+_8YSG7Cs_ag@mail.gmail.com>
It involves another free of a shaper using kfree instead of kfree_rcu; I
think it is also a problem.
I noticed this patch
https://patchwork.kernel.org/project/netdevbpf/patch/20260309173450.538026-1-p@1g4.org/,
but it seems that there is no further progress on it.
Except in rollback and flush, all other frees of a shaper use
kfree_rcu, so I think it may just be a problem with the free rather
than with the flag.
Best Regards,
Kangzheng
On Tue, 31 Mar 2026 15:41:28 +0800 Kangzheng Gu wrote:
> Jakub Kicinski <kuba@kernel.org> wrote on Tue, 31 Mar 2026 at 09:15:
> > If dump can see NOT_VALID entries we have a bigger problem than a UAF
> > don't you think? :/
> I am not sure.

Please experiment and return once you are sure.
netdevsim (netdev simulator) driver supports net_shapers, so you can
easily exercise this code in a VM.
> I noticed this patch
> https://patchwork.kernel.org/project/netdevbpf/patch/20260309173450.538026-1-p@1g4.org/,
> but it seems that there is no further progress on it.
>
> Please experiment and return once you are sure.
> netdevsim (netdev simulator) driver supports net_shapers, so you can
> easily exercise this code in a VM.

Unfortunately in the case of shaper.c, netdevsim only implemented stubs
that return 0, so it's not a 1:1 representation of the physical drivers.
The rollback path specifically is not reliably reachable with netdevsim,
whereas it looks like a proper trigger with real hardware.