From: Daniel Zahka
Date: Tue, 05 May 2026 03:42:23 -0700
Subject: [PATCH net 1/3] netdevsim: psp: only call nsim_psp_uninit() on PFs
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260505-psd-rcu-v1-1-a8f69ec1ab96@gmail.com>
References: <20260505-psd-rcu-v1-0-a8f69ec1ab96@gmail.com>
In-Reply-To: <20260505-psd-rcu-v1-0-a8f69ec1ab96@gmail.com>
To: Jakub Kicinski, Andrew Lunn, "David S. Miller", Eric Dumazet, Paolo Abeni, Willem de Bruijn, Willem de Bruijn
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
X-Mailer: b4 0.13.0

VFs go through nsim_init_netdevsim_vf() which never calls
nsim_psp_init(), so ns->psp.dev stays NULL. nsim_psp_uninit() guards
with !IS_ERR(ns->psp.dev), so destroying a VF reaches
psp_dev_unregister(NULL) and dereferences NULL on the first
mutex_lock(&psd->lock):

  BUG: kernel NULL pointer dereference, address: 0000000000000020
  RIP: 0010:mutex_lock+0x1c/0x30
  Call Trace:
   psp_dev_unregister+0x2a/0x1a0
   nsim_psp_uninit+0x1f/0x40 [netdevsim]
   nsim_destroy+0x61/0x1e0 [netdevsim]
   __nsim_dev_port_del+0x47/0x90 [netdevsim]
   nsim_drv_configure_vfs+0xc9/0x130 [netdevsim]
   nsim_bus_dev_numvfs_store+0x79/0xb0 [netdevsim]

Gate nsim_psp_uninit() on nsim_dev_port_is_pf(), matching the pattern
already used for nsim_exit_netdevsim() and the bpf/ipsec/macsec/queue
teardowns.

Reproducer:

  modprobe netdevsim
  echo "10 1" > /sys/bus/netdevsim/new_device
  echo 1 > /sys/bus/netdevsim/devices/netdevsim10/sriov_numvfs
  devlink dev eswitch set netdevsim/netdevsim10 mode switchdev
  echo 0 > /sys/bus/netdevsim/devices/netdevsim10/sriov_numvfs

Fixes: f857478d6206 ("netdevsim: a basic test PSP implementation")
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Daniel Zahka
Reviewed-by: Willem de Bruijn
---
 drivers/net/netdevsim/netdev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/netdevsim/netdev.c b/drivers/net/netdevsim/netdev.c index a05af192caf3..a750768912b5 100644 --- a/drivers/net/netdevsim/netdev.c +++ b/drivers/net/netdevsim/netdev.c 
@@ -1182,7 +1182,8 @@ void nsim_destroy(struct netdevsim *ns) unregister_netdevice_notifier_dev_net(ns->netdev, &ns->nb, &ns->nn); =20 - nsim_psp_uninit(ns); + if (nsim_dev_port_is_pf(ns->nsim_dev_port)) + nsim_psp_uninit(ns); =20 rtnl_lock(); peer =3D rtnl_dereference(ns->peer); --=20 2.52.0
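
Review bot: in nsim_destroy(), the new check "if (nsim_dev_port_is_pf(ns->nsim_dev_port))" protects only this call site, while nsim_psp_uninit() still tests just !IS_ERR(ns->psp.dev), which the commit message identifies as the guard that lets NULL through. Consider also making that guard !IS_ERR_OR_NULL(ns->psp.dev), or adding a comment on nsim_psp_uninit() that it is PF-only, so a later caller cannot reintroduce the NULL dereference.
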
From: Daniel Zahka
Date: Tue, 05 May 2026 03:42:24 -0700
Subject: [PATCH net 2/3] netdevsim: psp: serialize calls to nsim_psp_uninit()
Message-Id: <20260505-psd-rcu-v1-2-a8f69ec1ab96@gmail.com>
References: <20260505-psd-rcu-v1-0-a8f69ec1ab96@gmail.com>
In-Reply-To: <20260505-psd-rcu-v1-0-a8f69ec1ab96@gmail.com>

The debugfs write handler, nsim_psp_rereg_write(), can race against
nsim_destroy() and against itself, causing nsim_psp_uninit() to run
more than once concurrently.

Two complementary changes serialize all callers:

1. Delete the psp_rereg debugfs file from nsim_psp_uninit() before
   doing the actual teardown. debugfs_remove() drains any in-flight
   writers and prevents new ones from starting.

2. Add a mutex around the body of nsim_psp_rereg_write() so that two
   concurrent userspace writers cannot both enter the teardown path
   at once.

The teardown work itself is moved into a new __nsim_psp_uninit() that
the rereg handler calls under the mutex, while the public
nsim_psp_uninit() wraps it with the debugfs_remove()/mutex_destroy()
pair so nsim_destroy() doesn't have to know about the psp internals.

Fixes: f857478d6206 ("netdevsim: a basic test PSP implementation")
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Daniel Zahka
Reviewed-by: Willem de Bruijn
---
 drivers/net/netdevsim/netdevsim.h |  2 ++
 drivers/net/netdevsim/psp.c       | 17 ++++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netd= evsim.h index 7e129dddbbe7..e373ffc26b0c 100644 --- a/drivers/net/netdevsim/netdevsim.h 
+++ b/drivers/net/netdevsim/netdevsim.h @@ -121,6 +121,8 @@ struct netdevsim { u64_stats_t tx_bytes; struct u64_stats_sync syncp; struct psp_dev *dev; + struct dentry *rereg; + struct mutex rereg_lock; u32 spi; u32 assoc_cnt; } psp; diff --git a/drivers/net/netdevsim/psp.c b/drivers/net/netdevsim/psp.c index 0b4d717253b0..86d84b7e566b 100644 --- a/drivers/net/netdevsim/psp.c +++ b/drivers/net/netdevsim/psp.c @@ -209,13 +209,20 @@ static struct psp_dev_caps nsim_psp_caps =3D { .assoc_drv_spc =3D sizeof(void *), }; =20 -void nsim_psp_uninit(struct netdevsim *ns) +static void __nsim_psp_uninit(struct netdevsim *ns) { if (!IS_ERR(ns->psp.dev)) psp_dev_unregister(ns->psp.dev); WARN_ON(ns->psp.assoc_cnt); } =20 +void nsim_psp_uninit(struct netdevsim *ns) +{ + debugfs_remove(ns->psp.rereg); + mutex_destroy(&ns->psp.rereg_lock); + __nsim_psp_uninit(ns); +} + static ssize_t nsim_psp_rereg_write(struct file *file, const char __user *data, size_t co= unt, loff_t *ppos) @@ -223,11 +230,13 @@ nsim_psp_rereg_write(struct file *file, const char __= user *data, size_t count, struct netdevsim *ns =3D file->private_data; int err; =20 - nsim_psp_uninit(ns); + mutex_lock(&ns->psp.rereg_lock); + __nsim_psp_uninit(ns); =20 ns->psp.dev =3D psp_dev_create(ns->netdev, &nsim_psp_ops, &nsim_psp_caps, ns); err =3D PTR_ERR_OR_ZERO(ns->psp.dev); + mutex_unlock(&ns->psp.rereg_lock); return err ?: count; } =20 
@@ -249,6 +258,8 @@ int nsim_psp_init(struct netdevsim *ns) if (err) return err; =20 - debugfs_create_file("psp_rereg", 0200, ddir, ns, &nsim_psp_rereg_fops); + mutex_init(&ns->psp.rereg_lock); + ns->psp.rereg =3D debugfs_create_file("psp_rereg", 0200, ddir, ns, + &nsim_psp_rereg_fops); return 0; } --=20 2.52.0
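
Review bot: in the nsim_psp_init() hunk, mutex_init(&ns->psp.rereg_lock) runs only after the early "if (err) return err;", yet nsim_psp_uninit() now calls debugfs_remove() and mutex_destroy() unconditionally. Please confirm that no caller reaches nsim_psp_uninit() after a failed nsim_psp_init(), or move mutex_init() above the psp_dev_create() error check. A short comment on __nsim_psp_uninit() stating that callers must hold rereg_lock or have already removed the debugfs file would also document the locking rule the commit message describes.
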
From: Daniel Zahka
Date: Tue, 05 May 2026 03:42:25 -0700
Subject: [PATCH net 3/3] netdevsim: psp: rcu protect psp_dev reference
Message-Id: <20260505-psd-rcu-v1-3-a8f69ec1ab96@gmail.com>
References: <20260505-psd-rcu-v1-0-a8f69ec1ab96@gmail.com>
In-Reply-To: <20260505-psd-rcu-v1-0-a8f69ec1ab96@gmail.com>

There are two issues with the way psp_dev is used in nsim_do_psp():

1. There is no check for IS_ERR() on the peer's psp_dev before
   dereferencing.

2. The refcount on this psp_dev can be dropped by
   nsim_psp_rereg_write().

To fix this, we can make netdevsim's reference to its psp_dev an rcu
reference, and then nsim_do_psp() can read the fields it needs from an
rcu critical section.

Fixes: f857478d6206 ("netdevsim: a basic test PSP implementation")
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Daniel Zahka Reviewed-by: Willem de Bruijn --- drivers/net/netdevsim/netdevsim.h | 2 +- drivers/net/netdevsim/psp.c | 54 +++++++++++++++++++++++++----------= ---- 2 files changed, 36 insertions(+), 20 deletions(-) diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netd= evsim.h index e373ffc26b0c..d909c4160ea1 100644 --- a/drivers/net/netdevsim/netdevsim.h +++ b/drivers/net/netdevsim/netdevsim.h @@ -120,7 +120,7 @@ struct netdevsim { u64_stats_t tx_packets; u64_stats_t tx_bytes; struct u64_stats_sync syncp; - struct psp_dev *dev; + struct psp_dev __rcu *dev; struct dentry *rereg; struct mutex rereg_lock; u32 spi; diff --git a/drivers/net/netdevsim/psp.c b/drivers/net/netdevsim/psp.c index 86d84b7e566b..6936ecb8173e 100644 --- a/drivers/net/netdevsim/psp.c +++ b/drivers/net/netdevsim/psp.c @@ -19,6 +19,7 @@ nsim_do_psp(struct sk_buff *skb, struct netdevsim *ns, struct netdevsim *peer_ns, struct skb_ext **psp_ext) { enum skb_drop_reason rc =3D 0; + struct psp_dev *peer_psd; struct psp_assoc *pas; struct net *net; void **ptr; @@ -48,7 +49,8 @@ nsim_do_psp(struct sk_buff *skb, struct netdevsim *ns, } =20 /* Now pretend we just received this frame */ - if (peer_ns->psp.dev->config.versions & (1 << pas->version)) { + peer_psd =3D rcu_dereference(peer_ns->psp.dev); + if (peer_psd && peer_psd->config.versions & (1 << pas->version)) { bool strip_icv =3D false; u8 generation; =20 @@ -61,8 +63,7 @@ nsim_do_psp(struct sk_buff *skb, struct netdevsim *ns, =20 skb_ext_reset(skb); skb->mac_len =3D ETH_HLEN; - if (psp_dev_rcv(skb, peer_ns->psp.dev->id, generation, - strip_icv)) { + if (psp_dev_rcv(skb, peer_psd->id, generation, strip_icv)) { rc =3D SKB_DROP_REASON_PSP_OUTPUT; goto out_unlock; } 
@@ -209,10 +210,18 @@ static struct psp_dev_caps nsim_psp_caps =3D { .assoc_drv_spc =3D sizeof(void *), }; =20 -static void __nsim_psp_uninit(struct netdevsim *ns) +static void __nsim_psp_uninit(struct netdevsim *ns, bool teardown) { - if (!IS_ERR(ns->psp.dev)) - psp_dev_unregister(ns->psp.dev); + struct psp_dev *psd; + + psd =3D rcu_dereference_protected(ns->psp.dev, + teardown || + lockdep_is_held(&ns->psp.rereg_lock)); + if (psd) { + rcu_assign_pointer(ns->psp.dev, NULL); + synchronize_rcu(); + psp_dev_unregister(psd); + } WARN_ON(ns->psp.assoc_cnt); } =20 @@ -220,7 +229,7 @@ void nsim_psp_uninit(struct netdevsim *ns) { debugfs_remove(ns->psp.rereg); mutex_destroy(&ns->psp.rereg_lock); - __nsim_psp_uninit(ns); + __nsim_psp_uninit(ns, true); } =20 static ssize_t @@ -228,16 +237,23 @@ nsim_psp_rereg_write(struct file *file, const char __= user *data, size_t count, loff_t *ppos) { struct netdevsim *ns =3D file->private_data; - int err; + struct psp_dev *psd; + ssize_t ret; =20 mutex_lock(&ns->psp.rereg_lock); - __nsim_psp_uninit(ns); + __nsim_psp_uninit(ns, false); + + psd =3D psp_dev_create(ns->netdev, &nsim_psp_ops, &nsim_psp_caps, ns); + if (IS_ERR(psd)) { + ret =3D PTR_ERR(psd); + goto out; + } =20 - ns->psp.dev =3D psp_dev_create(ns->netdev, &nsim_psp_ops, - &nsim_psp_caps, ns); - err =3D PTR_ERR_OR_ZERO(ns->psp.dev); + rcu_assign_pointer(ns->psp.dev, psd); + ret =3D count; +out: mutex_unlock(&ns->psp.rereg_lock); - return err ?: count; + return ret; } =20 static const struct file_operations nsim_psp_rereg_fops =3D { 
@@ -250,13 +266,13 @@ static const struct file_operations nsim_psp_rereg_fo= ps =3D { int nsim_psp_init(struct netdevsim *ns) { struct dentry *ddir =3D ns->nsim_dev_port->ddir; - int err; + struct psp_dev *psd; + + psd =3D psp_dev_create(ns->netdev, &nsim_psp_ops, &nsim_psp_caps, ns); + if (IS_ERR(psd)) + return PTR_ERR(psd); =20 - ns->psp.dev =3D psp_dev_create(ns->netdev, &nsim_psp_ops, - &nsim_psp_caps, ns); - err =3D PTR_ERR_OR_ZERO(ns->psp.dev); - if (err) - return err; + rcu_assign_pointer(ns->psp.dev, psd); =20 mutex_init(&ns->psp.rereg_lock); ns->psp.rereg =3D debugfs_create_file("psp_rereg", 0200, ddir, ns, --=20 2.52.0
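
Review bot: in nsim_do_psp(), a NULL peer_psd now takes the same path as a version mismatch, because "if (peer_psd && peer_psd->config.versions & (1 << pas->version))" simply skips the receive block. If a peer with no registered PSP device (for example between __nsim_psp_uninit() and the rcu_assign_pointer() in nsim_psp_rereg_write()) should be treated differently from an unsupported version, give it an explicit branch or at least a comment; parenthesising the "&" term would also make the precedence obvious. In __nsim_psp_uninit(), the bool teardown argument exists only to satisfy rcu_dereference_protected(), so a comment saying that teardown callers rely on debugfs_remove() having excluded writers would explain why skipping lockdep_is_held() is safe there.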