[v5,net,0/3] net: Fix race of rtnl_net_lock(dev_net(dev)).

Message ID	20250217191129.19967-1-kuniyu@amazon.com (mailing list archive)
Headers	show Received: from smtp-fw-33001.amazon.com (smtp-fw-33001.amazon.com [207.171.190.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2082D1922FA for <netdev@vger.kernel.org>; Mon, 17 Feb 2025 19:11:52 +0000 (UTC) From: Kuniyuki Iwashima <kuniyu@amazon.com> To: "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org> CC: Kuniyuki Iwashima <kuniyu@amazon.com>, Kuniyuki Iwashima <kuni1840@gmail.com>, <netdev@vger.kernel.org> Subject: [PATCH v5 net 0/3] net: Fix race of rtnl_net_lock(dev_net(dev)). Date: Mon, 17 Feb 2025 11:11:26 -0800 Message-ID: <20250217191129.19967-1-kuniyu@amazon.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	net: Fix race of rtnl_net_lock(dev_net(dev)). \| expand [v5,net,0/3] net: Fix race of rtnl_net_lock(dev_net(dev)). [v5,net,1/3] net: Add net_passive_inc() and net_passive_dec(). [v5,net,2/3] net: Fix dev_net(dev) race in unregister_netdevice_notifier_dev_net(). [v5,net,3/3] dev: Use rtnl_net_dev_lock() in unregister_netdev().

Message ID

20250217191129.19967-1-kuniyu@amazon.com (mailing list archive)

Headers

From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: "David S. Miller" <davem@davemloft.net>, Eric Dumazet
	<edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni
	<pabeni@redhat.com>, Simon Horman <horms@kernel.org>
CC: Kuniyuki Iwashima <kuniyu@amazon.com>, Kuniyuki Iwashima
	<kuni1840@gmail.com>, <netdev@vger.kernel.org>
Subject: [PATCH v5 net 0/3] net: Fix race of rtnl_net_lock(dev_net(dev)).
Date: Mon, 17 Feb 2025 11:11:26 -0800
Message-ID: <20250217191129.19967-1-kuniyu@amazon.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

net: Fix race of rtnl_net_lock(dev_net(dev)). | expand

Message

Kuniyuki Iwashima Feb. 17, 2025, 7:11 p.m. UTC

Yael Chemla reported that commit 7fb1073300a2 ("net: Hold rtnl_net_lock()
in (un)?register_netdevice_notifier_dev_net().") started to trigger KASAN's
use-after-free splat.

The problem is that dev_net(dev) fetched before rtnl_net_lock() might be
different after rtnl_net_lock().

The patch 2 fixes the issue by checking dev_net(dev) after rtnl_net_lock(),
and the patch 3 fixes the same potential issue that would emerge once RTNL
is removed.


Changes:
  v5:
    * Use do-while loop instead of goto

  v4: https://lore.kernel.org/netdev/20250212064206.18159-1-kuniyu@amazon.com/
    * Add patch 1
    * Fix build failure for !CONFIG_NET_NS in patch 2

  v3: https://lore.kernel.org/netdev/20250211051217.12613-1-kuniyu@amazon.com/
    * Bump net->passive instead of maybe_get_net()
    * Remove msleep(1) loop
    * Use rcu_access_pointer() instead of rcu_read_lock().

  v2: https://lore.kernel.org/netdev/20250207044251.65421-1-kuniyu@amazon.com/
    * Use dev_net_rcu()
    * Use msleep(1) instead of cond_resched() after maybe_get_net()
    * Remove cond_resched() after net_eq() check

  v1: https://lore.kernel.org/netdev/20250130232435.43622-1-kuniyu@amazon.com/


Kuniyuki Iwashima (3):
  net: Add net_passive_inc() and net_passive_dec().
  net: Fix dev_net(dev) race in unregister_netdevice_notifier_dev_net().
  dev: Use rtnl_net_dev_lock() in unregister_netdev().

 include/net/net_namespace.h | 11 ++++++++
 net/core/dev.c              | 54 +++++++++++++++++++++++++++++++------
 net/core/net_namespace.c    |  8 +++---
 3 files changed, 61 insertions(+), 12 deletions(-)

Comments

patchwork-bot+netdevbpf@kernel.org Feb. 19, 2025, 2:50 a.m. UTC | #1

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon, 17 Feb 2025 11:11:26 -0800 you wrote:
> Yael Chemla reported that commit 7fb1073300a2 ("net: Hold rtnl_net_lock()
> in (un)?register_netdevice_notifier_dev_net().") started to trigger KASAN's
> use-after-free splat.
> 
> The problem is that dev_net(dev) fetched before rtnl_net_lock() might be
> different after rtnl_net_lock().
> 
> [...]

Here is the summary with links:
  - [v5,net,1/3] net: Add net_passive_inc() and net_passive_dec().
    https://git.kernel.org/netdev/net/c/e57a6320215c
  - [v5,net,2/3] net: Fix dev_net(dev) race in unregister_netdevice_notifier_dev_net().
    https://git.kernel.org/netdev/net/c/65161fb544aa
  - [v5,net,3/3] dev: Use rtnl_net_dev_lock() in unregister_netdev().
    https://git.kernel.org/netdev/net/c/d4c6bfc83936

You are awesome, thank you!