All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ido Schimmel <idosch@idosch.org>
To: Jiri Pirko <jiri@resnulli.us>
Cc: netdev@vger.kernel.org, davem@davemloft.net, kuba@kernel.org,
	pabeni@redhat.com, edumazet@google.com, tariqt@nvidia.com,
	moshe@nvidia.com, saeedm@nvidia.com, linux-rdma@vger.kernel.org
Subject: Re: [patch net-next v4 05/13] net: devlink: track netdev with devlink_port assigned
Date: Sun, 6 Nov 2022 11:09:42 +0200	[thread overview]
Message-ID: <Y2d51izTZV1rThOc@shredder> (raw)
In-Reply-To: <20221102160211.662752-6-jiri@resnulli.us>

On Wed, Nov 02, 2022 at 05:02:03PM +0100, Jiri Pirko wrote:
> @@ -9645,10 +9649,13 @@ struct devlink *devlink_alloc_ns(const struct devlink_ops *ops,
>  
>  	ret = xa_alloc_cyclic(&devlinks, &devlink->index, devlink, xa_limit_31b,
>  			      &last_id, GFP_KERNEL);
> -	if (ret < 0) {
> -		kfree(devlink);
> -		return NULL;
> -	}
> +	if (ret < 0)
> +		goto err_xa_alloc;
> +
> +	devlink->netdevice_nb.notifier_call = devlink_netdevice_event;
> +	ret = register_netdevice_notifier_net(net, &devlink->netdevice_nb);
> +	if (ret)
> +		goto err_register_netdevice_notifier;
>  
>  	devlink->dev = dev;
>  	devlink->ops = ops;
> @@ -9675,6 +9682,12 @@ struct devlink *devlink_alloc_ns(const struct devlink_ops *ops,
>  	init_completion(&devlink->comp);
>  
>  	return devlink;
> +
> +err_register_netdevice_notifier:
> +	xa_erase(&devlinks, devlink->index);
> +err_xa_alloc:
> +	kfree(devlink);
> +	return NULL;
>  }
>  EXPORT_SYMBOL_GPL(devlink_alloc_ns);
>  
> @@ -9828,6 +9841,10 @@ void devlink_free(struct devlink *devlink)
>  	WARN_ON(!list_empty(&devlink->port_list));
>  
>  	xa_destroy(&devlink->snapshot_ids);
> +
> +	unregister_netdevice_notifier_net(devlink_net(devlink),
> +					  &devlink->netdevice_nb);
> +
>  	xa_erase(&devlinks, devlink->index);
>  
>  	kfree(devlink);

The network namespace of the devlink instance can change throughout the
lifetime of the devlink instance, but the notifier block is always
registered in the initial namespace. This leads to
unregister_netdevice_notifier_net() failing to unregister the notifier
block, which leads to use-after-free. Reproduce (with KASAN enabled):

# echo "10 0" > /sys/bus/netdevsim/new_device
# ip netns add bla
# devlink dev reload netdevsim/netdevsim10 netns bla
# echo 10 > /sys/bus/netdevsim/del_device
# ip link add dummy10 up type dummy

I see two possible solutions:

1. Use register_netdevice_notifier() instead of
register_netdevice_notifier_net().

2. Move the notifier block to the correct namespace in devlink_reload().

  reply	other threads:[~2022-11-06  9:09 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-02 16:01 [patch net-next v4 00/13] net: fix netdev to devlink_port linkage and expose to user Jiri Pirko
2022-11-02 16:01 ` [patch net-next v4 01/13] net: devlink: convert devlink port type-specific pointers to union Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 02/13] net: devlink: move port_type_warn_schedule() call to __devlink_port_type_set() Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 03/13] net: devlink: move port_type_netdev_checks() " Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 04/13] net: devlink: take RTNL in port_fill() function only if it is not held Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 05/13] net: devlink: track netdev with devlink_port assigned Jiri Pirko
2022-11-06  9:09   ` Ido Schimmel [this message]
2022-11-07  7:40     ` Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 06/13] net: make drivers to use SET_NETDEV_DEVLINK_PORT to set devlink_port Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 07/13] net: devlink: remove netdev arg from devlink_port_type_eth_set() Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 08/13] net: devlink: remove net namespace check from devlink_nl_port_fill() Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 09/13] net: devlink: store copy netdevice ifindex and ifname to allow port_fill() without RTNL held Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 10/13] net: devlink: add not cleared type warning to port unregister Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 11/13] net: devlink: use devlink_port pointer instead of ndo_get_devlink_port Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 12/13] net: remove unused ndo_get_devlink_port Jiri Pirko
2022-11-02 16:02 ` [patch net-next v4 13/13] net: expose devlink port over rtnetlink Jiri Pirko
2022-11-04  5:00 ` [patch net-next v4 00/13] net: fix netdev to devlink_port linkage and expose to user patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y2d51izTZV1rThOc@shredder \
    --to=idosch@idosch.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=jiri@resnulli.us \
    --cc=kuba@kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=moshe@nvidia.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=saeedm@nvidia.com \
    --cc=tariqt@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.