From: Jacob Keller <jacob.e.keller@intel•com>
To: Lorenzo Bianconi <lorenzo@kernel•org>,
Andrew Lunn <andrew+netdev@lunn•ch>,
"David S. Miller" <davem@davemloft•net>,
"Eric Dumazet" <edumazet@google•com>,
Jakub Kicinski <kuba@kernel•org>, Paolo Abeni <pabeni@redhat•com>,
Felix Fietkau <nbd@nbd•name>,
Matthias Brugger <matthias.bgg@gmail•com>,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@collabora•com>
Cc: Florian Westphal <fw@strlen•de>,
<linux-arm-kernel@lists•infradead.org>,
<linux-mediatek@lists•infradead.org>, <netdev@vger•kernel.org>
Subject: Re: [PATCH net 1/2] net: airoha: Fix use-after-free in metadata dst teardown
Date: Thu, 4 Jun 2026 10:38:33 -0700
Message-ID: <21810a20-abe6-4490-969c-cfd62c4c082a@intel.com>
In-Reply-To: <20260602-airoha-mtk-metadata-uaf-fix-v1-1-3aaa99d83351@kernel.org>
On 6/2/2026 2:21 AM, Lorenzo Bianconi wrote:
> airoha_metadata_dst_free() runs metadata_dst_free() which frees the
> metadata_dst with kfree() immediately, bypassing the RCU grace period.
> In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from
> the skb to the metadata_dst. This function requires RCU read-side
> protection and the dst must remain valid until all RCU readers complete.
> Since metadata_dst_free() calls kfree() directly, a use-after-free can
> occur if any skb still holds a noref pointer to the dst when the driver
> tears it down.
> Replace metadata_dst_free() with dst_release() which properly goes
> through the refcount path: when the refcount drops to zero, it schedules
> the actual free via call_rcu_hurry(), ensuring all RCU readers have
> completed before the memory is freed.
>
> Fixes: af3cf757d5c9 ("net: airoha: Move DSA tag in DMA descriptor")
> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel•org>
> ---
> drivers/net/ethernet/airoha/airoha_eth.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
> index cecd66251dba..eab6a98d62b9 100644
> --- a/drivers/net/ethernet/airoha/airoha_eth.c
> +++ b/drivers/net/ethernet/airoha/airoha_eth.c
> @@ -2936,7 +2936,7 @@ static void airoha_metadata_dst_free(struct airoha_gdm_port *port)
> if (!port->dsa_meta[i])
> continue;
>
> - metadata_dst_free(port->dsa_meta[i]);
> + dst_release(&port->dsa_meta[i]->dst);
> }
> }
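Review bot: after dst_release(&port->dsa_meta[i]->dst) the array slot still holds the dropped pointer, so the `if (!port->dsa_meta[i]) continue;` guard at the top of this loop no longer protects a second pass through airoha_metadata_dst_free() from releasing the same dst again; set `port->dsa_meta[i] = NULL;` right after the dst_release() call. The reply below also points out that the remove path still calls metadata_dst_free(), so that caller should be switched to the same dst_release() form in this patch rather than leaving two different teardown APIs for the same object.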
>
>
The port->dsa_meta is allocated using metadata_dst_alloc(). How is it
safe to use dst_release here? It seems like we should be calling dst_alloc
instead of metadata_dst_alloc in order to use dst_release?
metadata_dst_alloc does call __metadata_dst_init which calls dst_init..
I guess the start of the metadata_dst structure is also the same address
as the internal dst_entry struct...
But dst_destroy does a whole lot more than metadata_dst_release so I
don't feel confident in this actually being a drop-in replacement... It
calls netdev_put, it calls the dst->ops->destroy, it releases child
refs.. Or for metadata dst entries is that all basically a no-op??
I feel like I'm missing something here.. The driver also calls
metadata_dst_free in the remove path and that wasn't changed by this
patch either.
Generally it seems like we should be using the same API to allocate as
to release the object... This is confusing. What am I missing?
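The race the commit message describes, as an added user-space C model (not code from the airoha driver, the patch or the kernel): the kernel's RCU, dst_entry and metadata_dst are replaced by minimal stand-ins with a `_sim` suffix, a global reader count plays the role of the RCU grace period, and the simulated kfree() only poisons the object (flag `freed`, value `PORT_POISON`) so the reader's access can be inspected instead of crashing. It also shows the layout point raised in the reply above: because `dst` is the first member of `metadata_dst`, `&md->dst` and `md` are the same address, which is why the simulated free can cast back from the embedded dst_entry.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * User-space model of the teardown race from the patch discussion. Added
 * illustration only: none of these types or functions are the kernel's.
 */

#define PORT_POISON (-1)

struct dst_entry {
	int refcnt;
	int freed;	/* set by the simulated kfree(); a real object has no such flag */
};

struct metadata_dst {
	struct dst_entry dst;	/* first member: &md->dst and md are the same address */
	int port_id;
};

/* --- simulated RCU: one global reader count and a pending-free list --- */

#define MAX_PENDING 8
static int rcu_readers;
static struct dst_entry *rcu_pending[MAX_PENDING];
static int rcu_npending;
static int kfree_sim_calls;	/* how many objects were actually "freed" */

/* Stand-in for kfree(): poison instead of releasing memory. */
static void kfree_sim(struct dst_entry *dst)
{
	struct metadata_dst *md = (struct metadata_dst *)dst; /* valid: dst is the first member */

	dst->freed = 1;
	md->port_id = PORT_POISON;
	kfree_sim_calls++;
}

static void rcu_read_lock(void) { rcu_readers++; }

/* Leaving the last read-side section ends the grace period: run deferred frees. */
static void rcu_read_unlock(void)
{
	if (--rcu_readers == 0) {
		for (int i = 0; i < rcu_npending; i++)
			kfree_sim(rcu_pending[i]);
		rcu_npending = 0;
	}
}

/* Stand-in for call_rcu_hurry(): free now if no reader is active, else defer. */
static void call_rcu_sim(struct dst_entry *dst)
{
	if (rcu_readers == 0)
		kfree_sim(dst);
	else if (rcu_npending < MAX_PENDING)
		rcu_pending[rcu_npending++] = dst;
}

/* --- the two teardown paths contrasted by the patch, modelled --- */

static struct metadata_dst *metadata_dst_alloc_sim(int port_id)
{
	struct metadata_dst *md = calloc(1, sizeof(*md));

	if (!md)
		abort();
	md->dst.refcnt = 1;	/* allocation hands back one reference */
	md->port_id = port_id;
	return md;
}

/* Before the patch: immediate free, no grace period. */
static void metadata_dst_free_sim(struct metadata_dst *md)
{
	kfree_sim(&md->dst);
}

/* After the patch: drop the reference; the last put defers the free to RCU. */
static void dst_release_sim(struct dst_entry *dst)
{
	if (--dst->refcnt == 0)
		call_rcu_sim(dst);
}

/*
 * Reader (RX path) takes a noref pointer inside its RCU section, teardown
 * runs concurrently, then the reader dereferences. Returns the port id the
 * reader saw, or PORT_POISON if it read freed memory.
 */
static int run_teardown_race(int use_dst_release)
{
	struct metadata_dst *md = metadata_dst_alloc_sim(7);
	struct metadata_dst *noref;
	int seen;

	rcu_read_lock();
	noref = md;			/* skb_dst_set_noref(): no refcount taken */

	if (use_dst_release)
		dst_release_sim(&md->dst);	/* patched teardown */
	else
		metadata_dst_free_sim(md);	/* original teardown */

	seen = noref->port_id;		/* reader still inside its RCU section */
	rcu_read_unlock();		/* grace period ends; deferred free runs here */

	free(md);			/* real cleanup of the simulation object */
	return seen;
}

int main(void)
{
	printf("immediate free: reader saw %d\n", run_teardown_race(0));
	printf("dst_release:    reader saw %d\n", run_teardown_race(1));
	return 0;
}
```

With the immediate free the reader observes the poisoned object (the simulated use-after-free); with the refcount path the object survives until the reader leaves its read-side section and is freed only then, which is the ordering the patch relies on.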
Thread overview: 7+ messages
2026-06-02 9:21 [PATCH net 0/2] Fix use-after-free in metadata dst teardown in airoha_eth and mtk_eth_soc drivers Lorenzo Bianconi
2026-06-02 9:21 ` [PATCH net 1/2] net: airoha: Fix use-after-free in metadata dst teardown Lorenzo Bianconi
2026-06-04 17:38 ` Jacob Keller [this message]
2026-06-04 21:23 ` Lorenzo Bianconi
2026-06-04 21:53 ` Jacob Keller
2026-06-02 9:21 ` [PATCH net 2/2] net: ethernet: mtk_eth_soc: " Lorenzo Bianconi
2026-06-04 2:30 ` [PATCH net 0/2] Fix use-after-free in metadata dst teardown in airoha_eth and mtk_eth_soc drivers patchwork-bot+netdevbpf