Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp116224pxb; Fri, 29 Oct 2021 06:49:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw7DSzIAR+jP81wWq6+0iqs1jX3chkUrIOTEfIWzub9d3FYWn13TKvGQLsKXkcn+plXtVzv X-Received: by 2002:a05:6402:2884:: with SMTP id eg4mr15405324edb.254.1635515392630; Fri, 29 Oct 2021 06:49:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635515392; cv=none; d=google.com; s=arc-20160816; b=R6PkHdYZxU7OvFp/4Tmqi27+KMTVIBuXWV2ZheyjiV+uDVKO4HiXoPY7PbBbgsGAsx D7lp0N7ocOpR4ppr1EdnPFlYVJvsz8HPEP8N0eNzWIPL/6WmPtn89KJF4YJMA6H0fTsr +RLTPduFzFcyLAD/S9Uo4/wXVQG+FzstkuJbjX3YRFfa9XeNgVx/IXViVGrrEy4q4/Ux hQzz6DQRcBJS0fh57NdJuMR1eIMvJeiN+GWc/kGer1rMubSKPWjsTl6Sd/QEb+Kay8BA UgoQk+h0+rgYfTaNsJ8UXZV0NnNZLYy1tFHsU+PnzgIDoCo7Of7HEM0vijKvmBZWH38Q VsFQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=3amabRN0J9EI2ey2xTBcHBAuO/FPePPq+Bws3o8xa/E=; b=S9iFEh+QYpLTvf+4nFWIN5atmdcRM11zf7f+90xsDRqzYNQK8n2Xj/XGnaPKvoV0pi /avi9Wfqo73kX1OaDXzAIdKACRMf5yP2LJQVKaZQ08be/6Ngvfm5YOPretKjAu+ED7lY ChfGIxcSJYHOS8ndyqTnSynWamuFduw8socPBFNVNSWJSAaEC9yazESKYiElHnmK9jS6 j0QaV5q+X6wUEe4unlaXo+j3jkRbjd5FmyCwBp/OAlv/RykqoAaZtyDwzPcai5a3GpFQ 4eyYGIve6cF088ihh1iZV3H4p+iwcPQnIXFleOADyW2Wub0p1V+ve1lDBDCglxhL4U6v LcGg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="hT/9stuC"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dn18si9785513ejc.274.2021.10.29.06.49.03; Fri, 29 Oct 2021 06:49:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="hT/9stuC"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231602AbhJ2Nsm (ORCPT + 99 others); Fri, 29 Oct 2021 09:48:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:52420 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231589AbhJ2Nsk (ORCPT ); Fri, 29 Oct 2021 09:48:40 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id BDC0661100; Fri, 29 Oct 2021 13:46:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1635515172; bh=3amabRN0J9EI2ey2xTBcHBAuO/FPePPq+Bws3o8xa/E=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=hT/9stuCw2TBWC+WQlNMsEPUyDuT82VSj9AwkcURueLyoJuaYcaA/LjPKa1zwKoDv ix42QS26dAHMtYYOOW+KPlbU4KBHJ4mwNTa4WN43nPQRGSXhBZSUOiiU9gKDwSgKOe +mkIgEDaiAQI3yzkG89/QxYVbGCo4fR25ogeldYBYpjzss0+3muVH0cwlrrR/qedd5 b/zUaEdNq7CClthfU5UjrVwT/0SN1WOnu5PP5IfqBFhBIFPdx26R24HnmhsQFUCPWI MN6uLQZuXQhZg7ydYVL8azE932lAQ+DpjxBDFhh0T2QZcy040jjMCMw87UHOWB20XF nUTmGWw3xJ8ig== Date: Fri, 29 Oct 2021 06:46:10 -0700 From: Jakub Kicinski To: Jason Gunthorpe Cc: "Ziyang Xuan (William)" , davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org Subject: Re: [PATCH net] net: vlan: fix a UAF in vlan_dev_real_dev() Message-ID: <20211029064610.18daa788@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> In-Reply-To: <20211029121324.GT2744544@nvidia.com> References: <20211027121606.3300860-1-william.xuanziyang@huawei.com> <20211027184640.7955767e@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> <20211028114503.GM2744544@nvidia.com> <20211028070050.6ca7893b@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> <20211029121324.GT2744544@nvidia.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 29 Oct 2021 09:13:24 -0300 Jason Gunthorpe wrote: > Jakub's path would be to test vlan_dev->reg_state != NETREG_REGISTERED > in the work queue, but that feels pretty hacky to me as the main point > of the UNREGISTERING state is to keep the object alive enough that > those with outstanding gets can compelte their work and release the > get. Leaving a wrecked object in UNREGISTERING is a bad design. That or we should investigate if we could hold the ref for real_dev all the way until vlan_dev_free().