On Fri, Jul 28, 2023 at 11:47:17PM +0200, Daniel Borkmann wrote:
> From: Martin KaFai Lau <martin.lau@xxxxxxxxxx>
>
> During unregister_netdevice_many_notify(), the ordering of our concerned
> function calls is like this:
>
>   unregister_netdevice_many_notify
>     dev_shutdown
>       qdisc_put
>         clsact_destroy
>     tcx_uninstall
>
> The syzbot reproducer triggered a case that the qdisc refcnt is not
> zero during dev_shutdown().
>
> tcx_uninstall() will then WARN_ON_ONCE(tcx_entry(entry)->miniq_active)
> because the miniq is still active and the entry should not be freed.
> The latter assumed that qdisc destruction happens before tcx teardown.
>
> This fix is to avoid tcx_uninstall() doing tcx_entry_free() when the
> miniq is still alive and let the clsact_destroy() do the free later, so
> that we do not assume any specific ordering for either of them.
>
> If still active, tcx_uninstall() does clear the entry when flushing out
> the prog/link. clsact_destroy() will then notice the "!tcx_entry_is_active()"
> and then does the tcx_entry_free() eventually.
>
> Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support")
> Reported-by: syzbot+376a289e86a0fd02b9ba@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reported-by: Leon Romanovsky <leonro@xxxxxxxxxx>
> Signed-off-by: Martin KaFai Lau <martin.lau@xxxxxxxxxx>
> Co-developed-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Tested-by: syzbot+376a289e86a0fd02b9ba@xxxxxxxxxxxxxxxxxxxxxxxxx
> ---
> [ Sending directly to net-next given the issue was reported there by Leon. ]
>
>  include/linux/bpf_mprog.h | 16 ++++++++++++++++
>  kernel/bpf/tcx.c          | 12 ++++++++----
>  2 files changed, 24 insertions(+), 4 deletions(-)
>

Thanks,
Tested-by: Leon Romanovsky <leonro@xxxxxxxxxx>
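
A userspace model of the order-independent teardown the quoted commit message describes, added here as an illustration; it is not code from the patch or the kernel. All names (`model_entry`, `model_tcx_uninstall`, `model_clsact_destroy`, `model_teardown`) are hypothetical, and the definition of "active" is an assumption.

```c
#include <stdbool.h>
#include <stdlib.h>

struct model_entry {                  /* hypothetical stand-in for the tcx entry */
    int  nprogs;                      /* attached progs/links */
    bool miniq_active;                /* qdisc side still references the entry */
};
static struct model_entry *dev_slot;  /* the device's pointer to the entry */
static int frees;                     /* how many times the entry was freed */

/* Assumption: "active" means progs are attached or the miniq is alive. */
static bool model_is_active(const struct model_entry *e) { return e->nprogs > 0 || e->miniq_active; }

static void model_free(struct model_entry *e)
{
    dev_slot = NULL;
    free(e);
    frees++;
}

/* tcx teardown: always flush progs; free only if the miniq is already gone. */
static void model_tcx_uninstall(void)
{
    struct model_entry *e = dev_slot;
    if (!e) return;
    e->nprogs = 0;
    if (!e->miniq_active) model_free(e);   /* else leave the free to the qdisc path */
}

/* qdisc teardown: drop the miniq; free only if nothing else uses the entry. */
static void model_clsact_destroy(void)
{
    struct model_entry *e = dev_slot;
    if (!e) return;
    e->miniq_active = false;
    if (!model_is_active(e)) model_free(e);
}

/* Run both paths in the given order; returns the free count, -1 on leak/error. */
int model_teardown(bool qdisc_first, int nprogs)
{
    struct model_entry *e = calloc(1, sizeof(*e));
    if (!e) return -1;
    e->nprogs = nprogs; e->miniq_active = true; dev_slot = e; frees = 0;
    if (qdisc_first) { model_clsact_destroy(); model_tcx_uninstall(); }
    else             { model_tcx_uninstall(); model_clsact_destroy(); }
    return dev_slot ? -1 : frees;
}
int main(void) { return model_teardown(false, 2) == 1 && model_teardown(true, 2) == 1 ? 0 : 1; }
```

`model_teardown(false, …)` is the ordering from the report, where the tcx path runs while the miniq is still active; in both orderings the entry is freed exactly once, by whichever path runs last.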