]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit
projects / mirror_ubuntu-artful-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: beb6ce6) | patch
net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
authorJiri Pirko <jiri@mellanox.com>
Wed, 13 Sep 2017 15:32:37 +0000 (17:32 +0200)
committerSeth Forshee <seth.forshee@canonical.com>
Thu, 19 Oct 2017 14:48:22 +0000 (09:48 -0500)
commitea638ae1670d68be685faca8b8fe5b0085767dd9
tree4fc471e3d115b80af332004d1627962afae1f35etree
parentbeb6ce6d95c7cd31b1c44c5f5a47cf205f2c806fcommit | diff
net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker

BugLink: http://bugs.launchpad.net/bugs/1723145
[ Upstream commit 255cd50f207ae8ec7b22663246c833407744e634 ]

Recent commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") removed
freeing in call_rcu, which changed already existing hard-to-hit
race condition into 100% hit:

[  598.599825] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[  598.607782] IP: tcf_action_destroy+0xc0/0x140

Or:

[   40.858924] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[   40.862840] IP: tcf_generic_walker+0x534/0x820

Fix this by storing the ops and use them directly for module_put call.

Fixes: a85a970af265 ("net_sched: move tc_action into tcf_common")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
net/sched/act_api.c diff | blob | blame | history
Ubuntu Artful kernel mirror