diff mbox series

[net,1/2] net: sched: fix clsact init error path

Message ID 20171215114013.6425-2-jiri@resnulli.us
State Accepted, archived
Delegated to: David Miller
Headers show
Series net: sched: couple of fixes on ingress/clsact init error path | expand

Commit Message

Jiri Pirko Dec. 15, 2017, 11:40 a.m. UTC
From: Jiri Pirko <jiri@mellanox.com>

Since in qdisc_create, the destroy op is called when init fails, we
don't do cleanup in init and leave it up to destroy.
This fixes use-after-free when trying to put already freed block.

Fixes: 6e40cf2d4dee ("net: sched: use extended variants of block_get/put in ingress and clsact qdiscs")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
---
 net/sched/cls_api.c     | 4 ++--
 net/sched/sch_ingress.c | 6 +-----
 2 files changed, 3 insertions(+), 7 deletions(-)

Comments

Cong Wang Dec. 15, 2017, 7:17 p.m. UTC | #1
On Fri, Dec 15, 2017 at 3:40 AM, Jiri Pirko <jiri@resnulli.us> wrote:
> From: Jiri Pirko <jiri@mellanox.com>
>
> Since in qdisc_create, the destroy op is called when init fails, we
> don't do cleanup in init and leave it up to destroy.
> This fixes use-after-free when trying to put already freed block.
>
> Fixes: 6e40cf2d4dee ("net: sched: use extended variants of block_get/put in ingress and clsact qdiscs")
> Signed-off-by: Jiri Pirko <jiri@mellanox.com>

Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
David Miller Dec. 15, 2017, 8:44 p.m. UTC | #2
From: Jiri Pirko <jiri@resnulli.us>
Date: Fri, 15 Dec 2017 12:40:12 +0100

> From: Jiri Pirko <jiri@mellanox.com>
> 
> Since in qdisc_create, the destroy op is called when init fails, we
> don't do cleanup in init and leave it up to destroy.
> This fixes use-after-free when trying to put already freed block.
> 
> Fixes: 6e40cf2d4dee ("net: sched: use extended variants of block_get/put in ingress and clsact qdiscs")
> Signed-off-by: Jiri Pirko <jiri@mellanox.com>

Applied.
diff mbox series

Patch

diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index f40256a..b91ea03 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -351,6 +351,8 @@  void tcf_block_put_ext(struct tcf_block *block, struct Qdisc *q,
 {
 	struct tcf_chain *chain;
 
+	if (!block)
+		return;
 	/* Hold a refcnt for all chains, except 0, so that they don't disappear
 	 * while we are iterating.
 	 */
@@ -377,8 +379,6 @@  void tcf_block_put(struct tcf_block *block)
 {
 	struct tcf_block_ext_info ei = {0, };
 
-	if (!block)
-		return;
 	tcf_block_put_ext(block, block->q, &ei);
 }
 
diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
index 5ecc38f..5e1cd2e 100644
--- a/net/sched/sch_ingress.c
+++ b/net/sched/sch_ingress.c
@@ -190,7 +190,7 @@  static int clsact_init(struct Qdisc *sch, struct nlattr *opt)
 
 	err = tcf_block_get_ext(&q->egress_block, sch, &q->egress_block_info);
 	if (err)
-		goto err_egress_block_get;
+		return err;
 
 	net_inc_ingress_queue();
 	net_inc_egress_queue();
@@ -198,10 +198,6 @@  static int clsact_init(struct Qdisc *sch, struct nlattr *opt)
 	sch->flags |= TCQ_F_CPUSTATS;
 
 	return 0;
-
-err_egress_block_get:
-	tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info);
-	return err;
 }
 
 static void clsact_destroy(struct Qdisc *sch)