| Message ID | 1526063733-7813-1-git-send-email-mrv@mojatatu.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
| Series | [net,1/1] net sched actions: fix refcnt leak in skbmod | expand |
On Fri, May 11, 2018 at 11:35 AM, Roman Mashak <mrv@mojatatu.com> wrote: > When application fails to pass flags in netlink TLV when replacing > existing skbmod action, the kernel will leak refcnt: > > $ tc actions get action skbmod index 1 > total acts 0 > > action order 0: skbmod pipe set smac 00:11:22:33:44:55 > index 1 ref 1 bind 0 > > For example, at this point a buggy application replaces the action with > index 1 with new smac 00:aa:22:33:44:55, it fails because of zero flags, > however refcnt gets bumped: > > $ tc actions get actions skbmod index 1 > total acts 0 > > action order 0: skbmod pipe set smac 00:11:22:33:44:55 > index 1 ref 2 bind 0 > $ > > Tha patch fixes this by calling tcf_idr_release() on existing actions. > > Fixes: 86da71b57383d ("net_sched: Introduce skbmod action") > Signed-off-by: Roman Mashak <mrv@mojatatu.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
From: Roman Mashak <mrv@mojatatu.com> Date: Fri, 11 May 2018 14:35:33 -0400 > When application fails to pass flags in netlink TLV when replacing > existing skbmod action, the kernel will leak refcnt: > > $ tc actions get action skbmod index 1 > total acts 0 > > action order 0: skbmod pipe set smac 00:11:22:33:44:55 > index 1 ref 1 bind 0 > > For example, at this point a buggy application replaces the action with > index 1 with new smac 00:aa:22:33:44:55, it fails because of zero flags, > however refcnt gets bumped: > > $ tc actions get actions skbmod index 1 > total acts 0 > > action order 0: skbmod pipe set smac 00:11:22:33:44:55 > index 1 ref 2 bind 0 > $ > > Tha patch fixes this by calling tcf_idr_release() on existing actions. > > Fixes: 86da71b57383d ("net_sched: Introduce skbmod action") > Signed-off-by: Roman Mashak <mrv@mojatatu.com> Applied and queued up for -stable, thanks.
diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c index bbcbdce732cc..ad050d7d4b46 100644 --- a/net/sched/act_skbmod.c +++ b/net/sched/act_skbmod.c @@ -131,8 +131,11 @@ static int tcf_skbmod_init(struct net *net, struct nlattr *nla, if (exists && bind) return 0; - if (!lflags) + if (!lflags) { + if (exists) + tcf_idr_release(*a, bind); return -EINVAL; + } if (!exists) { ret = tcf_idr_create(tn, parm->index, est, a,
When application fails to pass flags in netlink TLV when replacing existing skbmod action, the kernel will leak refcnt: $ tc actions get action skbmod index 1 total acts 0 action order 0: skbmod pipe set smac 00:11:22:33:44:55 index 1 ref 1 bind 0 For example, at this point a buggy application replaces the action with index 1 with new smac 00:aa:22:33:44:55, it fails because of zero flags, however refcnt gets bumped: $ tc actions get actions skbmod index 1 total acts 0 action order 0: skbmod pipe set smac 00:11:22:33:44:55 index 1 ref 2 bind 0 $ Tha patch fixes this by calling tcf_idr_release() on existing actions. Fixes: 86da71b57383d ("net_sched: Introduce skbmod action") Signed-off-by: Roman Mashak <mrv@mojatatu.com> --- net/sched/act_skbmod.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)