From patchwork Wed Sep 13 15:32:37 2017
X-Patchwork-Submitter: Jiri Pirko
X-Patchwork-Id: 813489
X-Patchwork-Delegate: davem@davemloft.net
From: Jiri Pirko
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, jhs@mojatatu.com, xiyou.wangcong@gmail.com, kubakici@wp.pl, mlxsw@mellanox.com
Subject: [patch net] net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
Date: Wed, 13 Sep 2017 17:32:37 +0200
Message-Id: <20170913153237.26408-1-jiri@resnulli.us>
X-Mailing-List: netdev@vger.kernel.org

From: Jiri Pirko

Recent commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") removed freeing in call_rcu, which changed an already existing hard-to-hit race condition into a 100% hit:

[ 598.599825] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[ 598.607782] IP: tcf_action_destroy+0xc0/0x140

Or:

[ 40.858924] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[ 40.862840] IP: tcf_generic_walker+0x534/0x820

Fix this by storing the ops and using them directly for the module_put call.

Fixes: a85a970af265 ("net_sched: move tc_action into tcf_common")
Signed-off-by: Jiri Pirko

--- net/sched/act_api.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/sched/act_api.c b/net/sched/act_api.c index fcd7dc7..da6fa82 100644 --- a/net/sched/act_api.c +++ b/net/sched/act_api.c @@ -180,7 +180,7 @@ static int tcf_del_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb, idr_for_each_entry_ext(idr, p, id) { ret = __tcf_idr_release(p, false, true); if (ret == ACT_P_DELETED) { - module_put(p->ops->owner); + module_put(ops->owner); n_i++; } else if (ret < 0) { goto nla_put_failure; @@ -514,13 +514,15 @@ EXPORT_SYMBOL(tcf_action_exec); int tcf_action_destroy(struct list_head *actions, int bind) { + const struct tc_action_ops *ops; struct tc_action *a, *tmp; int ret = 0; list_for_each_entry_safe(a, tmp, actions, list) { + ops = a->ops; ret = __tcf_idr_release(a, bind, true); if (ret == ACT_P_DELETED) - module_put(a->ops->owner); + module_put(ops->owner); else if (ret < 0) return ret; }
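
Review bot: In the tcf_del_walker hunk (@@ -180,7 +180,7 @@), the new `module_put(ops->owner)` relies on an `ops` whose declaration is not in the visible context (the signature is cut off after `struct sk_buff *skb,`), so the hunk alone does not show that it is the same ops as the one behind each `p` walked by `idr_for_each_entry_ext`. Please say in the commit message where `ops` comes from and that every entry in this idr shares it. A one-line comment above the call, noting that `p` must not be dereferenced once `__tcf_idr_release(p, false, true)` has returned `ACT_P_DELETED`, would keep a later cleanup from restoring `p->ops->owner`.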
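
Review bot: In the tcf_action_destroy hunk (@@ -514,13 +514,15 @@), the fix depends entirely on `ops = a->ops;` being placed before `__tcf_idr_release(a, bind, true)`, and nothing in the code documents that ordering. Add a short comment at the assignment stating that `a` may be gone after the release call, so the cached `ops` is the only safe way to reach `owner` for `module_put()`. The commit message would also benefit from one sentence tying the NULL dereference at offset 0x30 in the traces to the read of `a->ops` after release, since the subject calls this a use-after-free while both logs show a NULL pointer fault.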