Message ID | 1553258255-9230-1-git-send-email-john.hurley@netronome.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Series | [net,v2,1/1] net: sched: fix cleanup NULL pointer exception in act_mirr |

On Fri, Mar 22, 2019 at 5:37 AM John Hurley <john.hurley@netronome.com> wrote:
>
> A new mirred action is created by the tcf_mirred_init function. This
> contains a list head struct which is inserted into a global list on
> successful creation of a new action. However, after a creation, it is
> still possible to error out and call the tcf_idr_release function. This,
> in turn, calls the act_mirr cleanup function via __tcf_idr_release and
> __tcf_action_put. This cleanup function tries to delete the list entry
> which is as yet uninitialised, leading to a NULL pointer exception.
>
> Fix this by initialising the list entry on creation of a new action.

...

>
> Fixes: 4e232818bd32 ("net: sched: act_mirred: remove dependency on rtnl lock")
> Signed-off-by: John Hurley <john.hurley@netronome.com>
> Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>

Acked-by: Cong Wang <xiyou.wangcong@gmail.com>

Thanks for the update!

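
The failure path described in the commit message above, modelled in userspace C as an added example (not kernel code and not part of the patch). The names `demo_mirred`, `demo_list`, `list_del_checked` and `create_then_cleanup` are hypothetical, and a zero-filled new action is an assumption modelled with `calloc()`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the kernel's list_head (constructed for this demo). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* The kernel's list_del() dereferences entry->next and entry->prev.
 * This demo variant reports the NULL case instead of faulting. */
static int list_del_checked(struct list_head *e)
{
    if (!e->next || !e->prev)
        return -1; /* where the NULL pointer exception would occur */
    e->next->prev = e->prev;
    e->prev->next = e->next;
    return 0;
}

/* Hypothetical stand-ins for the mirred action and its global list. */
struct demo_mirred { struct list_head tcfm_list; };
static struct list_head demo_list = { &demo_list, &demo_list };

/* Create an action, optionally link it, then run cleanup.
 * Assumption: a new action starts zeroed, modelled with calloc(). */
static int create_then_cleanup(int init_on_create, int reach_list_add)
{
    struct demo_mirred *m = calloc(1, sizeof(*m));
    int rc;
    if (!m) return -2;
    if (init_on_create)
        INIT_LIST_HEAD(&m->tcfm_list);       /* the fix from the patch */
    if (reach_list_add)
        list_add(&m->tcfm_list, &demo_list); /* successful creation */
    rc = list_del_checked(&m->tcfm_list);    /* cleanup callback */
    free(m);
    return rc;
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", create_then_cleanup(0, 0), create_then_cleanup(1, 0));
    return 0;
}
```

A self-linked entry makes the delete a no-op on the error path, which is why initialising at creation is sufficient without touching the cleanup function.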
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c index cd712e4..17cc6bd 100644 --- a/net/sched/act_mirred.c +++ b/net/sched/act_mirred.c @@ -159,12 +159,15 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla, tcf_idr_release(*a, bind); return -EEXIST; } + + m = to_mirred(*a); + if (ret == ACT_P_CREATED) + INIT_LIST_HEAD(&m->tcfm_list); + err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack); if (err < 0) goto release_idr; - m = to_mirred(*a); - spin_lock_bh(&m->tcf_lock); if (parm->ifindex) {
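
Review bot: The `INIT_LIST_HEAD(&m->tcfm_list)` under `if (ret == ACT_P_CREATED)` is only correct because it sits ahead of the `tcf_action_check_ctrlact()` failure path (`goto release_idr`), and nothing in the code records that ordering requirement. A one-line comment stating that the list entry must be initialised before any path that can reach the cleanup callback would keep a later reorder, or a new early `goto release_idr`, from reintroducing the NULL dereference. Consider also doing the initialisation next to the point where `ret` becomes `ACT_P_CREATED`, so it does not depend on re-testing `ret` at this position.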