From patchwork Fri Dec 15 11:40:12 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jiri Pirko X-Patchwork-Id: 849101 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=resnulli-us.20150623.gappssmtp.com header.i=@resnulli-us.20150623.gappssmtp.com header.b="PuecMcbD"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3yypQP1TWYz9t3t for ; Fri, 15 Dec 2017 22:40:29 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755297AbdLOLkX (ORCPT ); Fri, 15 Dec 2017 06:40:23 -0500 Received: from mail-wm0-f68.google.com ([74.125.82.68]:45207 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754389AbdLOLkR (ORCPT ); Fri, 15 Dec 2017 06:40:17 -0500 Received: by mail-wm0-f68.google.com with SMTP id 9so16859425wme.4 for ; Fri, 15 Dec 2017 03:40:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=resnulli-us.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=DTl2O4lbvWVsELay4hzGth2y3ut6TcpT/j2L2HdIfTQ=; b=PuecMcbDYcT5QM4xpgGjC9wXcDjEN96V/Uk7fU6hMRrUbS7oegUVwd+lzuKzNdDdL8 vybIj5/oJrcx3XCM+QE+DqAvqzZxZaQWI8gI8k6nrHIdy1bomgQYlHks+XLxcwlYr5Ai wCVoML70iWjCfnovF9lTAQYPNGOa/OFUG0RJZ8lz12kbnde397mEmqEskwKd5kXQL5JN DEP9pice1AdPp+DzMVK+5VLyjTANkeIJKA8aBMmQYdUG6CeAyPU+ui5Z+y32cQ1l6/Uj jImOnMIVdHf3AG2iFfY9D1VS/McRAenhCNYlYpavgL6XBbjuwaDz+rp1bz0dYRFLhEzS 8i6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=DTl2O4lbvWVsELay4hzGth2y3ut6TcpT/j2L2HdIfTQ=; b=BDG+sSAf7yV8GzQUpKE7dEyAJXRdJazM9JhY4iquLLAaWxavyrujNlsZEmQxqfIQfC PPxYX6NdyNjFKZfVgz0S22x41P+qRrtQ9gSiNHn6uJ/uoN3X0L6i7nyav2kXqTkMQ7BT PzhwIbpwqrto/sEiIQjehAHPFH1SYbtaiHDEk8k4Lk1y3z9H9G4mL66/q2+SzGBvqq0q Pvg+crLEyFFSeKPFd6X3HxQvCrVhRX+SxxlRj3LOUOB7umIRrnMISnUAptKP/lEs5NiZ BvKwGWL8Ra4V8JXahDmwwcTsNaX34FhDP5HpG/OxgxMCRRsuZKKuuuS1fUAcZ7i1UyhY heig== X-Gm-Message-State: AKGB3mLq0VFPry+kI5U41rsUjGJzHPQhUDGH3nJHOuYb0fJCuXGJ15QB IitRD/HRSa/NiNDYd17CsBCKBag2 X-Google-Smtp-Source: ACJfBovMmj8+s8TMWE+CTtB55rtWs4Tlw1TyMasoVV5jF9NEmhrMXDbpIKtXLPqT7ND0JMiJAkXl7w== X-Received: by 10.28.48.1 with SMTP id w1mr4645402wmw.119.1513338015862; Fri, 15 Dec 2017 03:40:15 -0800 (PST) Received: from localhost (f190.dkm.cz. [62.24.70.190]) by smtp.gmail.com with ESMTPSA id f18sm4246029wrg.66.2017.12.15.03.40.15 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 15 Dec 2017 03:40:15 -0800 (PST) From: Jiri Pirko To: netdev@vger.kernel.org Cc: davem@davemloft.net, jhs@mojatatu.com, xiyou.wangcong@gmail.com, mlxsw@mellanox.com, daniel@iogearbox.net Subject: [patch net 1/2] net: sched: fix clsact init error path Date: Fri, 15 Dec 2017 12:40:12 +0100 Message-Id: <20171215114013.6425-2-jiri@resnulli.us> X-Mailer: git-send-email 2.9.5 In-Reply-To: <20171215114013.6425-1-jiri@resnulli.us> References: <20171215114013.6425-1-jiri@resnulli.us> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Jiri Pirko Since in qdisc_create, the destroy op is called when init fails, we don't do cleanup in init and leave it up to destroy. This fixes use-after-free when trying to put already freed block. Fixes: 6e40cf2d4dee ("net: sched: use extended variants of block_get/put in ingress and clsact qdiscs") Signed-off-by: Jiri Pirko Acked-by: Cong Wang --- net/sched/cls_api.c | 4 ++-- net/sched/sch_ingress.c | 6 +----- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index f40256a..b91ea03 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -351,6 +351,8 @@ void tcf_block_put_ext(struct tcf_block *block, struct Qdisc *q, { struct tcf_chain *chain; + if (!block) + return; /* Hold a refcnt for all chains, except 0, so that they don't disappear * while we are iterating. */ @@ -377,8 +379,6 @@ void tcf_block_put(struct tcf_block *block) { struct tcf_block_ext_info ei = {0, }; - if (!block) - return; tcf_block_put_ext(block, block->q, &ei); } diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c index 5ecc38f..5e1cd2e 100644 --- a/net/sched/sch_ingress.c +++ b/net/sched/sch_ingress.c @@ -190,7 +190,7 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt) err = tcf_block_get_ext(&q->egress_block, sch, &q->egress_block_info); if (err) - goto err_egress_block_get; + return err; net_inc_ingress_queue(); net_inc_egress_queue(); @@ -198,10 +198,6 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt) sch->flags |= TCQ_F_CPUSTATS; return 0; - -err_egress_block_get: - tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info); - return err; } static void clsact_destroy(struct Qdisc *sch)