    net: sched: fix crash when deleting secondary chains · d7aa04a5
    Roman Kapl authored
    If you flush (delete) a filter chain other than chain 0 (such as when
    deleting the device), the kernel may run into a use-after-free. The
    chain refcount must not be decremented unless we are sure we are done
    with the chain.
    
    To reproduce the bug, run:
        ip link add dtest type dummy
        tc qdisc add dev dtest ingress
        tc filter add dev dtest chain 1  parent ffff: flower
        ip link del dtest
    
    Introduced in: commit f93e1cdc ("net/sched: fix filter flushing"),
    but unless you have KASAN or luck, you won't notice it until
    commit 0dadc117 ("cls_flower: use tcf_exts_get_net() before call_rcu()").
    
    Fixes: f93e1cdc ("net/sched: fix filter flushing")
    Acked-by: Jiri Pirko <jiri@mellanox.com>
    Signed-off-by: Roman Kapl <code@rkapl.cz>
    Signed-off-by: David S. Miller <davem@davemloft.net>
cls_api.c 29 KB
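
The rule stated in the commit message (do not decrement the chain refcount until you are done with the chain), as an added user-space C model; it is not code from cls_api.c or from this patch, and `struct chain`, `flush_unpinned` and `flush_pinned` are hypothetical names. It assumes each attached filter holds one reference, and it marks release with a flag so that late accesses can be counted instead of crashing.

```c
#include <stdbool.h>

/* User-space model only: names and fields are hypothetical, not cls_api.c. */
struct chain {
    int refcnt;         /* one reference per attached filter (+ any holders) */
    int nfilters;       /* filters still attached to the chain */
    bool released;      /* set where the kernel would free the chain */
    int stale_accesses; /* reads made after release: each one models a UAF */
};

static void chain_hold(struct chain *c) { c->refcnt++; }

static void chain_put(struct chain *c)
{
    if (--c->refcnt == 0)
        c->released = true; /* stands in for freeing the chain */
}

/* Every read the flush loop makes of the chain goes through here. */
static int chain_nfilters(struct chain *c)
{
    if (c->released)
        c->stale_accesses++;
    return c->nfilters;
}

/* Drops each filter's reference, then goes back to the chain for the
 * loop condition: after the last put the chain is already released. */
static int flush_unpinned(struct chain *c)
{
    while (chain_nfilters(c) > 0) {
        c->nfilters--;
        chain_put(c);
    }
    return c->stale_accesses;
}

/* Pins the chain for the whole flush and drops that reference only once
 * nothing reads the chain any more. */
static int flush_pinned(struct chain *c)
{
    chain_hold(c);
    while (chain_nfilters(c) > 0) {
        c->nfilters--;
        chain_put(c);
    }
    int stale = c->stale_accesses;
    chain_put(c); /* last use of the chain */
    return stale;
}
```

With two filters attached, the unpinned flush makes one read after release, which is the kind of access KASAN reports; the pinned flush makes none and still ends with the chain released.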