linux/net/sched
Jiri Pirko 255cd50f20 net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
Recent commit d7fb60b9ca ("net_sched: get rid of tcfa_rcu") removed
freeing in call_rcu, which changed already existing hard-to-hit
race condition into 100% hit:

[  598.599825] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[  598.607782] IP: tcf_action_destroy+0xc0/0x140

Or:

[   40.858924] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[   40.862840] IP: tcf_generic_walker+0x534/0x820

Fix this by storing the ops and use them directly for module_put call.

Fixes: a85a970af2 ("net_sched: move tc_action into tcf_common")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-13 09:34:08 -07:00
..
act_api.c net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker 2017-09-13 09:34:08 -07:00
act_bpf.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_connmark.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_csum.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_gact.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_ife.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_ipt.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_meta_mark.c Support to encoding decoding skb mark on IFE action 2016-03-01 17:15:23 -05:00
act_meta_skbprio.c Support to encoding decoding skb prio on IFE action 2016-03-01 17:15:23 -05:00
act_meta_skbtcindex.c net sched ife action: Introduce skb tcindex metadata encap decap 2016-09-19 21:55:28 -04:00
act_mirred.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_nat.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_pedit.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_police.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_sample.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_simple.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_skbedit.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_skbmod.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_tunnel_key.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_vlan.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
cls_api.c net_sched: carefully handle tcf_block_put() 2017-09-12 20:41:02 -07:00
cls_basic.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_bpf.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_cgroup.c net_sched: use void pointer for filter handle 2017-08-07 14:12:17 -07:00
cls_flow.c net_sched: use void pointer for filter handle 2017-08-07 14:12:17 -07:00
cls_flower.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_fw.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_matchall.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_route.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_rsvp6.c
cls_rsvp.c
cls_rsvp.h net/sched: fix pointer check in gen_handle 2017-09-11 14:34:52 -07:00
cls_tcindex.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_u32.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
em_canid.c net: sched: remove tcf_proto from ematch calls 2014-10-06 18:02:32 -04:00
em_cmp.c
em_ipset.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
em_meta.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
em_nbyte.c net: sched: remove tcf_proto from ematch calls 2014-10-06 18:02:32 -04:00
em_text.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
em_u32.c
ematch.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
Kconfig net: sched: select cls when cls_act is enabled 2017-06-05 10:56:36 -04:00
Makefile net/sched: Introduce sample tc action 2017-01-24 13:44:28 -05:00
sch_api.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_atm.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_blackhole.c net_sched: drop packets after root qdisc lock is released 2016-06-25 12:19:35 -04:00
sch_cbq.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_choke.c treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
sch_codel.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_drr.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_dsmark.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_fifo.c sched: don't use skb queue helpers 2016-09-19 01:47:18 -04:00
sch_fq_codel.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_fq.c mm, tree wide: replace __GFP_REPEAT by __GFP_RETRY_MAYFAIL with more useful semantic 2017-07-12 16:26:03 -07:00
sch_generic.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_gred.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_hfsc.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_hhf.c sch_hhf: fix null pointer dereference on init failure 2017-08-30 15:26:11 -07:00
sch_htb.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_ingress.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_mq.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_mqprio.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_multiq.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_netem.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_pie.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_plug.c net_sched: drop packets after root qdisc lock is released 2016-06-25 12:19:35 -04:00
sch_prio.c sched: Use __qdisc_drop instead of kfree_skb in sch_prio and sch_qfq 2017-09-06 21:20:07 -07:00
sch_qfq.c sched: Use __qdisc_drop instead of kfree_skb in sch_prio and sch_qfq 2017-09-06 21:20:07 -07:00
sch_red.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_sfb.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_sfq.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_tbf.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_teql.c net: make ndo_get_stats64 a void function 2017-01-08 17:51:44 -05:00