system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-09-20 02:57:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/net
History
Jiri Pirko 744a4cf63e net: sched: fix use after free when tcf_chain_destroy is called multiple times 
The goto_chain termination action takes a reference of a chain. In that
case, there is an issue when block_put is called tcf_chain_destroy
directly. The follo-up call of tcf_chain_put by goto_chain action free
works with memory that is already freed. This was caught by kasan:

[  220.337908] BUG: KASAN: use-after-free in tcf_chain_put+0x1b/0x50
[  220.344103] Read of size 4 at addr ffff88036d1f2cec by task systemd-journal/261
[  220.353047] CPU: 0 PID: 261 Comm: systemd-journal Not tainted 4.13.0-rc5jiri+ #54
[  220.360661] Hardware name: Mellanox Technologies Ltd. Mellanox switch/Mellanox x86 mezzanine board, BIOS 4.6.5 08/02/2016
[  220.371784] Call Trace:
[  220.374290]  <IRQ>
[  220.376355]  dump_stack+0xd5/0x150
[  220.391485]  print_address_description+0x86/0x410
[  220.396308]  kasan_report+0x181/0x4c0
[  220.415211]  tcf_chain_put+0x1b/0x50
[  220.418949]  free_tcf+0x95/0xc0

So allow tcf_chain_destroy to be called multiple times, free only in
case the reference count drops to 0.

Fixes: 5bc1701881 ("net: sched: introduce multichain support for filters")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-22 14:39:58 -07:00
..
6lowpan 6lowpan: Don't set IFF_NO_QUEUE 2017-04-12 22:02:40 +02:00
9p Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-15 12:00:42 -07:00
802 net: introduce __skb_put_[zero, data, u8] 2017-06-20 13:30:14 -04:00
8021q net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
appletalk networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
atm net, atm: convert eg_cache_entry.use from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
ax25 net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t 2017-07-04 22:35:19 +01:00
batman-adv batman-adv: fix TT sync flag inconsistencies 2017-07-31 11:17:38 +02:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
bpf bpf: Align packet data properly in program testing framework. 2017-05-02 11:46:28 -04:00
bridge net: bridge: fix dest lookup when vlan proto doesn't match 2017-07-14 08:19:23 -07:00
caif net: convert sock.sk_wmem_alloc from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
can networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
ceph libceph: make RECOVERY_DELETES feature create a new interval 2017-08-01 16:46:45 +02:00
core udp: on peeking bad csum, drop packets even if not at head 2017-08-22 14:27:58 -07:00
dcb dcb: enforce minimum length on IEEE_APPS attribute 2017-05-21 13:42:33 -04:00
dccp dccp: defer ccid_hc_tx_delete() at dismantle time 2017-08-16 14:26:26 -07:00
decnet net, decnet: convert dn_fib_info.fib_clntref from atomic_t to refcount_t 2017-07-04 22:35:15 +01:00
dns_resolver Merge branch 'WIP.sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-03-03 10:16:38 -08:00
dsa net: dsa: ksz: fix skb freeing 2017-08-11 13:57:08 -07:00
ethernet networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
hsr net/hsr: Check skb_put_padto() return value 2017-08-22 13:40:23 -07:00
ieee802154 net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ife
ipv4 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2017-08-22 10:27:26 -07:00
ipv6 ipv6: add rcu grace period before freeing fib6_node 2017-08-22 11:03:19 -07:00
ipx net, ipx: convert ipx_route.refcnt from atomic_t to refcount_t 2017-07-04 22:35:17 +01:00
irda irda: do not leak initialized list.dev to userspace 2017-08-18 16:21:51 -07:00
iucv iucv: Convert sk_wmem_alloc accesses to refcount_t. 2017-07-03 02:31:22 -07:00
kcm net: convert sock.sk_wmem_alloc from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
key af_key: do not use GFP_KERNEL in atomic contexts 2017-08-14 22:18:12 -07:00
l2tp net, l2tp: convert l2tp_session.ref_count from atomic_t to refcount_t 2017-07-04 22:35:15 +01:00
l3mdev
lapb net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
llc net, llc: convert llc_sap.refcnt from atomic_t to refcount_t 2017-07-04 22:35:15 +01:00
mac80211 mac80211: add api to start ba session timer expired flow 2017-08-09 09:49:42 +03:00
mac802154 net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
mpls mpls: fix uninitialized in_label var warning in mpls_getroute 2017-07-08 11:26:41 +01:00
ncsi networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-07-20 16:33:39 -07:00
netlabel netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
netlink net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
netrom net, netrom: convert nr_node.refcount from atomic_t to refcount_t 2017-07-04 22:35:17 +01:00
nfc NFC: Add sockaddr length checks before accessing sa_family in bind handlers 2017-06-23 00:38:31 +02:00
openvswitch openvswitch: fix skb_panic due to the incorrect actions attrlen 2017-08-16 14:12:37 -07:00
packet packet: fix tp_reserve race in packet_set_ring 2017-08-10 09:52:12 -07:00
phonet net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
psample networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
qrtr networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
rds rds: Reintroduce statistics counting 2017-08-08 21:03:47 -07:00
rfkill net: rfkill: gpio: Switch to devm_acpi_dev_add_driver_gpios() 2017-06-13 11:07:51 +02:00
rose net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
rxrpc rxrpc: Fix oops when discarding a preallocated service call 2017-08-18 16:23:23 -07:00
sched net: sched: fix use after free when tcf_chain_destroy is called multiple times 2017-08-22 14:39:58 -07:00
sctp sctp: fully initialize the IPv6 address in sctp_v6_to_addr() 2017-08-18 16:00:47 -07:00
smc net/smc: Add warning about remote memory exposure 2017-05-16 14:49:43 -04:00
strparser strparser: destroy workqueue on module exit 2017-03-03 20:43:26 -08:00
sunrpc NFS client bugfixes for 4.13 2017-07-21 16:26:01 -07:00
switchdev net: switchdev: Change notifier chain to be atomic 2017-06-08 14:16:24 -04:00
tipc tipc: fix a race condition of releasing subscriber object 2017-08-22 14:25:02 -07:00
tls TLS: Fix length check in do_tls_getsockopt_tx() 2017-07-06 10:58:19 +01:00
unix datagram: When peeking datagrams with offset < 0 don't skip empty skbs 2017-08-18 15:12:54 -07:00
vmw_vsock net: manual clean code which call skb_put_[data:zero] 2017-06-20 13:30:15 -04:00
wimax
wireless netlink validation fixes for nl80211 2017-07-07 11:35:55 +01:00
x25 net, x25: convert x25_neigh.refcnt from atomic_t to refcount_t 2017-07-04 22:35:18 +01:00
xfrm xfrm: policy: check policy direction value 2017-08-03 10:15:22 +02:00
compat.c get_compat_bpf_fprog(): don't copyin field-by-field 2017-07-04 13:14:34 -04:00
Kconfig tls: kernel TLS support 2017-06-15 12:12:40 -04:00
Makefile tls: kernel TLS support 2017-06-15 12:12:40 -04:00
socket.c net/socket: fix type in assignment and trim long line 2017-07-24 14:17:01 -07:00
sysctl_net.c sysctl: Remove dead register_sysctl_root 2017-04-16 23:42:49 -05:00