From: Jiri Pirko <jiri@resnulli.us>
To: Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org, Jamal Hadi Salim <jhs@mojatatu.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
Paul Blakey <paulb@mellanox.com>
Subject: Re: [PATCH net v2] cls_flower: fix use after free in flower S/W path
Date: Thu, 21 Jun 2018 20:16:50 +0200 [thread overview]
Message-ID: <20180621181650.GE2104@nanopsycho> (raw)
In-Reply-To: <fd96de4e9dc358e3982922ae681fdb1b9d8ae72a.1529603970.git.pabeni@redhat.com>
Thu, Jun 21, 2018 at 08:02:16PM CEST, pabeni@redhat.com wrote:
>If flower filter is created without the skip_sw flag, fl_mask_put()
>can race with fl_classify() and we can destroy the mask rhashtable
>while a lookup operation is accessing it.
>
> BUG: unable to handle kernel paging request at 00000000000911d1
> PGD 0 P4D 0
> SMP PTI
> CPU: 3 PID: 5582 Comm: vhost-5541 Not tainted 4.18.0-rc1.vanilla+ #1950
> Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.1.7 06/16/2016
> RIP: 0010:rht_bucket_nested+0x20/0x60
> Code: 31 c8 c1 c1 18 29 c8 c3 66 90 8b 4f 04 ba 01 00 00 00 8b 07 48 8b bf 80 00 00 0
> RSP: 0018:ffffafc5cfbb7a48 EFLAGS: 00010206
> RAX: 0000000000001978 RBX: ffff9f12dff88a00 RCX: 00000000ffff9f12
> RDX: 00000000000911d1 RSI: 0000000000000148 RDI: 0000000000000001
> RBP: ffff9f12dff88a00 R08: 000000005f1cc119 R09: 00000000a715fae2
> R10: ffffafc5cfbb7aa8 R11: ffff9f1cb4be804e R12: ffff9f1265e13000
> R13: 0000000000000000 R14: ffffafc5cfbb7b48 R15: ffff9f12dff88b68
> FS: 0000000000000000(0000) GS:ffff9f1d3f0c0000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000000911d1 CR3: 0000001575a94006 CR4: 00000000001626e0
> Call Trace:
> fl_lookup+0x134/0x140 [cls_flower]
> fl_classify+0xf3/0x180 [cls_flower]
> tcf_classify+0x78/0x150
> __netif_receive_skb_core+0x69e/0xa50
> netif_receive_skb_internal+0x42/0xf0
> tun_get_user+0xdd5/0xfd0 [tun]
> tun_sendmsg+0x52/0x70 [tun]
> handle_tx+0x2b3/0x5f0 [vhost_net]
> vhost_worker+0xab/0x100 [vhost]
> kthread+0xf8/0x130
> ret_from_fork+0x35/0x40
> Modules linked in: act_mirred act_gact cls_flower vhost_net vhost tap sch_ingress
> CR2: 00000000000911d1
>
>Fix the above waiting for a RCU grace period before destroying the
>rhashtable: we need to use tcf_queue_work(), as rhashtable_destroy()
>must run in process context, as pointed out by Cong Wang.
>
>v1 -> v2: use tcf_queue_work to run rhashtable_destroy().
>
>Fixes: 05cd271fd61a ("cls_flower: Support multiple masks per priority")
>Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
next prev parent reply other threads:[~2018-06-21 18:18 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-21 18:02 [PATCH net v2] cls_flower: fix use after free in flower S/W path Paolo Abeni
2018-06-21 18:16 ` Jiri Pirko [this message]
2018-06-21 22:25 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180621181650.GE2104@nanopsycho \
--to=jiri@resnulli.us \
--cc=jhs@mojatatu.com \
--cc=marcelo.leitner@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=paulb@mellanox.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.