* [Patch net] net_sched: fix a use-after-free in tc_ctl_tfilter()
@ 2015-05-05 22:22 Cong Wang
2015-05-06 21:24 ` Jamal Hadi Salim
2015-05-09 20:14 ` David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Cong Wang @ 2015-05-05 22:22 UTC (permalink / raw)
To: netdev; +Cc: Cong Wang, Jamal Hadi Salim
When tcf_destroy() returns true, tp could be already destroyed,
we should not use tp->next after that.
For long term, we probably should move tp list to list_head.
Fixes: 1e052be69d04 ("net_sched: destroy proto tp when all filters are gone")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
net/sched/cls_api.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 8b0470e..b6ef9a0 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -308,12 +308,11 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n)
case RTM_DELTFILTER:
err = tp->ops->delete(tp, fh);
if (err == 0) {
- tfilter_notify(net, skb, n, tp, fh, RTM_DELTFILTER);
- if (tcf_destroy(tp, false)) {
- struct tcf_proto *next = rtnl_dereference(tp->next);
+ struct tcf_proto *next = rtnl_dereference(tp->next);
+ tfilter_notify(net, skb, n, tp, fh, RTM_DELTFILTER);
+ if (tcf_destroy(tp, false))
RCU_INIT_POINTER(*back, next);
- }
}
goto errout;
case RTM_GETTFILTER:
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Patch net] net_sched: fix a use-after-free in tc_ctl_tfilter()
2015-05-05 22:22 [Patch net] net_sched: fix a use-after-free in tc_ctl_tfilter() Cong Wang
@ 2015-05-06 21:24 ` Jamal Hadi Salim
2015-05-09 20:14 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: Jamal Hadi Salim @ 2015-05-06 21:24 UTC (permalink / raw)
To: Cong Wang, netdev
On 05/05/15 18:22, Cong Wang wrote:
> When tcf_destroy() returns true, tp could be already destroyed,
> we should not use tp->next after that.
>
> For long term, we probably should move tp list to list_head.
>
> Fixes: 1e052be69d04 ("net_sched: destroy proto tp when all filters are gone")
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
cheers,
jamal
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Patch net] net_sched: fix a use-after-free in tc_ctl_tfilter()
2015-05-05 22:22 [Patch net] net_sched: fix a use-after-free in tc_ctl_tfilter() Cong Wang
2015-05-06 21:24 ` Jamal Hadi Salim
@ 2015-05-09 20:14 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2015-05-09 20:14 UTC (permalink / raw)
To: xiyou.wangcong; +Cc: netdev, jhs
From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Tue, 5 May 2015 15:22:02 -0700
> When tcf_destroy() returns true, tp could be already destroyed,
> we should not use tp->next after that.
>
> For long term, we probably should move tp list to list_head.
>
> Fixes: 1e052be69d04 ("net_sched: destroy proto tp when all filters are gone")
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Applied, thank you.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-05-09 20:14 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-05 22:22 [Patch net] net_sched: fix a use-after-free in tc_ctl_tfilter() Cong Wang
2015-05-06 21:24 ` Jamal Hadi Salim
2015-05-09 20:14 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).