From: Lee Jones <lee@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>,
xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net,
kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, stable@kernel.org
Subject: Re: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
Date: Thu, 1 Jun 2023 17:48:17 +0100
Message-ID: <20230601164817.GH449117@google.com>
In-Reply-To: <CANn89i+j7ymO2-wyZtavCotwODdgOAcJ5O_GFjLkegqAsx4F5A@mail.gmail.com>

On Thu, 01 Jun 2023, Eric Dumazet wrote:

> On Thu, Jun 1, 2023 at 4:06 PM Lee Jones <lee@kernel.org> wrote:
> >
> > On Wed, 31 May 2023, Jamal Hadi Salim wrote:
> >
> > > On Wed, May 31, 2023 at 11:03 AM Eric Dumazet <edumazet@google.com> wrote:
> > > >
> > > > On Wed, May 31, 2023 at 4:16 PM Lee Jones <lee@kernel.org> wrote:
> > > > >
> > > > > In the event of a failure in tcf_change_indev(), u32_set_parms() will
> > > > > immediately return without decrementing the recently incremented
> > > > > reference counter. If this happens enough times, the counter will
> > > > > roll over and the reference freed, leading to a double free which can be
> > > > > used to do 'bad things'.
> > > > >
> > > > > Cc: stable@kernel.org # v4.14+
> > > >
> > > > Please add a Fixes: tag.
> >
> > Why?
>
> How have you identified v4.14+ ?
>
> Probably you did some research/"git archeology".
>
> By adding the Fixes: tag, you allow us to double check immediately,
> and see if other bugs need to be fixed at the same time.
>
> You can also CC blamed patch authors, to get some feedback.
>
> Otherwise, we (people reviewing this patch) have to also do this
> research from scratch.
>
> In this case, it seems the bug was added in
>
> commit 705c7091262d02b09eb686c24491de61bf42fdb2
> Author: Jiri Pirko <jiri@resnulli.us>
> Date: Fri Aug 4 14:29:14 2017 +0200
>
> net: sched: cls_u32: no need to call tcf_exts_change for newly
> allocated struct
>
>
> A nice Fixes: tag would then be
>
> Fixes: 705c7091262d ("net: sched: cls_u32: no need to call
> tcf_exts_change for newly allocated struct")

Thanks for digging this out. I will add it.

--
Lee Jones [李琼斯]
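
The leak described in the quoted commit message, as an added example that is not part of this thread or of the kernel source: a simplified user-space model of an error path that returns without dropping a reference it has just taken, next to the balanced form. The struct, the function names and the 8-bit counter width are assumptions, chosen so the wraparound shows after 255 failed calls.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not kernel code: every name here is hypothetical. */
struct table {
    uint8_t refcnt;   /* deliberately 8 bits so wraparound shows up quickly */
};

/* Stand-in for a step that can fail after the reference was taken. */
static int change_indev(int ifindex) { return ifindex < 0 ? -1 : 0; }

/* Leaky pattern: the early return skips the matching decrement. */
static int set_parms_leaky(struct table *t, int ifindex)
{
    t->refcnt++;                       /* take a reference */
    if (change_indev(ifindex) < 0)
        return -1;                     /* reference is never dropped */
    return 0;
}

/* Balanced pattern: the failure exit undoes the increment. */
static int set_parms_balanced(struct table *t, int ifindex)
{
    t->refcnt++;
    if (change_indev(ifindex) < 0) {
        t->refcnt--;                   /* undo before returning the error */
        return -1;
    }
    return 0;
}

/* Run `failures` failing calls and return the resulting count. */
static unsigned run_failures(int (*fn)(struct table *, int), unsigned failures)
{
    struct table t = { .refcnt = 1 };  /* one legitimate owner */
    for (unsigned i = 0; i < failures; i++)
        fn(&t, -1);                    /* -1 makes change_indev() fail */
    return t.refcnt;
}

int main(void)
{
    printf("leaky after 3:      %u\n", run_failures(set_parms_leaky, 3));
    printf("leaky after 255:    %u\n", run_failures(set_parms_leaky, 255));
    printf("balanced after 255: %u\n", run_failures(set_parms_balanced, 255));
    return 0;
}
```

In the leaky variant the count reaches zero while the original owner still holds its reference, which is the state the commit message says precedes the double free.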