From: Greg KH <gregkh@linuxfoundation.org>
To: Rishabh Bhatnagar <risbhat@amazon.com>
Cc: lee@kernel.org, davem@davemloft.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Eric Dumazet <edumazet@google.com>,
Jamal Hadi Salim <jhs@mojatatu.com>
Subject: Re: [PATCH 4.14] net/sched: cls_u32: Fix reference counter leak leading to overflow
Date: Tue, 1 Aug 2023 10:24:32 +0200 [thread overview]
Message-ID: <2023080102-certified-unrivaled-a048@gregkh> (raw)
In-Reply-To: <20230727191554.21333-1-risbhat@amazon.com>
On Thu, Jul 27, 2023 at 07:15:54PM +0000, Rishabh Bhatnagar wrote:
> From: Lee Jones <lee@kernel.org>
>
> Upstream commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
>
> In the event of a failure in tcf_change_indev(), u32_set_parms() will
> immediately return without decrementing the recently incremented
> reference counter. If this happens enough times, the counter will
> rollover and the reference freed, leading to a double free which can be
> used to do 'bad things'.
>
> In order to prevent this, move the point of possible failure above the
> point where the reference counter is incremented. Also save any
> meaningful return values to be applied to the return data at the
> appropriate point in time.
>
> This issue was caught with KASAN.
>
> Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
> Suggested-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Lee Jones <lee@kernel.org>
> Reviewed-by: Eric Dumazet <edumazet@google.com>
> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Rishabh Bhatnagar <risbhat@amazon.com>
> ---
> net/sched/cls_u32.c | 21 ++++++++++++++-------
> 1 file changed, 14 insertions(+), 7 deletions(-)
We need a 4.19.y backport before we can apply a 4.14.y version, as you
do not want to upgrade and have a regression.
thanks,
greg k-h
prev parent reply other threads:[~2023-08-01 8:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-27 19:15 [PATCH 4.14] net/sched: cls_u32: Fix reference counter leak leading to overflow Rishabh Bhatnagar
2023-07-27 21:32 ` SeongJae Park
2023-08-01 8:24 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2023080102-certified-unrivaled-a048@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jhs@mojatatu.com \
--cc=lee@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=risbhat@amazon.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.