From mboxrd@z Thu Jan 1 00:00:00 1970 From: Cong Wang Subject: [Patch net-next] net_sched: fix a crash in tc_new_tfilter() Date: Thu, 27 Sep 2018 13:42:19 -0700 Message-ID: <20180927204219.17846-2-xiyou.wangcong@gmail.com> References: <20180927204219.17846-1-xiyou.wangcong@gmail.com> Cc: jiri@resnulli.us, jhs@mojatatu.com, vladbu@mellanox.com, Cong Wang To: netdev@vger.kernel.org Return-path: Received: from mail-pg1-f196.google.com ([209.85.215.196]:36353 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727295AbeI1DCv (ORCPT ); Thu, 27 Sep 2018 23:02:51 -0400 Received: by mail-pg1-f196.google.com with SMTP id d1-v6so2794073pgo.3 for ; Thu, 27 Sep 2018 13:42:45 -0700 (PDT) In-Reply-To: <20180927204219.17846-1-xiyou.wangcong@gmail.com> Sender: netdev-owner@vger.kernel.org List-ID: When tcf_block_find() fails, it already rollbacks the qdisc refcnt, so its caller doesn't need to clean up this again. Avoid calling qdisc_put() again by resetting qdisc to NULL for callers. Reported-by: syzbot+37b8770e6d5a8220a039@syzkaller.appspotmail.com Fixes: e368fdb61d8e ("net: sched: use Qdisc rcu API instead of relying on rtnl lock") Signed-off-by: Cong Wang --- net/sched/cls_api.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 8dd7f8af6d54..a4167ec0a220 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -717,8 +717,10 @@ static struct tcf_block *tcf_block_find(struct net *net, struct Qdisc **q, errout_rcu: rcu_read_unlock(); errout_qdisc: - if (*q) + if (*q) { qdisc_put(*q); + *q = NULL; + } return ERR_PTR(err); } -- 2.14.4