From: Greg KH <gregkh@linuxfoundation.org>
To: Alex Young <alex000young@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net,
security@kernel.org, xkaneiki@gmail.com,
hackerzheng666@gmail.com
Subject: Re: [PATCH] net: sched: use-after-free in tcf_action_destroy
Date: Sat, 17 Aug 2024 11:35:30 +0200
Message-ID: <2024081722-reflex-reverend-4916@gregkh>
In-Reply-To: <CAFC++j15p9Ey3qc4ZsY4CXBsL3LHn7TsFTi6=N9=H+_Yx_k=+Q@mail.gmail.com>
On Sat, Aug 17, 2024 at 05:27:17PM +0800, Alex Young wrote:
> Hi Jamal,
>
> Thanks for your mention. I have reviewed the latest kernel code.
> I understand why these two tc function threads can enter the kernel at the same
> time. It's because of the request_module [2] call in tcf_action_init_1. When the
> tcf_action_init_1 function adds a new action, it will load the action
> module. It will call rtnl_unlock, which lets Thread2 into the kernel space.
>
> Thread1                                        Thread2
> rtnetlink_rcv_msg                              rtnetlink_rcv_msg
>   rtnl_lock();
>   tcf_action_init
>     for(i;i<TCA_ACT_MAX_PRIO;i++)
>       act=tcf_action_init_1              //[1]
>         if (rtnl_held)
>           rtnl_unlock();                 //[2]
>         request_module("act_%s", act_name);
>                                                  tcf_del_walker
>                                                    idr_for_each_entry_ul(idr,p,id)
>                                                      __tcf_idr_release(p,false,true)
>                                                        free_tcf(p)           //[3]
>         if (rtnl_held)
>           rtnl_lock();
>       if(IS_ERR(act))
>         goto err
>       actions[i] = act
>
>     err:
>       tcf_action_destroy
>         a=actions[i]
>         ops = a->ops                     //[4]
> I know this time window is small, but it can indeed cause the bug. And
> the latest kernel has fixed the bug. But version 4.19.x is still a
> maintenance version.
4.19.y is only going to be alive for 4 more months, and anyone still
using it now really should have their plans to move off of it finished
already (or almost finished.)
If this is a request_module issue, and you care about 4.19.y kernels,
just add that module to the modprobe exclude list in userspace which
will prevent it from being loaded automatically. Or load it at boot
time.
And what specific commit resolved this issue in the older kernels? Have
you attempted to just backport that change to 4.19.y?
thanks,
greg k-h
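As an added illustration, not code from this thread or from the kernel, the interleaving quoted above modelled in userspace C with constructed, hypothetical names: Thread1 drops the lock around request_module(), Thread2's delete walker frees the action in that window, and Thread1 then touches the dead pointer at step [4]. The second function shows the generic mitigation of holding a reference across the unlocked window; it is a model of the pattern, not the upstream commit.

```c
#include <assert.h>
#include <stdbool.h>

/* Constructed userspace model of the race quoted above; names are
 * hypothetical, not the kernel's. An action is "freed" when its last
 * reference is dropped; the flag stands in for the memory going away. */
struct action { int refcnt; bool freed; };

static bool rtnl_held;
static void rtnl_lock(void)   { assert(!rtnl_held); rtnl_held = true; }
static void rtnl_unlock(void) { assert(rtnl_held);  rtnl_held = false; }

/* Thread2: tcf_del_walker -> __tcf_idr_release -> free_tcf, modelled as
 * dropping the idr's reference on the action. */
static void del_walker(struct action *a)
{
    if (--a->refcnt == 0)
        a->freed = true;
}

/* Vulnerable shape: Thread1 keeps a raw pointer to an already-initialised
 * action across the rtnl_unlock()/rtnl_lock() window that request_module()
 * needs. Returns true if step [4] would read freed memory. */
bool init_then_destroy_raw(struct action *a)
{
    rtnl_lock();
    rtnl_unlock();              /* [2]: lock dropped for request_module() */
    del_walker(a);              /* Thread2 runs in the window: [3] free_tcf(p) */
    rtnl_lock();
    bool uaf = a->freed;        /* [4]: ops = a->ops on a dead object */
    rtnl_unlock();
    return uaf;
}

/* Mitigation pattern (generic, not the upstream commit): take a reference
 * before dropping the lock, so the walker can only drop its own reference. */
bool init_then_destroy_refheld(struct action *a)
{
    rtnl_lock();
    a->refcnt++;                /* our reference keeps the object alive */
    rtnl_unlock();
    del_walker(a);              /* idr reference gone; object still live */
    rtnl_lock();
    bool uaf = a->freed;        /* false: still referenced at [4] */
    if (--a->refcnt == 0)       /* release: freed here, after our last use */
        a->freed = true;
    rtnl_unlock();
    return uaf;
}
```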