From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Dumazet Subject: Re: [PATCH net-next] net: sched: fix unprotected access to rcu cookie pointer Date: Mon, 9 Jul 2018 13:51:41 -0700 Message-ID: <2859e5ba-7d4f-a5eb-1360-979c09b7f71c@gmail.com> References: <1531157207-10850-1-git-send-email-vladbu@mellanox.com> <20180709203415.GB10923@localhost.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Cc: netdev@vger.kernel.org, davem@davemloft.net, jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us To: Marcelo Ricardo Leitner , Vlad Buslov Return-path: Received: from mail-pg1-f196.google.com ([209.85.215.196]:43605 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932928AbeGIUvs (ORCPT ); Mon, 9 Jul 2018 16:51:48 -0400 Received: by mail-pg1-f196.google.com with SMTP id v13-v6so1498322pgr.10 for ; Mon, 09 Jul 2018 13:51:47 -0700 (PDT) In-Reply-To: <20180709203415.GB10923@localhost.localdomain> Content-Language: en-US Sender: netdev-owner@vger.kernel.org List-ID: On 07/09/2018 01:34 PM, Marcelo Ricardo Leitner wrote: > I am not sure if this is enough to fix the entire issue. Now it will > fetch the length correctly but, what guarantees that when it tries to > actually copy the key (tcf_action_dump_1), the same act_cookie pointer > will be used? As in, can't the new re-fetch be different/smaller than > the object used here? > Yes, this presumably should use rtnl_dereference() RTNL should be held between tcf_action_shared_attrs_size() and tcf_action_dump_1() Although it might not be the case anymore, we keep changing this RTNL requirement in dump operations ;)