[PATCH net] net: cls_flower: Remove filter from mask before freeing it

[PATCH net] net: cls_flower: Remove filter from mask before freeing it

[Petr Machata]

In fl_change(), when adding a new rule (i.e. fold == NULL), a driver may
reject the new rule, for example due to resource exhaustion. By that
point, the new rule was already assigned a mask, and it was added to
that mask's hash table. The clean-up path that's invoked as a result of
the rejection however neglects to undo the hash table addition, and
proceeds to free the new rule, thus leaving a dangling pointer in the
hash table.

Fix by removing fnew from the mask's hash table before it is freed.

Fixes: 35cc3cefc4de ("net/sched: cls_flower: Reject duplicated rules
also under skip_sw")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Reviewed-by: Ido Schimmel <idosch@mellanox.com>
---

Notes:
    Note that this is covered by mirror_gre_scale test in
    tools/testing/selftests/drivers/net/mlxsw/spectrum/resource_scale.sh

 net/sched/cls_flower.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index f6aa57fbbbaf..12ca9d13db83 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -1371,7 +1371,7 @@ static int fl_change(struct net *net, struct sk_buff *in_skb,
 	if (!tc_skip_hw(fnew->flags)) {
 		err = fl_hw_replace_filter(tp, fnew, extack);
 		if (err)
-			goto errout_mask;
+			goto errout_mask_ht;
 	}
 
 	if (!tc_in_hw(fnew->flags))
@@ -1401,6 +1401,10 @@ static int fl_change(struct net *net, struct sk_buff *in_skb,
 	kfree(mask);
 	return 0;
 
+errout_mask_ht:
+	rhashtable_remove_fast(&fnew->mask->ht, &fnew->ht_node,
+			       fnew->mask->filter_ht_params);
+
 errout_mask:
 	fl_mask_put(head, fnew->mask, false);
 
-- 
2.4.11

Re: [PATCH net] net: cls_flower: Remove filter from mask before freeing it

[David Miller]

From: Petr Machata <petrm@mellanox.com>
Date: Mon, 4 Feb 2019 14:50:38 +0000

> In fl_change(), when adding a new rule (i.e. fold == NULL), a driver may
> reject the new rule, for example due to resource exhaustion. By that
> point, the new rule was already assigned a mask, and it was added to
> that mask's hash table. The clean-up path that's invoked as a result of
> the rejection however neglects to undo the hash table addition, and
> proceeds to free the new rule, thus leaving a dangling pointer in the
> hash table.
> 
> Fix by removing fnew from the mask's hash table before it is freed.
> 
> Fixes: 35cc3cefc4de ("net/sched: cls_flower: Reject duplicated rules
> also under skip_sw")

Please do not break up lone Fixes: tag lines in the future, I fixed it
up for you this time.

> Signed-off-by: Petr Machata <petrm@mellanox.com>
> Acked-by: Jiri Pirko <jiri@mellanox.com>
> Reviewed-by: Ido Schimmel <idosch@mellanox.com>

Applied and queued up for -stable.

Re: [PATCH net] net: cls_flower: Remove filter from mask before freeing it

[Petr Machata]

David Miller <davem@davemloft.net> writes:

> From: Petr Machata <petrm@mellanox.com>
> Date: Mon, 4 Feb 2019 14:50:38 +0000
>
>> In fl_change(), when adding a new rule (i.e. fold == NULL), a driver may
>> reject the new rule, for example due to resource exhaustion. By that
>> point, the new rule was already assigned a mask, and it was added to
>> that mask's hash table. The clean-up path that's invoked as a result of
>> the rejection however neglects to undo the hash table addition, and
>> proceeds to free the new rule, thus leaving a dangling pointer in the
>> hash table.
>> 
>> Fix by removing fnew from the mask's hash table before it is freed.
>> 
>> Fixes: 35cc3cefc4de ("net/sched: cls_flower: Reject duplicated rules
>> also under skip_sw")
>
> Please do not break up lone Fixes: tag lines in the future, I fixed it
> up for you this time.

Sorry about that and thanks.