From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:57174 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932290AbdJJOKf (ORCPT ); Tue, 10 Oct 2017 10:10:35 -0400
Subject: Patch "net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker" has been added to the 4.9-stable tree
To: jiri@mellanox.com, davem@davemloft.net, gregkh@linuxfoundation.org
Cc: ,
From:
Date: Tue, 10 Oct 2017 16:10:24 +0200
Message-ID: <150764462423138@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-sched-fix-use-after-free-in-tcf_action_destroy-and-tcf_del_walker.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.

>>From foo@baz Tue Oct 10 16:09:22 CEST 2017
From: Jiri Pirko
Date: Wed, 13 Sep 2017 17:32:37 +0200
Subject: net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker

From: Jiri Pirko [ Upstream commit 255cd50f207ae8ec7b22663246c833407744e634 ] Recent commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") removed freeing in call_rcu, which changed already existing hard-to-hit race condition into 100% hit: [ 598.599825] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [ 598.607782] IP: tcf_action_destroy+0xc0/0x140 Or: [ 40.858924] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [ 40.862840] IP: tcf_generic_walker+0x534/0x820 Fix this by storing the ops and use them directly for module_put call. Fixes: a85a970af265 ("net_sched: move tc_action into tcf_common") Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sched/act_api.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/net/sched/act_api.c +++ b/net/sched/act_api.c @@ -141,7 +141,7 @@ static int tcf_del_walker(struct tcf_has hlist_for_each_entry_safe(p, n, head, tcfa_head) { ret = __tcf_hash_release(p, false, true); if (ret == ACT_P_DELETED) { - module_put(p->ops->owner); + module_put(ops->owner); n_i++; } else if (ret < 0) goto nla_put_failure; @@ -450,13 +450,15 @@ EXPORT_SYMBOL(tcf_action_exec); int tcf_action_destroy(struct list_head *actions, int bind) { + const struct tc_action_ops *ops; struct tc_action *a, *tmp; int ret = 0; list_for_each_entry_safe(a, tmp, actions, list) { + ops = a->ops; ret = __tcf_hash_release(a, bind, true); if (ret == ACT_P_DELETED) - module_put(a->ops->owner); + module_put(ops->owner); else if (ret < 0) return ret; } Patches currently in stable-queue which might be from jiri@mellanox.com are queue-4.9/net-sched-fix-use-after-free-in-tcf_action_destroy-and-tcf_del_walker.patch queue-4.9/mlxsw-spectrum-prevent-mirred-related-crash-on-removal.patch
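Review bot: In the tcf_del_walker hunk (@@ -141,7 +141,7 @@), the new module_put(ops->owner) uses an `ops` that is neither declared nor assigned anywhere in the visible lines, and the function signature in the hunk header is cut off, so the hunk alone does not show where the pointer comes from. For the 4.9 backport it is worth confirming that `ops` is in scope in this function in the 4.9 tree and that it is guaranteed to be the same ops as `p->ops` for every entry the hlist_for_each_entry_safe() loop visits; otherwise the module reference would be dropped on the wrong owner. A one-line comment above the call stating that `p` may already be freed by __tcf_hash_release() when it returns ACT_P_DELETED would keep a later cleanup from restoring `p->ops->owner`.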
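Review bot: In the tcf_action_destroy hunk (@@ -450,13 +450,15 @@), the ordering of `ops = a->ops;` before `__tcf_hash_release(a, bind, true);` is what makes the fix work, but nothing in the code says so. Please add a short comment at the assignment, for example "a may be freed by __tcf_hash_release(), so cache ops first", since the two lines look like a needless temporary and are an easy target for a future simplification back to `a->ops->owner`. The same reasoning applies to any other caller that touches the action after a release returning ACT_P_DELETED; only these two sites are covered by the visible hunks, so a quick audit of the remaining callers in the 4.9 tree would be a reasonable follow-up.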