From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jiri Pirko <jiri@mellanox.com>,
"David S. Miller" <davem@davemloft.net>,
Cong Wang <xiyou.wangcong@gmail.com>
Subject: [PATCH 4.14 115/115] net: sched: fix use-after-free in tcf_block_put_ext
Date: Fri, 2 Mar 2018 09:51:58 +0100
Message-ID: <20180302084508.490842564@linuxfoundation.org>
In-Reply-To: <20180302084503.856536800@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jiri Pirko <jiri@mellanox.com>

commit df45bf84e4f5a48f23d4b1a07d21d566e8b587b2 upstream.

Since the block is freed with last chain being put, once we reach the
end of iteration of list_for_each_entry_safe, the block may be
already freed. I'm hitting this only by creating and deleting clsact:

[ 202.171952] ==================================================================
[ 202.180182] BUG: KASAN: use-after-free in tcf_block_put_ext+0x240/0x390
[ 202.187590] Read of size 8 at addr ffff880225539a80 by task tc/796
[ 202.194508]
[ 202.196185] CPU: 0 PID: 796 Comm: tc Not tainted 4.15.0-rc2jiri+ #5
[ 202.203200] Hardware name: Mellanox Technologies Ltd. "MSN2100-CB2F"/"SA001017", BIOS 5.6.5 06/07/2016
[ 202.213613] Call Trace:
[ 202.216369] dump_stack+0xda/0x169
[ 202.220192] ? dma_virt_map_sg+0x147/0x147
[ 202.224790] ? show_regs_print_info+0x54/0x54
[ 202.229691] ? tcf_chain_destroy+0x1dc/0x250
[ 202.234494] print_address_description+0x83/0x3d0
[ 202.239781] ? tcf_block_put_ext+0x240/0x390
[ 202.244575] kasan_report+0x1ba/0x460
[ 202.248707] ? tcf_block_put_ext+0x240/0x390
[ 202.253518] tcf_block_put_ext+0x240/0x390
[ 202.258117] ? tcf_chain_flush+0x290/0x290
[ 202.262708] ? qdisc_hash_del+0x82/0x1a0
[ 202.267111] ? qdisc_hash_add+0x50/0x50
[ 202.271411] ? __lock_is_held+0x5f/0x1a0
[ 202.275843] clsact_destroy+0x3d/0x80 [sch_ingress]
[ 202.281323] qdisc_destroy+0xcb/0x240
[ 202.285445] qdisc_graft+0x216/0x7b0
[ 202.289497] tc_get_qdisc+0x260/0x560

Fix this by holding the block also by chain 0 and put chain 0
explicitly, out of the list_for_each_entry_safe loop at the very
end of tcf_block_put_ext.

Fixes: efbf78973978 ("net_sched: get rid of rcu_barrier() in tcf_block_put_ext()")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/cls_api.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -290,21 +290,22 @@ void tcf_block_put(struct tcf_block *blo
if (!block)
return;
- /* Hold a refcnt for all chains, except 0, so that they don't disappear
+ /* Hold a refcnt for all chains, so that they don't disappear
* while we are iterating.
*/
list_for_each_entry(chain, &block->chain_list, list)
- if (chain->index)
- tcf_chain_hold(chain);
+ tcf_chain_hold(chain);
list_for_each_entry(chain, &block->chain_list, list)
tcf_chain_flush(chain);
- /* At this point, all the chains should have refcnt >= 1. Block will be
- * freed after all chains are gone.
- */
+ /* At this point, all the chains should have refcnt >= 1. */
list_for_each_entry_safe(chain, tmp, &block->chain_list, list)
tcf_chain_put(chain);
+
+ /* Finally, put chain 0 and allow block to be freed. */
+ chain = list_first_entry(&block->chain_list, struct tcf_chain, list);
+ tcf_chain_put(chain);
}
EXPORT_SYMBOL(tcf_block_put);
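
Review bot: the last two added lines take `list_first_entry(&block->chain_list, struct tcf_chain, list)` and put it as chain 0, but nothing visible in this hunk guarantees that the list is still non-empty after the `list_for_each_entry_safe` loop or that its first entry is the chain with index 0; `list_first_entry` on an empty list returns a pointer computed from the list head itself, not NULL. The new comment should spell out the invariant being relied on (chain 0 still has a reference left after the loop and sits first in `chain_list`), or the code should check it, for example with `list_first_entry_or_null` and a `WARN_ON`. Separately, the subject and changelog name `tcf_block_put_ext` while this hunk modifies `tcf_block_put`; a one-line backport note in the changelog would make that adaptation explicit.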