From: Greg KH <gregkh@linuxfoundation.org>
To: Rishabh Bhatnagar <risbhat@amazon.com>
Cc: lee@kernel.org, davem@davemloft.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Eric Dumazet <edumazet@google.com>,
Jamal Hadi Salim <jhs@mojatatu.com>
Subject: Re: [PATCH 4.14] net/sched: cls_u32: Fix reference counter leak leading to overflow
Date: Tue, 1 Aug 2023 10:24:32 +0200 [thread overview]
Message-ID: <2023080102-certified-unrivaled-a048@gregkh> (raw)
In-Reply-To: <20230727191554.21333-1-risbhat@amazon.com>
On Thu, Jul 27, 2023 at 07:15:54PM +0000, Rishabh Bhatnagar wrote:
> From: Lee Jones <lee@kernel.org>
>
> Upstream commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
>
> In the event of a failure in tcf_change_indev(), u32_set_parms() will
> immediately return without decrementing the recently incremented
> reference counter. If this happens enough times, the counter will
> rollover and the reference freed, leading to a double free which can be
> used to do 'bad things'.
>
> In order to prevent this, move the point of possible failure above the
> point where the reference counter is incremented. Also save any
> meaningful return values to be applied to the return data at the
> appropriate point in time.
>
> This issue was caught with KASAN.
>
> Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
> Suggested-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Lee Jones <lee@kernel.org>
> Reviewed-by: Eric Dumazet <edumazet@google.com>
> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Rishabh Bhatnagar <risbhat@amazon.com>
> ---
> net/sched/cls_u32.c | 21 ++++++++++++++-------
> 1 file changed, 14 insertions(+), 7 deletions(-)
We need a 4.19.y backport before we can apply a 4.14.y version, as you
do not want to upgrade and have a regression.
thanks,
greg k-h
prev parent reply other threads:[~2023-08-01 8:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-27 19:15 [PATCH 4.14] net/sched: cls_u32: Fix reference counter leak leading to overflow Rishabh Bhatnagar
2023-07-27 21:32 ` SeongJae Park
2023-08-01 8:24 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2023080102-certified-unrivaled-a048@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jhs@mojatatu.com \
--cc=lee@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=risbhat@amazon.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).