net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker - linux.git

diff options

author	Jiri Pirko	2017-09-13 17:32:37 +0200
committer	David S. Miller	2017-09-13 09:34:08 -0700
commit	255cd50f207ae8ec7b22663246c833407744e634 (patch)
tree	8c98c50e192e780bfa9d845b4c7e416cb3ae9d3a /ipc/sem.c
parent	822f8565c93949fb2d31502d595c8bc45629c9b7 (diff)

net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker

Recent commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") removed freeing in call_rcu, which changed already existing hard-to-hit race condition into 100% hit: [ 598.599825] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [ 598.607782] IP: tcf_action_destroy+0xc0/0x140 Or: [ 40.858924] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [ 40.862840] IP: tcf_generic_walker+0x534/0x820 Fix this by storing the ops and use them directly for module_put call. Fixes: a85a970af265 ("net_sched: move tc_action into tcf_common") Signed-off-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'ipc/sem.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: