| commit | 6ad610c565f244fe339f5b6b22ee309ed7ae882f | [log] [tgz] |
|---|---|---|
| author | Pedro Tammela <[email protected]> | Thu Feb 09 11:37:39 2023 -0300 |
| committer | Robert Kolchmeyer <[email protected]> | Sat Mar 11 00:29:39 2023 +0000 |
| tree | aeeb880fea8d52f7e5e1bcebe2aaf9c3ad5b7a8e | |
| parent | 6947a95cc7172abca5cceca3ed9454da47dd1407 [diff] |
net/sched: tcindex: update imperfect hash filters respecting rcu
commit ee059170b1f7e94e55fa6cadee544e176a6e59c2 upstream.
The imperfect hash area can be updated while packets are traversing,
which will cause a use-after-free when 'tcf_exts_exec()' is called
with the destroyed tcf_ext.
CPU 0: CPU 1:
tcindex_set_parms tcindex_classify
tcindex_lookup
tcindex_lookup
tcf_exts_change
tcf_exts_exec [UAF]
Stop operating on the shared area directly, by using a local copy,
and update the filter with 'rcu_replace_pointer()'. Delete the old
filter version only after a rcu grace period elapsed.
Fixes: 9b0d4446b569 ("net: sched: avoid atomic swap in tcf_exts_change")
Reported-by: valis <[email protected]>
Suggested-by: valis <[email protected]>
Signed-off-by: Jamal Hadi Salim <[email protected]>
Signed-off-by: Pedro Tammela <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit becf55394f6acb60dd60634a1c797e73c747f9da)
Signed-off-by: Robert Kolchmeyer <[email protected]>
BUG=b/272275066
TEST=presubmit
RELEASE_NOTE=Fixed a use-after-free issue in net/sched in the Linux kernel.
cos-patch: bug
Change-Id: I90db125604863e762c398882d92a4807dd3ee6b1
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/44712
Tested-by: Cusky Presubmit Bot <[email protected]>
Reviewed-by: Oleksandr Tymoshenko <[email protected]>