| commit | 8935ea9dc29fcbed1b899f88e5d9ba38d6f2e9a0 | [log] [tgz] |
|---|---|---|
| author | Pedro Tammela <[email protected]> | Thu Feb 09 11:37:39 2023 -0300 |
| committer | Robert Kolchmeyer <[email protected]> | Mon Mar 13 17:31:02 2023 +0000 |
| tree | 3b37a5f06543f031c9ed46856cecb01eedfc1fad | |
| parent | 208d6e1a64e623b491a290b6a8ecc563f2b99dde [diff] |
net/sched: tcindex: update imperfect hash filters respecting rcu
commit ee059170b1f7e94e55fa6cadee544e176a6e59c2 upstream.
The imperfect hash area can be updated while packets are traversing,
which will cause a use-after-free when 'tcf_exts_exec()' is called
with the destroyed tcf_ext.
CPU 0: CPU 1:
tcindex_set_parms tcindex_classify
tcindex_lookup
tcindex_lookup
tcf_exts_change
tcf_exts_exec [UAF]
Stop operating on the shared area directly, by using a local copy,
and update the filter with 'rcu_replace_pointer()'. Delete the old
filter version only after a rcu grace period elapsed.
Fixes: 9b0d4446b569 ("net: sched: avoid atomic swap in tcf_exts_change")
Reported-by: valis <[email protected]>
Suggested-by: valis <[email protected]>
Signed-off-by: Jamal Hadi Salim <[email protected]>
Signed-off-by: Pedro Tammela <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit eb8e9d8572d1d9df17272783ad8a84843ce559d4)
Signed-off-by: Robert Kolchmeyer <[email protected]>
BUG=b/272275066
TEST=presubmit
RELEASE_NOTE=Fixed a use-after-free issue in net/sched in the Linux kernel.
cos-patch: bug
Change-Id: I3d70d94547a4d5919632d2b717a7e846e07bdbce
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/44767
Reviewed-by: Oleksandr Tymoshenko <[email protected]>
Tested-by: Cusky Presubmit Bot <[email protected]>