linux_dsm_epyc7002/net/sched
Jiri Pirko df45bf84e4 net: sched: fix use-after-free in tcf_block_put_ext
Since the block is freed with last chain being put, once we reach the
end of iteration of list_for_each_entry_safe, the block may be
already freed. I'm hitting this only by creating and deleting clsact:

[  202.171952] ==================================================================
[  202.180182] BUG: KASAN: use-after-free in tcf_block_put_ext+0x240/0x390
[  202.187590] Read of size 8 at addr ffff880225539a80 by task tc/796
[  202.194508]
[  202.196185] CPU: 0 PID: 796 Comm: tc Not tainted 4.15.0-rc2jiri+ #5
[  202.203200] Hardware name: Mellanox Technologies Ltd. "MSN2100-CB2F"/"SA001017", BIOS 5.6.5 06/07/2016
[  202.213613] Call Trace:
[  202.216369]  dump_stack+0xda/0x169
[  202.220192]  ? dma_virt_map_sg+0x147/0x147
[  202.224790]  ? show_regs_print_info+0x54/0x54
[  202.229691]  ? tcf_chain_destroy+0x1dc/0x250
[  202.234494]  print_address_description+0x83/0x3d0
[  202.239781]  ? tcf_block_put_ext+0x240/0x390
[  202.244575]  kasan_report+0x1ba/0x460
[  202.248707]  ? tcf_block_put_ext+0x240/0x390
[  202.253518]  tcf_block_put_ext+0x240/0x390
[  202.258117]  ? tcf_chain_flush+0x290/0x290
[  202.262708]  ? qdisc_hash_del+0x82/0x1a0
[  202.267111]  ? qdisc_hash_add+0x50/0x50
[  202.271411]  ? __lock_is_held+0x5f/0x1a0
[  202.275843]  clsact_destroy+0x3d/0x80 [sch_ingress]
[  202.281323]  qdisc_destroy+0xcb/0x240
[  202.285445]  qdisc_graft+0x216/0x7b0
[  202.289497]  tc_get_qdisc+0x260/0x560

Fix this by holding the block also by chain 0 and put chain 0
explicitly, out of the list_for_each_entry_safe loop at the very
end of tcf_block_put_ext.

Fixes: efbf789739 ("net_sched: get rid of rcu_barrier() in tcf_block_put_ext()")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:09:08 -05:00
..
act_api.c net_sched: remove unused parameter from act cleanup ops 2017-12-05 18:07:58 -05:00
act_bpf.c net_sched: remove unused parameter from act cleanup ops 2017-12-05 18:07:58 -05:00
act_connmark.c Revert "net_sched: hold netns refcnt for each action" 2017-11-09 10:03:09 +09:00
act_csum.c net: accept UFO datagrams from tuntap and packet 2017-11-24 01:37:35 +09:00
act_gact.c Revert "net_sched: hold netns refcnt for each action" 2017-11-09 10:03:09 +09:00
act_ife.c net_sched: remove unused parameter from act cleanup ops 2017-12-05 18:07:58 -05:00
act_ipt.c net_sched: remove unused parameter from act cleanup ops 2017-12-05 18:07:58 -05:00
act_meta_mark.c net sched actions: change IFE modules alias names 2017-10-12 22:13:20 -07:00
act_meta_skbprio.c net sched actions: change IFE modules alias names 2017-10-12 22:13:20 -07:00
act_meta_skbtcindex.c net sched actions: change IFE modules alias names 2017-10-12 22:13:20 -07:00
act_mirred.c act_mirred: get rid of mirred_list_lock spinlock 2017-12-06 14:50:13 -05:00
act_nat.c Revert "net_sched: hold netns refcnt for each action" 2017-11-09 10:03:09 +09:00
act_pedit.c net_sched: remove unused parameter from act cleanup ops 2017-12-05 18:07:58 -05:00
act_police.c Revert "net_sched: hold netns refcnt for each action" 2017-11-09 10:03:09 +09:00
act_sample.c net_sched: remove unused parameter from act cleanup ops 2017-12-05 18:07:58 -05:00
act_simple.c net_sched: remove unused parameter from act cleanup ops 2017-12-05 18:07:58 -05:00
act_skbedit.c Revert "net_sched: hold netns refcnt for each action" 2017-11-09 10:03:09 +09:00
act_skbmod.c net_sched: remove unused parameter from act cleanup ops 2017-12-05 18:07:58 -05:00
act_tunnel_key.c net_sched: remove unused parameter from act cleanup ops 2017-12-05 18:07:58 -05:00
act_vlan.c net_sched: remove unused parameter from act cleanup ops 2017-12-05 18:07:58 -05:00
cls_api.c net: sched: fix use-after-free in tcf_block_put_ext 2017-12-08 14:09:08 -05:00
cls_basic.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-10 10:00:18 +09:00
cls_bpf.c cls_bpf: don't decrement net's refcount when offload fails 2017-11-28 15:49:44 -05:00
cls_cgroup.c cls_cgroup: use tcf_exts_get_net() before call_rcu() 2017-11-09 10:03:09 +09:00
cls_flow.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-10 10:00:18 +09:00
cls_flower.c flow_dissector: dissect tunnel info outside __skb_flow_dissect() 2017-12-05 12:09:18 -05:00
cls_fw.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-10 10:00:18 +09:00
cls_matchall.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-10 10:00:18 +09:00
cls_route.c cls_route: use tcf_exts_get_net() before call_rcu() 2017-11-09 10:03:10 +09:00
cls_rsvp6.c
cls_rsvp.c
cls_rsvp.h cls_rsvp: use tcf_exts_get_net() before call_rcu() 2017-11-09 10:03:10 +09:00
cls_tcindex.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-10 10:00:18 +09:00
cls_u32.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-10 10:00:18 +09:00
em_canid.c
em_cmp.c
em_ipset.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
em_meta.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
em_nbyte.c
em_text.c
em_u32.c
ematch.c net: sched: ematch: obtain net pointer from blocks 2017-10-16 21:00:40 +01:00
Kconfig net/sched: Introduce Credit Based Shaper (CBS) qdisc 2017-10-27 09:48:02 -07:00
Makefile Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
sch_api.c net: sched: pfifo_fast use skb_array 2017-12-08 13:32:26 -05:00
sch_atm.c net: sched: store Qdisc pointer in struct block 2017-10-16 21:00:40 +01:00
sch_blackhole.c net_sched: drop packets after root qdisc lock is released 2016-06-25 12:19:35 -04:00
sch_cbq.c net: sched: cbq: create block for q->link.block 2017-11-28 16:04:26 -05:00
sch_cbs.c net_sch: cbs: Change TC_SETUP_CBS to TC_SETUP_QDISC_CBS 2017-11-08 12:23:38 +09:00
sch_choke.c treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
sch_codel.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_drr.c net: sched: mark expected switch fall-throughs 2017-10-22 02:07:08 +01:00
sch_dsmark.c net: sched: store Qdisc pointer in struct block 2017-10-16 21:00:40 +01:00
sch_fifo.c sched: don't use skb queue helpers 2016-09-19 01:47:18 -04:00
sch_fq_codel.c net: sched: mark expected switch fall-throughs 2017-10-22 02:07:08 +01:00
sch_fq.c mm, tree wide: replace __GFP_REPEAT by __GFP_RETRY_MAYFAIL with more useful semantic 2017-07-12 16:26:03 -07:00
sch_generic.c net: sched: pfifo_fast use skb_array 2017-12-08 13:32:26 -05:00
sch_gred.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_hfsc.c net: sched: mark expected switch fall-throughs 2017-10-22 02:07:08 +01:00
sch_hhf.c sch_hhf: fix null pointer dereference on init failure 2017-08-30 15:26:11 -07:00
sch_htb.c net: sched: mark expected switch fall-throughs 2017-10-22 02:07:08 +01:00
sch_ingress.c net: core: introduce mini_Qdisc and eliminate usage of tp->q for clsact fastpath 2017-11-03 21:57:24 +09:00
sch_mq.c net: sched: add support for TCQ_F_NOLOCK subqueues to sch_mqprio 2017-12-08 13:32:26 -05:00
sch_mqprio.c net: sched: add support for TCQ_F_NOLOCK subqueues to sch_mqprio 2017-12-08 13:32:26 -05:00
sch_multiq.c net: sched: mark expected switch fall-throughs 2017-10-22 02:07:08 +01:00
sch_netem.c netem: remove unnecessary 64 bit modulus 2017-11-15 14:14:16 +09:00
sch_pie.c net: sched: Convert timers to use timer_setup() 2017-10-18 12:39:54 +01:00
sch_plug.c net_sched: drop packets after root qdisc lock is released 2016-06-25 12:19:35 -04:00
sch_prio.c net: sched: mark expected switch fall-throughs 2017-10-22 02:07:08 +01:00
sch_qfq.c net: sched: mark expected switch fall-throughs 2017-10-22 02:07:08 +01:00
sch_red.c net/sched/sch_red.c: work around gcc-4.4.4 anon union initializer issue 2017-11-13 10:33:07 +09:00
sch_sfb.c net: sched: mark expected switch fall-throughs 2017-10-22 02:07:08 +01:00
sch_sfq.c sch_sfq: fix null pointer dereference at timer expiration 2017-11-28 15:54:05 -05:00
sch_tbf.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_teql.c net: make ndo_get_stats64 a void function 2017-01-08 17:51:44 -05:00