| Message ID | 20230729123202.72406-1-jhs@mojatatu.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | net/sched Bind logic fixes for cls_fw, cls_u32 and cls_route | expand |
On 29/07/2023 09:31, Jamal Hadi Salim wrote: > From: valis <sec@valis.email> > > Three classifiers (cls_fw, cls_u32 and cls_route) always copy > tcf_result struct into the new instance of the filter on update. > > This causes a problem when updating a filter bound to a class, > as tcf_unbind_filter() is always called on the old instance in the > success path, decreasing filter_cnt of the still referenced class > and allowing it to be deleted, leading to a use-after-free. > > This patch set fixes this issue in all affected classifiers by no longer > copying the tcf_result struct from the old filter. > > v1 -> v2: > - Resubmission and SOB by Jamal > > valis (3): > net/sched: cls_u32: No longer copy tcf_result on update to avoid > use-after-free > net/sched: cls_fw: No longer copy tcf_result on update to avoid > use-after-free > net/sched: cls_route: No longer copy tcf_result on update to avoid > use-after-free > > net/sched/cls_fw.c | 1 - > net/sched/cls_route.c | 1 - > net/sched/cls_u32.c | 1 - > 3 files changed, 3 deletions(-) For the series, Reviewed-by: Victor Nogueira <victor@mojatatu.com>
On 29/07/2023 09:31, Jamal Hadi Salim wrote: > From: valis <sec@valis.email> > > Three classifiers (cls_fw, cls_u32 and cls_route) always copy > tcf_result struct into the new instance of the filter on update. > > This causes a problem when updating a filter bound to a class, > as tcf_unbind_filter() is always called on the old instance in the > success path, decreasing filter_cnt of the still referenced class > and allowing it to be deleted, leading to a use-after-free. > > This patch set fixes this issue in all affected classifiers by no longer > copying the tcf_result struct from the old filter. > > v1 -> v2: > - Resubmission and SOB by Jamal > > valis (3): > net/sched: cls_u32: No longer copy tcf_result on update to avoid > use-after-free > net/sched: cls_fw: No longer copy tcf_result on update to avoid > use-after-free > net/sched: cls_route: No longer copy tcf_result on update to avoid > use-after-free > > net/sched/cls_fw.c | 1 - > net/sched/cls_route.c | 1 - > net/sched/cls_u32.c | 1 - > 3 files changed, 3 deletions(-) > > -- > 2.34.1 For the series, Reviewed-by: Pedro Tammela <pctammela@mojatatu.com> Tested-by: Pedro Tammela <pctammela@mojatatu.com>
On Sat, Jul 29, 2023 at 7:32 PM Jamal Hadi Salim <jhs@mojatatu.com> wrote: > > From: valis <sec@valis.email> > > Three classifiers (cls_fw, cls_u32 and cls_route) always copy > tcf_result struct into the new instance of the filter on update. > > This causes a problem when updating a filter bound to a class, > as tcf_unbind_filter() is always called on the old instance in the > success path, decreasing filter_cnt of the still referenced class > and allowing it to be deleted, leading to a use-after-free. > > This patch set fixes this issue in all affected classifiers by no longer > copying the tcf_result struct from the old filter. > > v1 -> v2: > - Resubmission and SOB by Jamal > > valis (3): > net/sched: cls_u32: No longer copy tcf_result on update to avoid > use-after-free > net/sched: cls_fw: No longer copy tcf_result on update to avoid > use-after-free > net/sched: cls_route: No longer copy tcf_result on update to avoid > use-after-free > > net/sched/cls_fw.c | 1 - > net/sched/cls_route.c | 1 - > net/sched/cls_u32.c | 1 - > 3 files changed, 3 deletions(-) > For the series, Tested-by: M A Ramdhan <ramdhan@starlabs.sg> Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg> > -- > 2.34.1
Hello: This series was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>: On Sat, 29 Jul 2023 08:31:59 -0400 you wrote: > From: valis <sec@valis.email> > > Three classifiers (cls_fw, cls_u32 and cls_route) always copy > tcf_result struct into the new instance of the filter on update. > > This causes a problem when updating a filter bound to a class, > as tcf_unbind_filter() is always called on the old instance in the > success path, decreasing filter_cnt of the still referenced class > and allowing it to be deleted, leading to a use-after-free. > > [...] Here is the summary with links: - [net,v2,1/3] net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free https://git.kernel.org/netdev/net/c/3044b16e7c6f - [net,v2,2/3] net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free https://git.kernel.org/netdev/net/c/76e42ae83199 - [net,v2,3/3] net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free https://git.kernel.org/netdev/net/c/b80b829e9e2c You are awesome, thank you!
From: valis <sec@valis.email> Three classifiers (cls_fw, cls_u32 and cls_route) always copy tcf_result struct into the new instance of the filter on update. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. This patch set fixes this issue in all affected classifiers by no longer copying the tcf_result struct from the old filter. v1 -> v2: - Resubmission and SOB by Jamal valis (3): net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free net/sched/cls_fw.c | 1 - net/sched/cls_route.c | 1 - net/sched/cls_u32.c | 1 - 3 files changed, 3 deletions(-) -- 2.34.1