git.baikalelectronics.ru Git - kernel.git/commit

author	Roman Kapl <code@rkapl.cz>
	Fri, 24 Nov 2017 11:27:58 +0000 (12:27 +0100)
committer	David S. Miller <davem@davemloft.net>
	Sat, 25 Nov 2017 14:57:20 +0000 (23:57 +0900)
commit	10f6aabe7ca2015818d0401d7744fab21bc2966a
tree	704071b30c9bb4a5fa8658d05961653625bb3651	tree \| snapshot
parent	f21a1935e5999b6fcea5945e1f1fa1c846cc7b9b	commit \| diff

net: sched: crash on blocks with goto chain action

tcf_block_put_ext has assumed that all filters (and thus their goto
actions) are destroyed in RCU callback and thus can not race with our
list iteration. However, that is not true during netns cleanup (see
tcf_exts_get_net comment).

Prevent the user after free by holding all chains (except 0, that one is
already held). foreach_safe is not enough in this case.

To reproduce, run the following in a netns and then delete the ns:
    ip link add dtest type dummy
    tc qdisc add dev dtest ingress
    tc filter add dev dtest chain 1 parent ffff: handle 1 prio 1 flower action goto chain 2

Fixes: ab03774e90 ("net_sched: remove tcf_block_put_deferred()")
Signed-off-by: Roman Kapl <code@rkapl.cz>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>