diff options
| author |  Pedro Tammela <pctammela@mojatatu.com>
| 2023-02-09 11:37:39 -0300 |
|---|---|---|
| committer |  Jakub Kicinski <kuba@kernel.org>
| 2023-02-10 19:38:27 -0800 |
| commit | ee059170b1f7e94e55fa6cadee544e176a6e59c2 (patch) | |
| tree | 5f80bebda9f0f2e6e73dce02aebaddde6075fcec /scripts | |
| parent | sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list (diff) | |
| download | linux-ee059170b1f7e94e55fa6cadee544e176a6e59c2.tar.gz linux-ee059170b1f7e94e55fa6cadee544e176a6e59c2.tar.bz2 linux-ee059170b1f7e94e55fa6cadee544e176a6e59c2.zip | |
net/sched: tcindex: update imperfect hash filters respecting rcu
The imperfect hash area can be updated while packets are traversing,
which will cause a use-after-free when 'tcf_exts_exec()' is called
with the destroyed tcf_ext.
CPU 0: CPU 1:
tcindex_set_parms tcindex_classify
tcindex_lookup
tcindex_lookup
tcf_exts_change
tcf_exts_exec [UAF]
Stop operating on the shared area directly, by using a local copy,
and update the filter with 'rcu_replace_pointer()'. Delete the old
filter version only after a rcu grace period elapsed.
Fixes: 9b0d4446b569 ("net: sched: avoid atomic swap in tcf_exts_change")
Reported-by: valis <sec@valis.email>
Suggested-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Link: https://lore.kernel.org/r/20230209143739.279867-1-pctammela@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions