summaryrefslogtreecommitdiff
path: root/net/ipv6
diff options
context:
space:
mode:
authorPedro Tammela <pctammela@mojatatu.com>2023-02-09 17:37:39 +0300
committerJakub Kicinski <kuba@kernel.org>2023-02-11 06:38:27 +0300
commitee059170b1f7e94e55fa6cadee544e176a6e59c2 (patch)
tree5f80bebda9f0f2e6e73dce02aebaddde6075fcec /net/ipv6
parenta1221703a0f75a9d81748c516457e0fc76951496 (diff)
downloadlinux-ee059170b1f7e94e55fa6cadee544e176a6e59c2.tar.xz
net/sched: tcindex: update imperfect hash filters respecting rcu
The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. CPU 0: CPU 1: tcindex_set_parms tcindex_classify tcindex_lookup tcindex_lookup tcf_exts_change tcf_exts_exec [UAF] Stop operating on the shared area directly, by using a local copy, and update the filter with 'rcu_replace_pointer()'. Delete the old filter version only after a rcu grace period elapsed. Fixes: 9b0d4446b569 ("net: sched: avoid atomic swap in tcf_exts_change") Reported-by: valis <sec@valis.email> Suggested-by: valis <sec@valis.email> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Pedro Tammela <pctammela@mojatatu.com> Link: https://lore.kernel.org/r/20230209143739.279867-1-pctammela@mojatatu.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/ipv6')
0 files changed, 0 insertions, 0 deletions