diff options
author | Pedro Tammela <pctammela@mojatatu.com> | 2023-02-09 17:37:39 +0300 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2023-02-11 06:38:27 +0300 |
commit | ee059170b1f7e94e55fa6cadee544e176a6e59c2 (patch) | |
tree | 5f80bebda9f0f2e6e73dce02aebaddde6075fcec /net/nsh | |
parent | a1221703a0f75a9d81748c516457e0fc76951496 (diff) | |
download | linux-ee059170b1f7e94e55fa6cadee544e176a6e59c2.tar.xz |
net/sched: tcindex: update imperfect hash filters respecting rcu
The imperfect hash area can be updated while packets are traversing,
which will cause a use-after-free when 'tcf_exts_exec()' is called
with the destroyed tcf_ext.
CPU 0: CPU 1:
tcindex_set_parms tcindex_classify
tcindex_lookup
tcindex_lookup
tcf_exts_change
tcf_exts_exec [UAF]
Stop operating on the shared area directly, by using a local copy,
and update the filter with 'rcu_replace_pointer()'. Delete the old
filter version only after a rcu grace period elapsed.
Fixes: 9b0d4446b569 ("net: sched: avoid atomic swap in tcf_exts_change")
Reported-by: valis <sec@valis.email>
Suggested-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Link: https://lore.kernel.org/r/20230209143739.279867-1-pctammela@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/nsh')
0 files changed, 0 insertions, 0 deletions