Vlad Buslov 275a2c08c3 net: sched: flower: insert new filter to idr after setting its mask ... [ Upstream commit ecb3dea400 ] When adding new filter to flower classifier, fl_change() inserts it to handle_idr before initializing filter extensions and assigning it a mask. Normally this ordering doesn't matter because all flower classifier ops callbacks assume rtnl lock protection. However, when filter has an action that doesn't have its kernel module loaded, rtnl lock is released before call to request_module(). During this time the filter can be accessed bu concurrent task before its initialization is completed, which can lead to a crash. Example case of NULL pointer dereference in concurrent dump: Task 1 Task 2 tc_new_tfilter() fl_change() idr_alloc_u32(fnew) fl_set_parms() tcf_exts_validate() tcf_action_init() tcf_action_init_1() rtnl_unlock() request_module() ... rtnl_lock() tc_dump_tfilter() tcf_chain_dump() fl_walk() idr_get_next_ul() tcf_node_dump() tcf_fill_node() fl_dump() mask = &f->mask->key; <- NULL ptr rtnl_lock() Extension initialization and mask assignment don't depend on fnew->handle that is allocated by idr_alloc_u32(). Move idr allocation code after action creation and mask assignment in fl_change() to prevent concurrent access to not fully initialized filter when rtnl lock is released to load action module. Fixes: 01683a1469 ("net: sched: refactor flower walk to iterate over idr") Signed-off-by: Vlad Buslov <vladbu@mellanox.com> Reviewed-by: Roi Dayan <roid@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2019-03-19 13:12:41 +01:00
..
act_api.c	net: sched: null actions array pointer before releasing action	2018-09-03 21:47:33 -07:00
act_bpf.c	net_sched: remove unnecessary ops->delete()	2018-08-21 12:45:44 -07:00
act_connmark.c	net_sched: remove unnecessary ops->delete()	2018-08-21 12:45:44 -07:00
act_csum.c	net_sched: remove unnecessary ops->delete()	2018-08-21 12:45:44 -07:00
act_gact.c	net_sched: remove unnecessary ops->delete()	2018-08-21 12:45:44 -07:00
act_ife.c	net: sched: action_ife: take reference to meta module	2018-09-04 12:20:21 -07:00
act_ipt.c	net/sched: act_ipt: fix refcount leak when replace fails	2019-03-10 07:17:20 +01:00
act_meta_mark.c	net: remove duplicate includes	2017-12-13 13:18:46 -05:00
act_meta_skbprio.c	net sched actions: change IFE modules alias names	2017-10-12 22:13:20 -07:00
act_meta_skbtcindex.c	net: remove duplicate includes	2017-12-13 13:18:46 -05:00
act_mirred.c	net_sched: remove unnecessary ops->delete()	2018-08-21 12:45:44 -07:00
act_nat.c	net_sched: remove unnecessary ops->delete()	2018-08-21 12:45:44 -07:00
act_pedit.c	net/sched: act_pedit: fix memory leak when IDR allocation fails	2018-11-23 08:17:03 +01:00
act_police.c	net_sched: remove unnecessary ops->delete()	2018-08-21 12:45:44 -07:00
act_sample.c	net/sched: act_sample: fix NULL dereference in the data path	2018-09-14 08:46:28 -07:00
act_simple.c	net_sched: remove unnecessary ops->delete()	2018-08-21 12:45:44 -07:00
act_skbedit.c	net/sched: act_skbedit: fix refcount leak when replace fails	2019-03-10 07:17:20 +01:00
act_skbmod.c	net_sched: remove unnecessary ops->delete()	2018-08-21 12:45:44 -07:00
act_tunnel_key.c	net: sched: act_tunnel_key: fix NULL pointer dereference during init	2019-03-10 07:17:20 +01:00
act_vlan.c	net_sched: remove unnecessary ops->delete()	2018-08-21 12:45:44 -07:00
cls_api.c	net_sched: refetch skb protocol for each filter	2019-01-31 08:14:31 +01:00
cls_basic.c	sched: fix trailing whitespace	2018-07-24 14:10:42 -07:00
cls_bpf.c	cls_bpf: Use kmemdup instead of duplicating it in cls_bpf_prog_from_ops	2018-07-29 13:19:49 -07:00
cls_cgroup.c	net_sched: switch to rcu_work	2018-05-24 22:56:15 -04:00
cls_flow.c	net_sched: switch to rcu_work	2018-05-24 22:56:15 -04:00
cls_flower.c	net: sched: flower: insert new filter to idr after setting its mask	2019-03-19 13:12:41 +01:00
cls_fw.c	net_sched: switch to rcu_work	2018-05-24 22:56:15 -04:00
cls_matchall.c	cls_matchall: fix tcf_unbind_filter missing	2018-08-16 12:08:26 -07:00
cls_route.c	net_sched: switch to rcu_work	2018-05-24 22:56:15 -04:00
cls_rsvp.c
cls_rsvp.h	net_sched: switch to rcu_work	2018-05-24 22:56:15 -04:00
cls_rsvp6.c
cls_tcindex.c	net_sched: fix two more memory leaks in cls_tcindex	2019-02-27 10:08:59 +01:00
cls_u32.c	net: sched: cls_u32: fix hnode refcounting	2018-10-07 21:02:37 -07:00
em_canid.c
em_cmp.c
em_ipset.c	netfilter: x_tables: move hook state into xt_action_param structure	2016-11-03 10:56:21 +01:00
em_ipt.c	net: sched: add em_ipt ematch for calling xtables matches	2018-02-21 13:15:33 -05:00
em_meta.c	net: convert sock.sk_refcnt from atomic_t to refcount_t	2017-07-01 07:39:08 -07:00
em_nbyte.c	net: sched: em_nbyte: don't add the data offset twice	2018-01-24 14:52:40 -05:00
em_text.c
em_u32.c
ematch.c	net: sched: ematch: obtain net pointer from blocks	2017-10-16 21:00:40 +01:00
Kconfig	net/sched: add skbprio scheduler	2018-07-24 14:44:00 -07:00
Makefile	net/sched: add skbprio scheduler	2018-07-24 14:44:00 -07:00
sch_api.c	net: sched: Remove TCA_OPTIONS from policy	2018-11-13 11:09:00 -08:00
sch_atm.c	net: sch: api: add extack support in qdisc_create_dflt	2017-12-21 12:32:51 -05:00
sch_blackhole.c	net_sched: blackhole: tell upper qdisc about dropped packets	2018-06-17 08:42:33 +09:00
sch_cake.c	treewide: Replace more open-coded allocation size multiplications	2018-10-05 18:06:30 -07:00
sch_cbq.c	net: sch: sch_cbq: add extack support	2017-12-21 12:32:51 -05:00
sch_cbs.c	cbs: Add support for the graft function	2018-07-26 13:58:30 -07:00
sch_choke.c	net: sched: sch: add extack for change qdisc ops	2017-12-21 12:32:50 -05:00
sch_codel.c	net: sched: sch: add extack for change qdisc ops	2017-12-21 12:32:50 -05:00
sch_drr.c	net: sch: sch_drr: add extack support	2017-12-21 12:32:51 -05:00
sch_dsmark.c	net: sch: api: add extack support in qdisc_create_dflt	2017-12-21 12:32:51 -05:00
sch_etf.c	net/sched: Make etf report drops on error_queue	2018-07-04 22:30:28 +09:00
sch_fifo.c	net: sch: api: add extack support in qdisc_create_dflt	2017-12-21 12:32:51 -05:00
sch_fq.c	net_sched: fq: take care of throttled flows before reuse	2018-05-02 16:37:38 -04:00
sch_fq_codel.c	sch_fq_codel: zero q->flows_cnt when fq_codel_init fails	2018-07-12 12:32:09 -07:00
sch_generic.c	net: sched: put back q.qlen into a single location	2019-03-10 07:17:16 +01:00
sch_gred.c	net: sched: gred: pass the right attribute to gred_change_table_def()	2018-11-04 14:50:51 +01:00
sch_hfsc.c	net_sched: remove a bogus warning in hfsc	2018-06-23 10:58:46 +09:00
sch_hhf.c	treewide: kvzalloc() -> kvcalloc()	2018-06-12 16:19:22 -07:00
sch_htb.c	net_sched: remove unused htb drop_list	2018-06-24 16:42:46 +09:00
sch_ingress.c	net: sched: allow ingress and clsact qdiscs to share filter blocks	2018-01-17 14:53:57 -05:00
sch_mq.c	net: sched: mq: request stats from offloads	2018-05-29 09:49:16 -04:00
sch_mqprio.c	net: sch: api: add extack support in qdisc_create_dflt	2017-12-21 12:32:51 -05:00
sch_multiq.c	net: sch: api: add extack support in qdisc_create_dflt	2017-12-21 12:32:51 -05:00
sch_netem.c	net: netem: fix skb length BUG_ON in __skb_to_sgvec	2019-03-10 07:17:18 +01:00
sch_pie.c	net: sched: sch: add extack for change qdisc ops	2017-12-21 12:32:50 -05:00
sch_plug.c	net: sched: sch: add extack for change qdisc ops	2017-12-21 12:32:50 -05:00
sch_prio.c	net: sch: prio: Add offload ability for grafting a child	2018-02-28 12:06:01 -05:00
sch_qfq.c	net: sch: api: add extack support in qdisc_create_dflt	2017-12-21 12:32:51 -05:00
sch_red.c	net: sched: red: avoid hashing NULL child	2018-05-18 13:52:32 -04:00
sch_sfb.c	net: sch: api: add extack support in qdisc_create_dflt	2017-12-21 12:32:51 -05:00
sch_sfq.c	net: sch: api: add extack support in tcf_block_get	2017-12-21 12:32:51 -05:00
sch_skbprio.c	net/sched: add skbprio scheduler	2018-07-24 14:44:00 -07:00
sch_tbf.c	net: sched: red: avoid hashing NULL child	2018-05-18 13:52:32 -04:00
sch_teql.c	net: sched: sch: add extack for init callback	2017-12-21 12:32:50 -05:00