On Sun, Nov 19, 2017 at 9:36 AM, Roman Kapl <c...@rkapl.cz> wrote:
> If you flush (delete) a filter chain other than chain 0 (such as when
> deleting the device), the kernel may run into a use-after-free. The
> chain refcount must not be decremented unless we are sure we are done
> with the chain.
>
> To reproduce the bug, run:
> ip link add dtest type dummy
> tc qdisc add dev dtest ingress
> tc filter add dev dtest chain 1 parent ffff: flower
> ip link del dtest
>
> Introduced in: commit f93e1cdcf42c ("net/sched: fix filter flushing"),
> but unless you have KASAN or luck, you won't notice it until
> commit 0dadc117ac8b ("cls_flower: use tcf_exts_get_net() before call_rcu()")
>
> Fixes: f93e1cdcf42c ("net/sched: fix filter flushing")
> Acked-by: Jiri Pirko <j...@mellanox.com>
> Signed-off-by: Roman Kapl <c...@rkapl.cz>
Acked-by: Cong Wang <xiyou.wangc...@gmail.com>