From: Paolo Abeni <pab...@redhat.com>
Date: Mon, 5 Feb 2018 22:23:01 +0100
> Li Shuang reported an Oops with cls_u32 due to an use-after-free
> in u32_destroy_key(). The use-after-free can be triggered with:
>
> dev=lo
> tc qdisc add dev $dev root handle 1: htb default 10
> tc filter add dev $dev parent 1: prio 5 handle 1: protocol ip u32 divisor 256
> tc filter add dev $dev protocol ip parent 1: prio 5 u32 ht 800:: match ip dst\
> 10.0.0.0/8 hashkey mask 0x0000ff00 at 16 link 1:
> tc qdisc del dev $dev root
>
> Which causes the following kasan splat:
...
> The problem is that the htnode is freed before the linked knodes and the
> latter will try to access the first at u32_destroy_key() time.
> This change addresses the issue using the htnode refcnt to guarantee
> the correct free order. While at it also add a RCU annotation,
> to keep sparse happy.
>
> v1 -> v2: use rtnl_derefence() instead of RCU read locks
> v2 -> v3:
> - don't check refcnt in u32_destroy_hnode()
> - cleaned-up u32_destroy() implementation
> - cleaned-up code comment
> v3 -> v4:
> - dropped unneeded comment
>
> Reported-by: Li Shuang <shu...@redhat.com>
> Fixes: c0d378ef1266 ("net_sched: use tcf_queue_work() in u32 filter")
> Signed-off-by: Paolo Abeni <pab...@redhat.com>
Applied and queued up for -stable, thanks!
