From: Paolo Abeni <pab...@redhat.com> Date: Mon, 5 Feb 2018 22:23:01 +0100
> Li Shuang reported an Oops with cls_u32 due to a use-after-free
> in u32_destroy_key(). The use-after-free can be triggered with:
>
> dev=lo
> tc qdisc add dev $dev root handle 1: htb default 10
> tc filter add dev $dev parent 1: prio 5 handle 1: protocol ip u32 divisor 256
> tc filter add dev $dev protocol ip parent 1: prio 5 u32 ht 800:: match ip dst\
> 10.0.0.0/8 hashkey mask 0x0000ff00 at 16 link 1:
> tc qdisc del dev $dev root
>
> Which causes the following kasan splat:
> ...
> The problem is that the htnode is freed before the linked knodes and the
> latter will try to access the first at u32_destroy_key() time.
> This change addresses the issue using the htnode refcnt to guarantee
> the correct free order. While at it also add a RCU annotation,
> to keep sparse happy.
>
> v1 -> v2: use rtnl_dereference() instead of RCU read locks
> v2 -> v3:
> - don't check refcnt in u32_destroy_hnode()
> - cleaned-up u32_destroy() implementation
> - cleaned-up code comment
> v3 -> v4:
> - dropped unneeded comment
>
> Reported-by: Li Shuang <shu...@redhat.com>
> Fixes: c0d378ef1266 ("net_sched: use tcf_queue_work() in u32 filter")
> Signed-off-by: Paolo Abeni <pab...@redhat.com>

Applied and queued up for -stable, thanks!
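A user-space model of the free-ordering fix the commit message describes, as an added example that is not the kernel's or the patch's own code: hnode, knode, hnode_put, knode_destroy and simulate_teardown are simplified stand-ins for tc_u_hnode, tc_u_knode and u32_destroy_key(), and the model keeps the "freed" block around so a late access is counted instead of crashing.

```c
#include <stdlib.h>
/* Added example: a user-space model of the fix, not the kernel's cls_u32 code.
 * Each key node pins its hash-table node with a reference, so the owner
 * dropping the hnode first no longer frees it under u32_destroy_key().
 * hnode/knode stand in for tc_u_hnode/tc_u_knode. */
struct hnode { int refcnt; int live; }; /* live: model-only "not yet freed" */
struct knode {
    struct hnode *ht_down; /* hash table this key node links to */
    int pinned;            /* 1 if the knode holds a reference (the fix) */
};
static int accesses_after_free; /* knodes that touched a released hnode */
static void hnode_put(struct hnode *ht)
{
    if (--ht->refcnt == 0)
        ht->live = 0; /* real code frees here; the model keeps the block */
}
/* Stand-in for u32_destroy_key(): reads ht_down, then drops its pin. */
static void knode_destroy(struct knode *n)
{
    if (n->ht_down) {
        if (!n->ht_down->live)
            accesses_after_free++; /* the old code's use-after-free */
        if (n->pinned)
            hnode_put(n->ht_down);
    }
    free(n);
}
/* Problematic order: owner drops the hnode first, linked knodes are destroyed
 * later (the deferred tcf_queue_work() path). Returns how many knodes touched
 * an already-released hnode; 0 means the free order is safe. */
int simulate_teardown(int nknodes, int pin_hnode)
{
    struct hnode *ht = calloc(1, sizeof(*ht));
    struct knode **keys = calloc(nknodes, sizeof(*keys));
    ht->refcnt = ht->live = 1;
    accesses_after_free = 0;
    for (int i = 0; i < nknodes; i++) {
        keys[i] = calloc(1, sizeof(**keys));
        keys[i]->ht_down = ht; keys[i]->pinned = pin_hnode;
        if (pin_hnode)
            ht->refcnt++; /* the link takes a reference */
    }
    hnode_put(ht);
    for (int i = 0; i < nknodes; i++)
        knode_destroy(keys[i]);
    free(keys);
    free(ht);
    return accesses_after_free;
}
```

With pin_hnode=0 (the pre-fix behaviour) every linked knode reads a released hnode; with pin_hnode=1 the last knode_destroy() is what finally drops the table.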