Re: [PATCH net v2] cls_u32: fix use after free in u32_destroy_key()

On Fri, 2018-02-02 at 15:30 +0100, Paolo Abeni wrote: > Li Shuang reported an Oops with cls_u32 due to an use-after-free > in u32_destroy_key(). The use-after-free can be triggered with: > > dev=lo > tc qdisc add dev $dev root handle 1: htb default 10 > tc filter add dev $dev parent 1: prio 5

Re: [PATCH net v2] cls_u32: fix use after free in u32_destroy_key()

Hi, On Fri, 2018-02-02 at 13:52 -0800, Cong Wang wrote: > On Fri, Feb 2, 2018 at 6:30 AM, Paolo Abeni wrote: > > The problem is that the htnode is freed before the linked knodes and the > > latter will try to access the first at u32_destroy_key() time. > > This change addresses

Re: [PATCH net v2] cls_u32: fix use after free in u32_destroy_key()

On Fri, Feb 2, 2018 at 6:30 AM, Paolo Abeni wrote: > The problem is that the htnode is freed before the linked knodes and the > latter will try to access the first at u32_destroy_key() time. > This change addresses the issue using the htnode refcnt to guarantee > the correct

Re: [PATCH net v2] cls_u32: fix use after free in u32_destroy_key()

On 2.2.2018 15:30, Paolo Abeni wrote: > Li Shuang reported an Oops with cls_u32 due to an use-after-free > in u32_destroy_key(). The use-after-free can be triggered with: > > dev=lo > tc qdisc add dev $dev root handle 1: htb default 10 > tc filter add dev $dev parent 1: prio 5 handle 1: protocol

[PATCH net v2] cls_u32: fix use after free in u32_destroy_key()

Li Shuang reported an Oops with cls_u32 due to an use-after-free in u32_destroy_key(). The use-after-free can be triggered with: dev=lo tc qdisc add dev $dev root handle 1: htb default 10 tc filter add dev $dev parent 1: prio 5 handle 1: protocol ip u32 divisor 256 tc filter add dev $dev protocol