Re: [PATCH net v3] cls_u32: fix use after free in u32_destroy_key()

2018-02-05 Thread Cong Wang
On Mon, Feb 5, 2018 at 1:20 AM, Paolo Abeni wrote: > @@ -625,6 +627,8 @@ static int u32_destroy_hnode(struct tcf_proto *tp, struct > tc_u_hnode *ht, > idr_destroy(>handle_idr); > idr_remove_ext(_c->handle_idr, ht->handle); >

[PATCH net v3] cls_u32: fix use after free in u32_destroy_key()

2018-02-05 Thread Paolo Abeni
Li Shuang reported an Oops with cls_u32 due to an use-after-free in u32_destroy_key(). The use-after-free can be triggered with: dev=lo tc qdisc add dev $dev root handle 1: htb default 10 tc filter add dev $dev parent 1: prio 5 handle 1: protocol ip u32 divisor 256 tc filter add dev $dev protocol