Re: [PATCH net v4] cls_u32: fix use after free in u32_destroy_key()

From: Paolo Abeni Date: Mon, 5 Feb 2018 22:23:01 +0100 > Li Shuang reported an Oops with cls_u32 due to an use-after-free > in u32_destroy_key(). The use-after-free can be triggered with: > > dev=lo > tc qdisc add dev $dev root handle 1: htb default 10 > tc filter add dev $dev parent 1: prio 5

Re: [PATCH net v4] cls_u32: fix use after free in u32_destroy_key()

On Mon, Feb 5, 2018 at 1:23 PM, Paolo Abeni wrote: > The problem is that the htnode is freed before the linked knodes and the > latter will try to access the first at u32_destroy_key() time. > This change addresses the issue using the htnode refcnt to guarantee > the correct free order. While at i

[PATCH net v4] cls_u32: fix use after free in u32_destroy_key()

Li Shuang reported an Oops with cls_u32 due to an use-after-free in u32_destroy_key(). The use-after-free can be triggered with: dev=lo tc qdisc add dev $dev root handle 1: htb default 10 tc filter add dev $dev parent 1: prio 5 handle 1: protocol ip u32 divisor 256 tc filter add dev $dev protocol