diff mbox series

[net,2/2] net/sched: cls_u32: fix possible leak in u32_init_knode()

Message ID 20220413173542.533060-3-eric.dumazet@gmail.com (mailing list archive)
State Accepted
Commit ec5b0f605b105457f257f2870acad4a5d463984b
Delegated to: Netdev Maintainers
Headers show
Series net/sched: two fixes for cls_u32 | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Series has a cover letter
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 20 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Eric Dumazet April 13, 2022, 5:35 p.m. UTC 
From: Eric Dumazet <edumazet@google.com>

While investigating a related syzbot report,
I found that whenever call to tcf_exts_init()
from u32_init_knode() is failing, we end up
with an elevated refcount on ht->refcnt

To avoid that, only increase the refcount after
all possible errors have been evaluated.

Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Jiri Pirko <jiri@resnulli.us>
---
 net/sched/cls_u32.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Jamal Hadi Salim April 14, 2022, 4:03 p.m. UTC | #1 
On 2022-04-13 13:35, Eric Dumazet wrote:
> From: Eric Dumazet<edumazet@google.com>
> 
> While investigating a related syzbot report,
> I found that whenever call to tcf_exts_init()
> from u32_init_knode() is failing, we end up
> with an elevated refcount on ht->refcnt
> 
> To avoid that, only increase the refcount after
> all possible errors have been evaluated.
> 
> Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()")
> Signed-off-by: Eric Dumazet<edumazet@google.com>
> Cc: Jamal Hadi Salim<jhs@mojatatu.com>
> Cc: Cong Wang<xiyou.wangcong@gmail.com>
> Cc: Jiri Pirko<jiri@resnulli.us>


Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>


cheers,
jamal
diff mbox series

Patch

diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index fcba6c43ba509a069c593d525daf2943b4079538..4d27300c287c46d11bf9d44f8c66eded9e734581 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -815,10 +815,6 @@  static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
 	new->flags = n->flags;
 	RCU_INIT_POINTER(new->ht_down, ht);
 
-	/* bump reference count as long as we hold pointer to structure */
-	if (ht)
-		ht->refcnt++;
-
 #ifdef CONFIG_CLS_U32_PERF
 	/* Statistics may be incremented by readers during update
 	 * so we must keep them in tact. When the node is later destroyed
@@ -840,6 +836,10 @@  static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
 		return NULL;
 	}
 
+	/* bump reference count as long as we hold pointer to structure */
+	if (ht)
+		ht->refcnt++;
+
 	return new;
 }