| Message ID | 20230721191332.1424997-1-pctammela@mojatatu.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | net/sched: improve class lifetime handling | expand |
On Fri, Jul 21, 2023 at 3:14 PM Pedro Tammela <pctammela@mojatatu.com> wrote: > > Valis says[0]: > ============ > Three classifiers (cls_fw, cls_u32 and cls_route) always copy > tcf_result struct into the new instance of the filter on update. > > This causes a problem when updating a filter bound to a class, > as tcf_unbind_filter() is always called on the old instance in the > success path, decreasing filter_cnt of the still referenced class > and allowing it to be deleted, leading to a use-after-free. > ============ > > Turns out these could have been spotted easily with proper warnings. > Improve the current class lifetime with wrappers that check for > overflow/underflow. > > While at it add an extack for when a class in use is deleted. > > [0] https://lore.kernel.org/all/20230721174856.3045-1-sec@valis.email/ > For the series: Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> cheers, jamal > > Pedro Tammela (5): > net/sched: wrap open coded Qdics class filter counter > net/sched: sch_drr: warn about class in use while deleting > net/sched: sch_hfsc: warn about class in use while deleting > net/sched: sch_htb: warn about class in use while deleting > net/sched: sch_qfq: warn about class in use while deleting > > include/net/sch_generic.h | 1 + > include/net/tc_class.h | 33 +++++++++++++++++++++++++++++++++ > net/sched/sch_drr.c | 12 +++++++----- > net/sched/sch_hfsc.c | 11 +++++++---- > net/sched/sch_htb.c | 11 ++++++----- > net/sched/sch_qfq.c | 11 ++++++----- > 6 files changed, 60 insertions(+), 19 deletions(-) > create mode 100644 include/net/tc_class.h > > -- > 2.39.2 >