Commit 0fedc63f authored by Cong Wang's avatar Cong Wang Committed by David S. Miller
Browse files

net_sched: commit action insertions together 



syzbot is able to trigger a failure case inside the loop in
tcf_action_init(), and when this happens we clean up with
tcf_action_destroy(). But, as these actions are already inserted
into the global IDR, other parallel process could free them
before tcf_action_destroy(), then we will trigger a use-after-free.

Fix this by deferring the insertions even later, after the loop,
and committing all the insertions in a separate loop, so we will
never fail in the middle of the insertions any more.

One side effect is that the window between alloction and final
insertion becomes larger, now it is more likely that the loop in
tcf_del_walker() sees the placeholder -EBUSY pointer. So we have
to check for error pointer in tcf_del_walker().

Reported-and-tested-by: default avatar <syzbot+2287853d392e4b42374a@syzkaller.appspotmail.com>
Fixes: 0190c1d4 ("net: sched: atomically check-allocate action")
Cc: Vlad Buslov <vladbu@mellanox.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent e49d8c22

net/sched/act_api.c

+23 −9
Original line number Diff line number Diff line
@@ -307,6 +307,8 @@ static int tcf_del_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb, 


	mutex_lock(&idrinfo->lock);

	idr_for_each_entry_ul(idr, p, tmp, id) {

		if (IS_ERR(p))

			continue;

		ret = tcf_idr_release_unsafe(p);

		if (ret == ACT_P_DELETED) {

			module_put(ops->owner);
@@ -891,15 +893,25 @@ static const struct nla_policy tcf_action_policy[TCA_ACT_MAX + 1] = { 
	[TCA_ACT_HW_STATS]	= NLA_POLICY_BITFIELD32(TCA_ACT_HW_STATS_ANY),

};



static void tcf_idr_insert(struct tc_action *a)

static void tcf_idr_insert_many(struct tc_action *actions[])

{

	struct tcf_idrinfo *idrinfo = a->idrinfo;

	int i;



	for (i = 0; i < TCA_ACT_MAX_PRIO; i++) {

		struct tc_action *a = actions[i];

		struct tcf_idrinfo *idrinfo;



		if (!a)

			continue;

		idrinfo = a->idrinfo;

		mutex_lock(&idrinfo->lock);

	/* Replace ERR_PTR(-EBUSY) allocated by tcf_idr_check_alloc */

	WARN_ON(!IS_ERR(idr_replace(&idrinfo->action_idr, a, a->tcfa_index)));

		/* Replace ERR_PTR(-EBUSY) allocated by tcf_idr_check_alloc if

		 * it is just created, otherwise this is just a nop.

		 */

		idr_replace(&idrinfo->action_idr, a, a->tcfa_index);

		mutex_unlock(&idrinfo->lock);

	}

}



struct tc_action *tcf_action_init_1(struct net *net, struct tcf_proto *tp,

				    struct nlattr *nla, struct nlattr *est,
@@ -995,9 +1007,6 @@ struct tc_action *tcf_action_init_1(struct net *net, struct tcf_proto *tp, 
		return ERR_PTR(-EINVAL);

	}



	if (err == ACT_P_CREATED)

		tcf_idr_insert(a);



	if (!name && tb[TCA_ACT_COOKIE])

		tcf_set_action_cookie(&a->act_cookie, cookie);
@@ -1053,6 +1062,11 @@ int tcf_action_init(struct net *net, struct tcf_proto *tp, struct nlattr *nla, 
		actions[i - 1] = act;

	}



	/* We have to commit them all together, because if any error happened in

	 * between, we could not handle the failure gracefully.

	 */

	tcf_idr_insert_many(actions);



	*attr_size = tcf_action_full_attrs_size(sz);

	return i - 1;

CRA Git | Maintained and supported by SUSTech CRA and CCSE