Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

net_sched: fix a use-after-free in tc_ctl_tfilter()

When tcf_destroy() returns true, tp could be already destroyed,
we should not use tp->next after that.

For long term, we probably should move tp list to list_head.

Fixes: 1e052be69d04 ("net_sched: destroy proto tp when all filters are gone")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
WANG Cong 10 years ago
parent
1006da19ea
commit
d744318574
1 changed files with 3 additions and 4 deletions
Split View Show Diff Stats
  1. 3 4
      net/sched/cls_api.c

+ 3 - 4
net/sched/cls_api.c
View File 

@@ -308,12 +308,11 @@ replay:
 
 		case RTM_DELTFILTER:
 
 			err = tp->ops->delete(tp, fh);
 
 			if (err == 0) {
 
-				tfilter_notify(net, skb, n, tp, fh, RTM_DELTFILTER);
 
-				if (tcf_destroy(tp, false)) {
 
-					struct tcf_proto *next = rtnl_dereference(tp->next);
 
+				struct tcf_proto *next = rtnl_dereference(tp->next);
 
 
+				tfilter_notify(net, skb, n, tp, fh, RTM_DELTFILTER);
 
+				if (tcf_destroy(tp, false))
 
 					RCU_INIT_POINTER(*back, next);
 
-				}
 
 			}
 
 			goto errout;
 
 		case RTM_GETTFILTER: