net_sched: fix a use-after-free in tc_ctl_tfilter()

When tcf_destroy() returns true, tp could be already destroyed, we should not use tp->next after that. For long term, we probably should move tp list to list_head. Fixes: 1e052be6 ("net_sched: destroy proto tp when all filters are gone") Cc: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: N Cong Wang <xiyou.wangcong@gmail.com> Acked-by: N Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

net_sched: fix a use-after-free in tc_ctl_tfilter()
When tcf_destroy() returns true, tp could be already destroyed, we should not use tp->next after that. For long term, we probably should move tp list to list_head. Fixes: 1e052be6 ("net_sched: destroy proto tp when all filters are gone") Cc: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: N Cong Wang <xiyou.wangcong@gmail.com> Acked-by: N Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
d7443185 · WANG Cong · David S. Miller · 1006da19 · d7443185
隐藏空白更改
内联并排

Showing with 3 addition and 4 deletion

net/sched/cls_api.c net/sched/cls_api.c +3 -4

未找到文件。
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -308,12 +308,11 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n)
 		case RTM_DELTFILTER:
 			err = tp->ops->delete(tp, fh);
 			if (err == 0) {
-				tfilter_notify(net, skb, n, tp, fh, RTM_DELTFILTER);
-				if (tcf_destroy(tp, false)) {
-					struct tcf_proto *next = rtnl_dereference(tp->next);
+				struct tcf_proto *next = rtnl_dereference(tp->next);

+				tfilter_notify(net, skb, n, tp, fh, RTM_DELTFILTER);
+				if (tcf_destroy(tp, false))
 					RCU_INIT_POINTER(*back, next);
-				}
 			}
 			goto errout;
 		case RTM_GETTFILTER: