summaryrefslogtreecommitdiff
path: root/security/min_addr.c
diff options
context:
space:
mode:
authorRoman Kapl <code@rkapl.cz>2017-11-24 12:27:58 +0100
committerDavid S. Miller <davem@davemloft.net>2017-11-25 23:57:20 +0900
commita60b3f515d30d0fe8537c64671926879a3548103 (patch)
tree704071b30c9bb4a5fa8658d05961653625bb3651 /security/min_addr.c
parent540c11159dcece5c4a8157a7b39336316085470f (diff)
net: sched: crash on blocks with goto chain action
tcf_block_put_ext has assumed that all filters (and thus their goto actions) are destroyed in RCU callback and thus can not race with our list iteration. However, that is not true during netns cleanup (see tcf_exts_get_net comment). Prevent the user after free by holding all chains (except 0, that one is already held). foreach_safe is not enough in this case. To reproduce, run the following in a netns and then delete the ns: ip link add dtest type dummy tc qdisc add dev dtest ingress tc filter add dev dtest chain 1 parent ffff: handle 1 prio 1 flower action goto chain 2 Fixes: 822e86d997 ("net_sched: remove tcf_block_put_deferred()") Signed-off-by: Roman Kapl <code@rkapl.cz> Acked-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/min_addr.c')
0 files changed, 0 insertions, 0 deletions