summaryrefslogtreecommitdiffstats
path: root/net/sched/act_pedit.c
diff options
context:
space:
mode:
authorDmytro Linkin <dmitrolin@mellanox.com>2019-08-01 13:02:51 +0000
committerDavid S. Miller <davem@davemloft.net>2019-08-05 10:59:14 -0700
commit7be8ef2cdbfe41a2e524b7c6cc3f8e6cfaa906e4 (patch)
tree42b36459934917001e8ed83595d238924120b3c9 /net/sched/act_pedit.c
parent7fb5a711545d7d25fe9726a9ad277474dd83bd06 (diff)
downloadlinux-stable-7be8ef2cdbfe41a2e524b7c6cc3f8e6cfaa906e4.tar.gz
linux-stable-7be8ef2cdbfe41a2e524b7c6cc3f8e6cfaa906e4.tar.bz2
linux-stable-7be8ef2cdbfe41a2e524b7c6cc3f8e6cfaa906e4.zip
net: sched: use temporary variable for actions indexes
Currently init call of all actions (except ipt) init their 'parm' structure as a direct pointer to nla data in skb. This leads to race condition when some of the filter actions were initialized successfully (and were assigned with idr action index that was written directly into nla data), but then were deleted and retried (due to following action module missing or classifier-initiated retry), in which case action init code tries to insert action to idr with index that was assigned on previous iteration. During retry the index can be reused by another action that was inserted concurrently, which causes unintended action sharing between filters. To fix described race condition, save action idr index to temporary stack-allocated variable instead on nla data. Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action") Signed-off-by: Dmytro Linkin <dmitrolin@mellanox.com> Signed-off-by: Vlad Buslov <vladbu@mellanox.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched/act_pedit.c')
-rw-r--r--net/sched/act_pedit.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 45e9d6bfddb3..17360c6faeaa 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -149,6 +149,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
struct tcf_pedit *p;
int ret = 0, err;
int ksize;
+ u32 index;
if (!nla) {
NL_SET_ERR_MSG_MOD(extack, "Pedit requires attributes to be passed");
@@ -179,18 +180,19 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
if (IS_ERR(keys_ex))
return PTR_ERR(keys_ex);
- err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+ index = parm->index;
+ err = tcf_idr_check_alloc(tn, &index, a, bind);
if (!err) {
if (!parm->nkeys) {
- tcf_idr_cleanup(tn, parm->index);
+ tcf_idr_cleanup(tn, index);
NL_SET_ERR_MSG_MOD(extack, "Pedit requires keys to be passed");
ret = -EINVAL;
goto out_free;
}
- ret = tcf_idr_create(tn, parm->index, est, a,
+ ret = tcf_idr_create(tn, index, est, a,
&act_pedit_ops, bind, false);
if (ret) {
- tcf_idr_cleanup(tn, parm->index);
+ tcf_idr_cleanup(tn, index);
goto out_free;
}
ret = ACT_P_CREATED;