diff options
author | Cong Wang <xiyou.wangcong@gmail.com> | 2020-10-02 21:13:34 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2020-10-04 23:53:06 +0200 |
commit | 580e4273d7a883ececfefa692c1f96bdbacb99b5 (patch) | |
tree | 094b0f1cde71ff222877ed9f94175f474c387696 /net/sched/act_api.c | |
parent | net: team: fix memory leak in __team_options_register (diff) | |
download | linux-580e4273d7a883ececfefa692c1f96bdbacb99b5.tar.xz linux-580e4273d7a883ececfefa692c1f96bdbacb99b5.zip |
net_sched: check error pointer in tcf_dump_walker()
Although we take RTNL on dump path, it is possible to
skip RTNL on insertion path. So the following race condition
is possible:
rtnl_lock() // no rtnl lock
mutex_lock(&idrinfo->lock);
// insert ERR_PTR(-EBUSY)
mutex_unlock(&idrinfo->lock);
tc_dump_action()
rtnl_unlock()
So we have to skip those temporary -EBUSY entries on dump path
too.
Reported-and-tested-by: syzbot+b47bc4f247856fb4d9e1@syzkaller.appspotmail.com
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Cc: Vlad Buslov <vladbu@mellanox.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched/act_api.c')
-rw-r--r-- | net/sched/act_api.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/sched/act_api.c b/net/sched/act_api.c index 5612b336e18e..798430e1a79f 100644 --- a/net/sched/act_api.c +++ b/net/sched/act_api.c @@ -235,6 +235,8 @@ static int tcf_dump_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb, index++; if (index < s_i) continue; + if (IS_ERR(p)) + continue; if (jiffy_since && time_after(jiffy_since, |