From: Jiri Pirko <jiri@mellanox.com>
Date: Fri, 15 Dec 2017 12:40:12 +0100
Subject: net: sched: fix clsact init error path
Patch-mainline: v4.15-rc4
Git-commit: 343723dd51ef1025a860e54df9472b5ba21ee3d9
References: bsc#1109837
Since in qdisc_create, the destroy op is called when init fails, we
don't do cleanup in init and leave it up to destroy.
This fixes use-after-free when trying to put already freed block.
Fixes: 6e40cf2d4dee ("net: sched: use extended variants of block_get/put in ingress and clsact qdiscs")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
net/sched/cls_api.c | 4 ++--
net/sched/sch_ingress.c | 6 +-----
2 files changed, 3 insertions(+), 7 deletions(-)
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -383,6 +383,8 @@ void tcf_block_put_ext(struct tcf_block
{
struct tcf_chain *chain;
+ if (!block)
+ return;
/* Hold a refcnt for all chains, except 0, so that they don't disappear
* while we are iterating.
*/
@@ -409,8 +411,6 @@ void tcf_block_put(struct tcf_block *blo
{
struct tcf_block_ext_info ei = {0, };
- if (!block)
- return;
tcf_block_put_ext(block, block->q, &ei);
}
EXPORT_SYMBOL(tcf_block_put);
--- a/net/sched/sch_ingress.c
+++ b/net/sched/sch_ingress.c
@@ -190,7 +190,7 @@ static int clsact_init(struct Qdisc *sch
err = tcf_block_get_ext(&q->egress_block, sch, &q->egress_block_info);
if (err)
- goto err_egress_block_get;
+ return err;
net_inc_ingress_queue();
net_inc_egress_queue();
@@ -198,10 +198,6 @@ static int clsact_init(struct Qdisc *sch
sch->flags |= TCQ_F_CPUSTATS;
return 0;
-
-err_egress_block_get:
- tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info);
- return err;
}
static void clsact_destroy(struct Qdisc *sch)