From b7f0a7453e4f32ff4d3f17228db241b354020b98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
Date: Tue, 4 Jul 2023 15:23:43 +0200
Subject: [PATCH] net/sched: tcindex: Do not use perfect hashing
Patch-mainline: Never, upstream deleted tcindex entirely
References: bsc#1210335 CVE-2023-1829

There is a reported bug in the tcindex_delete handling of perfect hash
buckets (double free). Instead of reworking this part (perfect hashes
release path), simply avoid usage of perfect hashing.
tcindex will use only imperfect hashing (even when mask>>shift size would allow
perfect hashing). That should not affect correctness but performance.
A better solution for the buggy perfect release path may be conceived in
the future.
---
 net/sched/cls_tcindex.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index 25d759110e94..fb01e1c06577 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -255,10 +255,14 @@ static void tcindex_destroy_work(struct work_struct *work)
 	tcindex_data_put(p);
 }
 
+/* Perfect hashed filters release path is not correct (CVE-2023-1829), so
+ * always use imperfect hashing (even when unnecessary given hash size and
+ * range of mask>>shift).
+ */
 static inline int
 valid_perfect_hash(struct tcindex_data *p)
 {
-	return  p->hash > (p->mask >> p->shift);
+	return false;
 }
 
 static const struct nla_policy tcindex_policy[TCA_TCINDEX_MAX + 1] = {
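Review bot: In valid_perfect_hash(), `return false;` is returned from a function still declared `static inline int`; use `return 0;` or change the return type to bool so the declaration and the value agree. The parameter p is now unused, and the callers are not visible in this hunk, so the commit message should say whether a caller that gets 0 here falls back to imperfect hashing or rejects the configuration, since the message claims only performance is affected.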
-- 
2.41.0