blob: e8a1d5749660595cfdd431c4f2549f1561a175fe [file] [log] [blame]
From c44d51150e6c9f49d31d67636bc1f158bf0eac54 Mon Sep 17 00:00:00 2001
From: Cong Wang <>
Date: Wed, 11 Mar 2020 22:42:28 -0700
Subject: [PATCH] net_sched: keep alloc_hash updated after hash allocation
commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 upstream.
In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
I moved cp->hash calculation before the first
tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched.
This difference could lead to another out of bound access.
cp->alloc_hash should always be the size allocated, we should
update it after this tcindex_alloc_perfect_hash().
Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
Cc: Jamal Hadi Salim <>
Cc: Jiri Pirko <>
Signed-off-by: Cong Wang <>
Signed-off-by: David S. Miller <>
Signed-off-by: Paul Gortmaker <>
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index 09b7dc5fe7e0..ab95bbe20e3d 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -357,6 +357,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
if (tcindex_alloc_perfect_hash(net, cp) < 0)
goto errout;
+ cp->alloc_hash = cp->hash;
for (i = 0; i < min(cp->hash, p->hash); i++)
cp->perfect[i].res = p->perfect[i].res;
balloc = 1;