| From 29fab1449162184edd9029e4a1efc1f59f66b446 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Fri, 2 Oct 2020 12:13:34 -0700 |
| Subject: net_sched: check error pointer in tcf_dump_walker() |
| |
| From: Cong Wang <xiyou.wangcong@gmail.com> |
| |
| [ Upstream commit 580e4273d7a883ececfefa692c1f96bdbacb99b5 ] |
| |
| Although we take RTNL on dump path, it is possible to |
| skip RTNL on insertion path. So the following race condition |
| is possible: |
| |
| rtnl_lock() // no rtnl lock |
| mutex_lock(&idrinfo->lock); |
| // insert ERR_PTR(-EBUSY) |
| mutex_unlock(&idrinfo->lock); |
| tc_dump_action() |
| rtnl_unlock() |
| |
| So we have to skip those temporary -EBUSY entries on dump path |
| too. |
| |
| Reported-and-tested-by: syzbot+b47bc4f247856fb4d9e1@syzkaller.appspotmail.com |
| Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together") |
| Cc: Vlad Buslov <vladbu@mellanox.com> |
| Cc: Jamal Hadi Salim <jhs@mojatatu.com> |
| Cc: Jiri Pirko <jiri@resnulli.us> |
| Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/sched/act_api.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/net/sched/act_api.c |
| +++ b/net/sched/act_api.c |
| @@ -231,6 +231,8 @@ static int tcf_dump_walker(struct tcf_id |
| index++; |
| if (index < s_i) |
| continue; |
| + if (IS_ERR(p)) |
| + continue; |
| |
| if (jiffy_since && |
| time_after(jiffy_since, |
