[PATCH 3.16.y-ckt 100/165] net: cls_bpf: fix auto generation of per list handles

From: Luis Henriques
Date: Wed Mar 25 2015 - 10:26:00 EST

Next message: Luis Henriques: "[PATCH 3.16.y-ckt 096/165] svcrpc: fix memory leak in gssp_accept_sec_context_upcall"
Previous message: Luis Henriques: "[PATCH 3.16.y-ckt 084/165] x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization"
In reply to: Luis Henriques: "[PATCH 3.16.y-ckt 084/165] x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization"
Next in thread: Luis Henriques: "[PATCH 3.16.y-ckt 096/165] svcrpc: fix memory leak in gssp_accept_sec_context_upcall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.16.7-ckt9 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <dborkman@xxxxxxxxxx>

commit 3f2ab135946dcd4eb6af92a53d6d4bd35e7526ca upstream.

When creating a bpf classifier in tc with priority collisions and
invoking automatic unique handle assignment, cls_bpf_grab_new_handle()
will return a wrong handle id which in fact is non-unique. Usually
altering of specific filters is being addressed over major id, but
in case of collisions we result in a filter chain, where handle ids
address individual cls_bpf_progs inside the classifier.

Issue is, in cls_bpf_grab_new_handle() we probe for head->hgen handle
in cls_bpf_get() and in case we found a free handle, we're supposed
to use exactly head->hgen. In case of insufficient numbers of handles,
we bail out later as handle id 0 is not allowed.

Fixes: 7d1d65cb84e1 ("net: sched: cls_bpf: add BPF-based classifier")
Signed-off-by: Daniel Borkmann <dborkman@xxxxxxxxxx>
Acked-by: Jiri Pirko <jiri@xxxxxxxxxxx>
Acked-by: Alexei Starovoitov <ast@xxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Luis Henriques <luis.henriques@xxxxxxxxxxxxx>
---
net/sched/cls_bpf.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 87f2f1b17181..d2f034cf6055 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -233,15 +233,21 @@ static u32 cls_bpf_grab_new_handle(struct tcf_proto *tp,
struct cls_bpf_head *head)
{
unsigned int i = 0x80000000;
+ u32 handle;

do {
if (++head->hgen == 0x7FFFFFFF)
head->hgen = 1;
} while (--i > 0 && cls_bpf_get(tp, head->hgen));
- if (i == 0)
+
+ if (unlikely(i == 0)) {
pr_err("Insufficient number of handles\n");
+ handle = 0;
+ } else {
+ handle = head->hgen;
+ }

- return i;
+ return handle;
}

static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Luis Henriques: "[PATCH 3.16.y-ckt 096/165] svcrpc: fix memory leak in gssp_accept_sec_context_upcall"
Previous message: Luis Henriques: "[PATCH 3.16.y-ckt 084/165] x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization"
In reply to: Luis Henriques: "[PATCH 3.16.y-ckt 084/165] x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization"
Next in thread: Luis Henriques: "[PATCH 3.16.y-ckt 096/165] svcrpc: fix memory leak in gssp_accept_sec_context_upcall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]