Re: [PATCH] net: sched: fix a use-after-free error on chain on the error exit path

From: Cong Wang
Date: Fri May 19 2017 - 13:18:30 EST


On Thu, May 18, 2017 at 7:07 AM, Colin King <colin.king@xxxxxxxxxxxxx> wrote:
> diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
> index 4020b8d932a1..82ebdc3fcb2e 100644
> --- a/net/sched/cls_api.c
> +++ b/net/sched/cls_api.c
> @@ -511,6 +511,7 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
> if (n->nlmsg_type == RTM_DELTFILTER && prio == 0) {
> tfilter_notify_chain(net, skb, n, chain, RTM_DELTFILTER);
> tcf_chain_destroy(chain);


Jiri, how does this work...? An action could hold a refcnt to a filter
chain, but here you destroy a whole chain without respecting
the refcnt???


> + chain = NULL;
> err = 0;
> goto errout;
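Review bot: the `chain = NULL` added after `tcf_chain_destroy(chain)` only keeps this exit from touching the freed chain at `errout`; it does not change that the chain is torn down unconditionally on the `RTM_DELTFILTER && prio == 0` path, so any other holder of the chain is left with a dangling pointer. If the intent is merely to release this caller's hold, dropping it through a refcount-respecting put (and letting the destroy happen when the count reaches zero) would close the error-path use-after-free without freeing underneath other holders; if unconditional destruction really is safe here, the commit message should say why.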

Colin, not your fault, I think we may have missed something more serious
when reviewing Jiri's patchset. ;)

Thanks.
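To make the concern in the reply above concrete, here is an added toy model of the two ways the exit path can release a chain. It is written for this page and is not kernel code: `struct chain`, the fixed-size pool, `chain_get`/`chain_put`, and the three `exit_*` functions are all hypothetical stand-ins that only imitate the refcounted-chain pattern the thread is discussing. Destroyed chains are marked dead rather than freed so that touching one is reported instead of being a real use-after-free.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy model, not kernel code: a refcounted "chain" living in a
 * small pool with a 'live' flag, so a use-after-destroy is detectable. */
#define POOL_SIZE 4

struct chain {
    bool live;
    unsigned int refcnt;
    int index;
};

static struct chain pool[POOL_SIZE];

static struct chain *chain_create(int index)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = true;
            pool[i].refcnt = 1;      /* creator's reference */
            pool[i].index = index;
            return &pool[i];
        }
    }
    return NULL;
}

static struct chain *chain_get(struct chain *c)
{
    c->refcnt++;
    return c;
}

/* Unconditional teardown that ignores refcnt, like the tcf_chain_destroy()
 * call in the quoted hunk. */
static void chain_destroy(struct chain *c)
{
    memset(c, 0, sizeof(*c));        /* live = false, refcnt = 0 */
}

/* Refcount-respecting release. Returns 0 if a reference was dropped (or the
 * pointer was NULL), -1 if the caller touched a chain that is already gone,
 * which would be a use-after-free in the real code. */
static int chain_put(struct chain *c)
{
    if (c == NULL)
        return 0;
    if (!c->live)
        return -1;
    if (--c->refcnt == 0)
        chain_destroy(c);
    return 0;
}

/* Three versions of the RTM_DELTFILTER/prio==0 exit; each returns what the
 * errout cleanup observes. */

/* Before the patch: destroy, then errout puts the freed chain. */
static int exit_before_patch(struct chain *chain)
{
    chain_destroy(chain);
    return chain_put(chain);         /* errout: */
}

/* With the patch: destroy, NULL the pointer, errout's put becomes a no-op. */
static int exit_with_patch(struct chain *chain)
{
    chain_destroy(chain);
    chain = NULL;
    return chain_put(chain);         /* errout: */
}

/* Alternative: only drop this caller's reference; the chain goes away when
 * the last holder lets go. */
static int exit_refcounted(struct chain *chain)
{
    return chain_put(chain);         /* errout: */
}

/* Scenario: an action holds a second reference while the delete exit path
 * runs, and releases it afterwards. */
static void run_scenario(int (*exit_path)(struct chain *),
                         int *exit_rc, int *action_rc)
{
    memset(pool, 0, sizeof(pool));
    struct chain *chain = chain_create(0);
    struct chain *held_by_action = chain_get(chain);   /* refcnt == 2 */

    *exit_rc = exit_path(chain);
    *action_rc = chain_put(held_by_action);            /* action releases later */
}

static int scenario_exit_rc(int (*exit_path)(struct chain *))
{
    int e, a;
    run_scenario(exit_path, &e, &a);
    return e;
}

static int scenario_action_rc(int (*exit_path)(struct chain *))
{
    int e, a;
    run_scenario(exit_path, &e, &a);
    return a;
}

int main(void)
{
    struct { const char *name; int (*fn)(struct chain *); } cases[] = {
        { "before patch", exit_before_patch },
        { "with patch (chain = NULL)", exit_with_patch },
        { "refcounted put", exit_refcounted },
    };
    for (int i = 0; i < 3; i++)
        printf("%-28s exit path: %s, action's later put: %s\n", cases[i].name,
               scenario_exit_rc(cases[i].fn) ? "use-after-free" : "ok",
               scenario_action_rc(cases[i].fn) ? "dangling" : "ok");
    return 0;
}
```

The middle case is the one the reply is worried about: nulling the local pointer silences the error-path access, but the action's reference still points at a chain that was destroyed without regard to its count. Only the refcounted variant leaves both holders consistent.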