Re: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
From: Eric Dumazet
Date: Thu Jun 01 2023 - 11:11:40 EST
On Thu, Jun 1, 2023 at 4:06 PM Lee Jones <lee@xxxxxxxxxx> wrote:
>
> On Wed, 31 May 2023, Jamal Hadi Salim wrote:
>
> > On Wed, May 31, 2023 at 11:03 AM Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
> > >
> > > On Wed, May 31, 2023 at 4:16 PM Lee Jones <lee@xxxxxxxxxx> wrote:
> > > >
> > > > In the event of a failure in tcf_change_indev(), u32_set_parms() will
> > > > immediately return without decrementing the recently incremented
> > > > reference counter. If this happens enough times, the counter will
> > > > rollover and the reference freed, leading to a double free which can be
> > > > used to do 'bad things'.
> > > >
> > > > Cc: stable@xxxxxxxxxx # v4.14+
> > >
> > > Please add a Fixes: tag.
>
> Why?

How have you identified v4.14+?

Probably you did some research/"git archeology".

By adding the Fixes: tag, you allow us to double check immediately,
and see if other bugs need to be fixed at the same time.

You can also CC blamed patch authors, to get some feedback.

Otherwise, we (people reviewing this patch) have to also do this
research from scratch.

In this case, it seems the bug was added in

commit 705c7091262d02b09eb686c24491de61bf42fdb2
Author: Jiri Pirko <jiri@xxxxxxxxxxx>
Date: Fri Aug 4 14:29:14 2017 +0200

    net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct

A nice Fixes: tag would then be

Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")

Thanks.
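
The leak described in the quoted commit message, as an added C model that is not part of this thread and not the kernel's code. `struct hnode`, `change_indev()` and the `set_parms_*` functions are hypothetical stand-ins, the 8-bit counter is a constructed choice so the wrap is reached after 255 failures, and the error-path decrement is one possible repair, not the patch under review.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical refcounted object; uint8_t makes the wrap quick to reach. */
struct hnode { uint8_t refcnt; };

/* Hypothetical stand-in for the step that can fail after the reference is taken. */
static int change_indev(int fail) { return fail ? -EINVAL : 0; }

/* Leaky shape: take the reference, then return early on error. */
int set_parms_leaky(struct hnode *ht, int fail)
{
    int err;

    ht->refcnt++;
    err = change_indev(fail);
    if (err < 0)
        return err;              /* reference is never dropped */
    return 0;
}

/* Repaired shape: every exit after the increment undoes it on failure. */
int set_parms_fixed(struct hnode *ht, int fail)
{
    int err;

    ht->refcnt++;
    err = change_indev(fail);
    if (err < 0) {
        ht->refcnt--;            /* balance the increment before returning */
        return err;
    }
    return 0;
}

/* Run n failing updates against an object with one legitimate owner. */
unsigned run_failures(int (*fn)(struct hnode *, int), unsigned n)
{
    struct hnode ht = { .refcnt = 1 };

    for (unsigned i = 0; i < n; i++)
        fn(&ht, 1);
    return ht.refcnt;
}

int main(void)
{
    printf("leaky: %u  fixed: %u\n", run_failures(set_parms_leaky, 255),
           run_failures(set_parms_fixed, 255));
    return 0;
}
```

In the leaky run the counter reads 0 while the original owner still holds its reference, which is the state from which the commit message's double free follows.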