net_sched: cls_route: remove the right filter from hashtable

congwang · davem330 · commit ef299cc3fa1a · 2020-03-16T01:59:32.000-07:00
route4_change() allocates a new filter and copies values from the old one. After the new filter is inserted into the hash table, the old filter should be removed and freed, as the final step of the update. However, the current code mistakenly removes the new one. This looks apparently wrong to me, and it causes double "free" and use-after-free too, as reported by syzbot. Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com Fixes: 1109c00 ("net: sched: RCU cls_route") Cc: Jamal Hadi Salim <jhs@mojatatu.com> Cc: Jiri Pirko <jiri@resnulli.us> Cc: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
@@ -534,8 +534,8 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
 			fp = &b->ht[h];
 			for (pfp = rtnl_dereference(*fp); pfp;
 			     fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
-				if (pfp == f) {
-					*fp = f->next;
+				if (pfp == fold) {
+					rcu_assign_pointer(*fp, fold->next);
 					break;
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -534,8 +534,8 @@ static int route4_change(struct net net, struct sk_buff in_skb,`
`534`	`534`	`fp = &b->ht[h];`
`535`	`535`	`for (pfp = rtnl_dereference(*fp); pfp;`
`536`	`536`	`fp = &pfp->next, pfp = rtnl_dereference(*fp)) {`
`537`		`- if (pfp == f) {`
`538`		`- *fp = f->next;`
	`537`	`+ if (pfp == fold) {`
	`538`	`+ rcu_assign_pointer(*fp, fold->next);`
`539`	`539`	`break;`
`540`	`540`	`}`
`541`	`541`	`}`