    sched: cls_flow: fix panic on filter replace · 32b2f4b1
    Daniel Borkmann authored
    The following test case causes a NULL pointer dereference in cls_flow:
    
      tc filter add dev foo parent 1: handle 0x1 flow hash keys dst action ok
      tc filter replace dev foo parent 1: pref 49152 handle 0x1 \
                flow hash keys mark action drop
    
    To be more precise, actually two different panics are fixed, the first
    occurs because tcf_exts_init() is not called on the newly allocated
    filter when we do a replace. And the second panic uncovered after that
    happens since the arguments of list_replace_rcu() are swapped, the old
    element needs to be the first argument and the new element the second.
    
    Fixes: 70da9f0b ("net: sched: cls_flow use RCU")
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: John Fastabend <john.r.fastabend@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
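The second panic described above comes down to argument order: the kernel's list_replace() (and its RCU variant) takes the element being removed first and the replacement second, and a freshly allocated, zero-filled filter passed in the "old" slot is dereferenced as if it were linked. The following is an added userspace illustration, not code from the kernel or from this commit: it re-creates list_replace() with the same pointer updates as include/linux/list.h, wraps it in a hypothetical checked_list_replace() that rejects an unlinked "old" argument, and drives it with a constructed two-filter scenario (struct flow_filter, demo_replace_order() and the action values 1 and 2 are all constructed for the example).

```c
#include <stddef.h>
#include <string.h>

/* Minimal re-creation of the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *l) { l->next = l; l->prev = l; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

/* Same pointer updates as the kernel's list_replace(): 'old' is the element
 * currently in the list, 'new' the one taking its place. Note that it reads
 * old->next and old->prev without any check, so a zero-filled 'old' is a
 * NULL dereference on the second line. */
static void list_replace(struct list_head *old, struct list_head *new)
{
    new->next = old->next;
    new->next->prev = new;
    new->prev = old->prev;
    new->prev->next = new;
}

/* Hypothetical defensive wrapper (not kernel code): refuse the replace unless
 * 'old' is really linked and 'new' is not. A kzalloc'ed filter handed in as
 * 'old' is exactly the swapped call the commit message describes. */
static int checked_list_replace(struct list_head *old, struct list_head *new)
{
    if (old->next == NULL || old->prev == NULL)
        return -1;                              /* 'old' was never linked */
    if (old->next->prev != old || old->prev->next != old)
        return -1;                              /* 'old' links are corrupt */
    if (new->next != NULL && new->next != new)
        return -2;                              /* 'new' already on a list */
    list_replace(old, new);
    return 0;
}

/* Constructed stand-in for a classifier filter: handle plus an action code. */
struct flow_filter { int handle; int action; struct list_head list; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Walk the list, copy out up to 'max' action codes, and return the element
 * count, or -1 if any back pointer is inconsistent. */
static int list_check(struct list_head *head, int *actions, int max)
{
    int n = 0;
    for (struct list_head *p = head->next; p != head; p = p->next) {
        if (p->next->prev != p || p->prev->next != p)
            return -1;
        if (n < max)
            actions[n] = container_of(p, struct flow_filter, list)->action;
        n++;
    }
    return n;
}

/* Mirror the tc sequence from the commit message: filter handle 0x1 with
 * action 1 ("ok") is replaced by a new filter with action 2 ("drop").
 * swapped=0 uses the correct (old, new) order, swapped=1 the buggy (new, old)
 * order. Returns 0 when the replace succeeded and the list is intact. */
int demo_replace_order(int swapped)
{
    struct list_head head;
    struct flow_filter fold = { .handle = 1, .action = 1 };
    struct flow_filter fnew;
    int actions[4];
    int rc;

    init_list_head(&head);
    memset(&fnew, 0, sizeof fnew);               /* like a kzalloc'ed filter */
    fnew.handle = 1;
    fnew.action = 2;
    list_add_tail(&fold.list, &head);

    rc = swapped ? checked_list_replace(&fnew.list, &fold.list)
                 : checked_list_replace(&fold.list, &fnew.list);
    if (rc)
        return rc;
    if (list_check(&head, actions, 4) != 1 || actions[0] != 2)
        return -3;
    return 0;
}
```

With the correct order the list ends up holding only the new filter and every back pointer still agrees; with the arguments swapped the wrapper returns -1 at the point where the unchecked kernel helper would have faulted on the zeroed next pointer.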
cls_flow.c 16.3 KB