[net] net_sched: check error pointer in tcf_dump_walker()

Message ID	20201002191334.14135-1-xiyou.wangcong@gmail.com
State	New
Headers	show Return-Path: <SRS0=C+qH=DJ=vger.kernel.org=netdev-owner@kernel.org> From: Cong Wang <xiyou.wangcong@gmail.com> To: netdev@vger.kernel.org Cc: Cong Wang <xiyou.wangcong@gmail.com>, syzbot+b47bc4f247856fb4d9e1@syzkaller.appspotmail.com, Vlad Buslov <vladbu@mellanox.com>, Jamal Hadi Salim <jhs@mojatatu.com>, Jiri Pirko <jiri@resnulli.us> Subject: [Patch net] net_sched: check error pointer in tcf_dump_walker() Date: Fri, 2 Oct 2020 12:13:34 -0700 Message-Id: <20201002191334.14135-1-xiyou.wangcong@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[net] net_sched: check error pointer in tcf_dump_walker() \| expand [net] net_sched: check error pointer in tcf_dump_walker()

Message ID

20201002191334.14135-1-xiyou.wangcong@gmail.com

State

New

Headers

From: Cong Wang <xiyou.wangcong@gmail.com>
To: netdev@vger.kernel.org
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
	syzbot+b47bc4f247856fb4d9e1@syzkaller.appspotmail.com,
	Vlad Buslov <vladbu@mellanox.com>, Jamal Hadi Salim <jhs@mojatatu.com>,
	Jiri Pirko <jiri@resnulli.us>
Subject: [Patch net] net_sched: check error pointer in tcf_dump_walker()
Date: Fri,  2 Oct 2020 12:13:34 -0700
Message-Id: <20201002191334.14135-1-xiyou.wangcong@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[net] net_sched: check error pointer in tcf_dump_walker() | expand

Commit Message

Cong Wang Oct. 2, 2020, 7:13 p.m. UTC

Although we take RTNL on dump path, it is possible to
skip RTNL on insertion path. So the following race condition
is possible:

rtnl_lock()		// no rtnl lock
			mutex_lock(&idrinfo->lock);
			// insert ERR_PTR(-EBUSY)
			mutex_unlock(&idrinfo->lock);
tc_dump_action()
rtnl_unlock()

So we have to skip those temporary -EBUSY entries on dump path
too.

Reported-and-tested-by: syzbot+b47bc4f247856fb4d9e1@syzkaller.appspotmail.com
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Cc: Vlad Buslov <vladbu@mellanox.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 net/sched/act_api.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

David Miller Oct. 4, 2020, 9:54 p.m. UTC | #1

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Fri,  2 Oct 2020 12:13:34 -0700

> Although we take RTNL on dump path, it is possible to
> skip RTNL on insertion path. So the following race condition
> is possible:
> 
> rtnl_lock()		// no rtnl lock
> 			mutex_lock(&idrinfo->lock);
> 			// insert ERR_PTR(-EBUSY)
> 			mutex_unlock(&idrinfo->lock);
> tc_dump_action()
> rtnl_unlock()
> 
> So we have to skip those temporary -EBUSY entries on dump path
> too.
> 
> Reported-and-tested-by: syzbot+b47bc4f247856fb4d9e1@syzkaller.appspotmail.com
> Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
> Cc: Vlad Buslov <vladbu@mellanox.com>
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Cc: Jiri Pirko <jiri@resnulli.us>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Applied and queued up for -stable.

diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 5612b336e18e..798430e1a79f 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -235,6 +235,8 @@  static int tcf_dump_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb,
 		index++;
 		if (index < s_i)
 			continue;
+		if (IS_ERR(p))
+			continue;
 
 		if (jiffy_since &&
 		    time_after(jiffy_since,