Merge branch 'tcf_foo_init-NULL-deref'

Davide Caratti says: ==================== net/sched: fix NULL dereference in the error path of .init() with several TC actions it's possible to see NULL pointer dereference, when the .init() function calls tcf_idr_alloc(), fails at some point and then calls tcf_idr_release(): this series fixes all them introducing non-NULL tests in the .cleanup() function. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-17 19:53:29 -04:00 · 2018-03-17 19:53:29 -04:00 · 78f1b04fa2
commit 78f1b04fa2
parent f9db50691d 2d43361017
5 changed files with 13 additions and 8 deletions
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@ -626,7 +626,8 @@ static void tcf_csum_cleanup(struct tc_action *a)
 	struct tcf_csum_params *params;

 	params = rcu_dereference_protected(p->params, 1);
-	kfree_rcu(params, rcu);
+	if (params)
+		kfree_rcu(params, rcu);
 }

 static int tcf_csum_walker(struct net *net, struct sk_buff *skb,
--- a/net/sched/act_sample.c
+++ b/net/sched/act_sample.c
@ -103,7 +103,8 @@ static void tcf_sample_cleanup(struct tc_action *a)

 	psample_group = rtnl_dereference(s->psample_group);
 	RCU_INIT_POINTER(s->psample_group, NULL);
-	psample_group_put(psample_group);
+	if (psample_group)
+		psample_group_put(psample_group);
 }

 static bool tcf_sample_dev_ok_push(struct net_device *dev)
--- a/net/sched/act_skbmod.c
+++ b/net/sched/act_skbmod.c
@ -190,7 +190,8 @@ static void tcf_skbmod_cleanup(struct tc_action *a)
 	struct tcf_skbmod_params  *p;

 	p = rcu_dereference_protected(d->skbmod_p, 1);
-	kfree_rcu(p, rcu);
+	if (p)
+		kfree_rcu(p, rcu);
 }

 static int tcf_skbmod_dump(struct sk_buff *skb, struct tc_action *a,
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@ -208,11 +208,12 @@ static void tunnel_key_release(struct tc_action *a)
 	struct tcf_tunnel_key_params *params;

 	params = rcu_dereference_protected(t->params, 1);
+	if (params) {
+		if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
+			dst_release(&params->tcft_enc_metadata->dst);

-	if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
-		dst_release(&params->tcft_enc_metadata->dst);
-
-	kfree_rcu(params, rcu);
+		kfree_rcu(params, rcu);
+	}
 }

 static int tunnel_key_dump_addresses(struct sk_buff *skb,
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@ -225,7 +225,8 @@ static void tcf_vlan_cleanup(struct tc_action *a)
 	struct tcf_vlan_params *p;

 	p = rcu_dereference_protected(v->vlan_p, 1);
-	kfree_rcu(p, rcu);
+	if (p)
+		kfree_rcu(p, rcu);
 }

 static int tcf_vlan_dump(struct sk_buff *skb, struct tc_action *a,