linux/net/sched
Davide Caratti 3ff4cbec87 net/sched: cls_matchall: fix crash when used with classful qdisc
this script, edited from Linux Advanced Routing and Traffic Control guide

tc q a dev en0 root handle 1: htb default a
tc c a dev en0 parent 1:  classid 1:1 htb rate 6mbit burst 15k
tc c a dev en0 parent 1:1 classid 1:a htb rate 5mbit ceil 6mbit burst 15k
tc c a dev en0 parent 1:1 classid 1:b htb rate 1mbit ceil 6mbit burst 15k
tc f a dev en0 parent 1:0 prio 1 $clsname $clsargs classid 1:b
ping $address -c1
tc -s c s dev en0

classifies traffic to 1:b or 1:a, depending on whether or not the packet
matches the pattern $clsargs of filter $clsname. However, when $clsname is
'matchall', a systematic crash can be observed in htb_classify(). HTB and
classful qdiscs don't assign an initial value to struct tcf_result, but
then they expect it to contain valid values after filters have been run.
Thus, current 'matchall' ignores the TCA_MATCHALL_CLASSID attribute,
configured by the user, and makes HTB (and classful qdiscs) dereference
random pointers.

By assigning head->res to *res in mall_classify(), before the actions are
invoked, we fix this crash and enable TCA_MATCHALL_CLASSID functionality,
which had no effect on the 'matchall' classifier since its first
introduction.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1460213
Reported-by: Jiri Benc <jbenc@redhat.com>
Fixes: b87f7936a9 ("net/sched: introduce Match-all classifier")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Yotam Gigi <yotamg@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-18 16:37:36 -07:00
act_api.c net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker 2017-09-13 09:34:08 -07:00
act_bpf.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_connmark.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_csum.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_gact.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_ife.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_ipt.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_meta_mark.c Support to encoding decoding skb mark on IFE action 2016-03-01 17:15:23 -05:00
act_meta_skbprio.c Support to encoding decoding skb prio on IFE action 2016-03-01 17:15:23 -05:00
act_meta_skbtcindex.c net sched ife action: Introduce skb tcindex metadata encap decap 2016-09-19 21:55:28 -04:00
act_mirred.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_nat.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_pedit.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_police.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_sample.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_simple.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_skbedit.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_skbmod.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_tunnel_key.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
act_vlan.c net/sched: Change act_api and act_xxx modules to use IDR 2017-08-30 14:38:51 -07:00
cls_api.c net_sched: carefully handle tcf_block_put() 2017-09-12 20:41:02 -07:00
cls_basic.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_bpf.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_cgroup.c net_sched: use void pointer for filter handle 2017-08-07 14:12:17 -07:00
cls_flow.c net_sched: use void pointer for filter handle 2017-08-07 14:12:17 -07:00
cls_flower.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_fw.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_matchall.c net/sched: cls_matchall: fix crash when used with classful qdisc 2017-09-18 16:37:36 -07:00
cls_route.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_rsvp6.c
cls_rsvp.c
cls_rsvp.h net/sched: fix pointer check in gen_handle 2017-09-11 14:34:52 -07:00
cls_tcindex.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
cls_u32.c net_sched: add reverse binding for tc class 2017-08-31 11:40:52 -07:00
em_canid.c
em_cmp.c
em_ipset.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
em_meta.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
em_nbyte.c
em_text.c
em_u32.c
ematch.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
Kconfig net: sched: select cls when cls_act is enabled 2017-06-05 10:56:36 -04:00
Makefile net/sched: Introduce sample tc action 2017-01-24 13:44:28 -05:00
sch_api.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_atm.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_blackhole.c net_sched: drop packets after root qdisc lock is released 2016-06-25 12:19:35 -04:00
sch_cbq.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_choke.c treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
sch_codel.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_drr.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_dsmark.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_fifo.c sched: don't use skb queue helpers 2016-09-19 01:47:18 -04:00
sch_fq_codel.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_fq.c mm, tree wide: replace __GFP_REPEAT by __GFP_RETRY_MAYFAIL with more useful semantic 2017-07-12 16:26:03 -07:00
sch_generic.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_gred.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_hfsc.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_hhf.c sch_hhf: fix null pointer dereference on init failure 2017-08-30 15:26:11 -07:00
sch_htb.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_ingress.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_mq.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_mqprio.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_multiq.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_netem.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_pie.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_plug.c net_sched: drop packets after root qdisc lock is released 2016-06-25 12:19:35 -04:00
sch_prio.c sched: Use __qdisc_drop instead of kfree_skb in sch_prio and sch_qfq 2017-09-06 21:20:07 -07:00
sch_qfq.c sched: Use __qdisc_drop instead of kfree_skb in sch_prio and sch_qfq 2017-09-06 21:20:07 -07:00
sch_red.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_sfb.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_sfq.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_tbf.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_teql.c net: make ndo_get_stats64 a void function 2017-01-08 17:51:44 -05:00