NothingOSS/android_kernel_msm-6.1_nothing_sm7635
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_msm-6.1_noth.../net
History
valis aab2d095ce net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free 
[ Upstream commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 ]

When u32_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Fixes: de5df63228 ("net: sched: cls_u32 changes to knode must appear atomic to readers")
Reported-by: valis <sec@valis.email>
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-2-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-08-11 12:08:15 +02:00
..
6lowpan net: 6lowpan: constify lowpan_nhc structures 2022-06-09 21:53:28 +02:00
9p 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition 2023-04-20 12:35:08 +02:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:33:02 +01:00
8021q vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() 2023-05-24 17:32:47 +01:00
appletalk
atm atm: hide unused procfs functions 2023-06-09 10:34:16 +02:00
ax25 ax25: move from strlcpy with unused retval to strscpy 2022-08-22 17:55:50 -07:00
batman-adv batman-adv: Broken sync while rescheduling delayed work 2023-06-14 11:15:23 +02:00
bluetooth Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor() 2023-07-27 08:50:47 +02:00
bpf Revert "bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES" 2023-03-17 08:50:32 +01:00
bpfilter
bridge bridge: Add extack warning when enabling STP in netns. 2023-07-27 08:50:40 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:50:24 +01:00
can can: bcm: Fix UAF in bcm_proc_show() 2023-07-27 08:50:27 +02:00
ceph rbd: harden get_lock_owner_info() a bit 2023-08-03 10:24:17 +02:00
core net: annotate data-races around sk->sk_priority 2023-08-11 12:08:15 +02:00
dcb
dccp net: annotate data-races around sk->sk_mark 2023-08-11 12:08:14 +02:00
dns_resolver
dsa net: dsa: sja1105: always enable the send_meta options 2023-07-19 16:22:06 +02:00
ethernet net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
ethtool ethtool: Fix uninitialized number of lanes 2023-05-17 11:53:37 +02:00
hsr hsr: ratelimit only when errors are printed 2023-04-06 12:10:58 +02:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-10-07 09:29:17 +02:00
ife
ipv4 net: annotate data-races around sk->sk_priority 2023-08-11 12:08:15 +02:00
ipv6 net: annotate data-races around sk->sk_priority 2023-08-11 12:08:15 +02:00
iucv net/iucv: Fix size of interrupt data 2023-03-22 13:33:50 +01:00
kcm kcm: close race conditions on sk_receive_queue 2022-11-15 12:42:26 +01:00
key af_key: Reject optional tunnel/BEET mode templates in outbound policies 2023-05-24 17:32:43 +01:00
l2tp net: annotate data-races around sk->sk_mark 2023-08-11 12:08:14 +02:00
l3mdev
lapb
llc llc: Don't drop packet from non-root netns. 2023-07-27 08:50:45 +02:00
mac80211 wifi: mac80211: Remove "Missing iftype sband data/EHT cap" spam 2023-07-19 16:21:09 +02:00
mac802154 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() 2022-12-05 09:53:08 +01:00
mctp net: mctp: purge receive queues on sk destruction 2023-02-06 08:06:34 +01:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-22 12:59:53 +01:00
mptcp net: annotate data-races around sk->sk_mark 2023-08-11 12:08:14 +02:00
ncsi net/ncsi: change from ndo_set_mac_address to dev_set_mac_address 2023-07-23 13:49:51 +02:00
netfilter net: annotate data-races around sk->sk_mark 2023-08-11 12:08:14 +02:00
netlabel genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink netlink: Add __sock_i_ino() for __netlink_diag_dump(). 2023-07-19 16:21:13 +02:00
netrom netrom: fix info-leak in nr_write_internal() 2023-06-09 10:34:01 +02:00
nfc net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-19 16:21:13 +02:00
nsh net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() 2023-05-24 17:32:45 +01:00
openvswitch net: openvswitch: fix race on port output 2023-04-20 12:35:09 +02:00
packet net: annotate data-races around sk->sk_priority 2023-08-11 12:08:15 +02:00
phonet
psample genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
qrtr net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() 2023-04-20 12:35:09 +02:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-03-10 09:33:02 +01:00
rfkill
rose net/rose: Fix to not accept on connected socket 2023-02-22 12:59:42 +01:00
rxrpc rxrpc: Fix hard call timeout units 2023-05-17 11:53:35 +02:00
sched net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free 2023-08-11 12:08:15 +02:00
sctp sctp: fix potential deadlock on &net->sctp.addr_wq_lock 2023-07-19 16:22:00 +02:00
smc net: annotate data-races around sk->sk_mark 2023-08-11 12:08:14 +02:00
strparser strparser: pad sk_skb_cb to avoid straddling cachelines 2022-07-08 18:38:44 -07:00
sunrpc SUNRPC: Fix UAF in svc_tcp_listen_data_ready() 2023-07-19 16:21:48 +02:00
switchdev net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
tipc tipc: stop tipc crypto on failure in tipc_node_create 2023-08-03 10:24:02 +02:00
tls tls: rx: strp: don't use GFP_KERNEL in softirq context 2023-06-09 10:34:29 +02:00
unix net: add missing data-race annotations around sk->sk_peek_off 2023-08-11 12:08:14 +02:00
vmw_vsock vsock: avoid to close connected socket after the timeout 2023-05-24 17:32:44 +01:00
wireless wifi: cfg80211: Fix return value in scan logic 2023-08-11 12:08:11 +02:00
x25 net/x25: Fix to not accept on connected socket 2023-02-09 11:28:13 +01:00
xdp net: annotate data-races around sk->sk_mark 2023-08-11 12:08:14 +02:00
xfrm net: annotate data-races around sk->sk_mark 2023-08-11 12:08:14 +02:00
compat.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
devres.c
Kconfig Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
Kconfig.debug net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET 2022-09-20 14:23:56 -07:00
Makefile Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
socket.c net: annotate sk->sk_err write from do_recvmmsg() 2023-05-24 17:32:32 +01:00
sysctl_net.c