From: Roman Kapl <c...@rkapl.cz>
Date: Mon, 20 Nov 2017 22:21:13 +0100

> If you flush (delete) a filter chain other than chain 0 (such as when
> deleting the device), the kernel may run into a use-after-free. The
> chain refcount must not be decremented unless we are sure we are done
> with the chain.
>
> To reproduce the bug, run:
>     ip link add dtest type dummy
>     tc qdisc add dev dtest ingress
>     tc filter add dev dtest chain 1 parent ffff: flower
>     ip link del dtest
>
> Introduced in: commit f93e1cdcf42c ("net/sched: fix filter flushing"),
> but unless you have KAsan or luck, you won't notice it until
> commit 0dadc117ac8b ("cls_flower: use tcf_exts_get_net() before call_rcu()")
>
> Fixes: f93e1cdcf42c ("net/sched: fix filter flushing")
> Acked-by: Jiri Pirko <j...@mellanox.com>
> Signed-off-by: Roman Kapl <c...@rkapl.cz>

Applied, thank you.