Unverified Commit d171d304 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!10088 fix CVE-2024-40995 

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/TONLOUV7GITPUSULMCE2NYVDWMTDYDCL/ 
Fix CVE-2024-40995.

David Ruth (1):
  net/sched: act_api: fix possible infinite loop in
    tcf_idr_check_alloc()

Pedro Tammela (1):
  net/sched: act_api: rely on rcu in tcf_idr_check_alloc


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IACR2K 
 
Link:https://gitee.com/openeuler/kernel/pulls/10088

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parents 0ba86522 8ace2ac8

net/sched/act_api.c

+43 −23
Original line number Diff line number Diff line
@@ -507,6 +507,9 @@ EXPORT_SYMBOL(tcf_idr_cleanup); 
 * its reference and bind counters, and return 1. Otherwise insert temporary

 * error pointer (to prevent concurrent users from inserting actions with same

 * index) and return 0.

 *

 * May return -EAGAIN for binding actions in case of a parallel add/delete on

 * the requested index.

 */



int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
@@ -515,43 +518,60 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index, 
	struct tcf_idrinfo *idrinfo = tn->idrinfo;

	struct tc_action *p;

	int ret;

	u32 max;



again:

	mutex_lock(&idrinfo->lock);

	if (*index) {

		rcu_read_lock();

		p = idr_find(&idrinfo->action_idr, *index);



		if (IS_ERR(p)) {

			/* This means that another process allocated

			 * index but did not assign the pointer yet.

			 */

			mutex_unlock(&idrinfo->lock);

			goto again;

			rcu_read_unlock();

			return -EAGAIN;

		}



		if (!p) {

			/* Empty slot, try to allocate it */

			max = *index;

			rcu_read_unlock();

			goto new;

		}



		if (!refcount_inc_not_zero(&p->tcfa_refcnt)) {

			/* Action was deleted in parallel */

			rcu_read_unlock();

			return -EAGAIN;

		}



		if (p) {

			refcount_inc(&p->tcfa_refcnt);

		if (bind)

			atomic_inc(&p->tcfa_bindcnt);

		*a = p;

			ret = 1;

		} else {

			*a = NULL;

			ret = idr_alloc_u32(&idrinfo->action_idr, NULL, index,

					    *index, GFP_KERNEL);

			if (!ret)

				idr_replace(&idrinfo->action_idr,

					    ERR_PTR(-EBUSY), *index);

		}



		rcu_read_unlock();



		return 1;

	} else {

		/* Find a slot */

		*index = 1;

		*a = NULL;

		ret = idr_alloc_u32(&idrinfo->action_idr, NULL, index,

				    UINT_MAX, GFP_KERNEL);

		if (!ret)

			idr_replace(&idrinfo->action_idr, ERR_PTR(-EBUSY),

				    *index);

		max = UINT_MAX;

	}



new:

	*a = NULL;



	mutex_lock(&idrinfo->lock);

	ret = idr_alloc_u32(&idrinfo->action_idr, ERR_PTR(-EBUSY), index, max,

			    GFP_KERNEL);

	mutex_unlock(&idrinfo->lock);



	/* N binds raced for action allocation,

	 * retry for all the ones that failed.

	 */

	if (ret == -ENOSPC && *index == max)

		ret = -EAGAIN;



	return ret;

}

EXPORT_SYMBOL(tcf_idr_check_alloc);