From: Vlad Buslov <vla...@mellanox.com>
Date: Wed, 6 Mar 2019 16:22:12 +0200
> When adding new filter to flower classifier, fl_change() inserts it to
> handle_idr before initializing filter extensions and assigning it a mask.
> Normally this ordering doesn't matter because all flower classifier ops
> callbacks assume rtnl lock protection. However, when filter has an action
> that doesn't have its kernel module loaded, rtnl lock is released before
> call to request_module(). During this time the filter can be accessed by
> concurrent task before its initialization is completed, which can lead to a
> crash.
>
> Example case of NULL pointer dereference in concurrent dump:
...
> Extension initialization and mask assignment don't depend on fnew->handle
> that is allocated by idr_alloc_u32(). Move idr allocation code after action
> creation and mask assignment in fl_change() to prevent concurrent access
> to not fully initialized filter when rtnl lock is released to load action
> module.
>
> Fixes: 01683a146999 ("net: sched: refactor flower walk to iterate over idr")
> Signed-off-by: Vlad Buslov <vla...@mellanox.com>
> Reviewed-by: Roi Dayan <r...@mellanox.com>

Applied and queued up for -stable.
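A constructed user-space model of the ordering bug the patch describes, added here and not part of the patch or the kernel tree: the handle table, filter struct and both fl_change orderings are toy stand-ins (hypothetical names), and the dump is run deterministically inside the window where rtnl would be dropped for request_module().

```c
#include <stdbool.h>
#include <string.h>
/* Constructed model of the fl_change() ordering bug: a filter becomes visible
 * in the handle table before its mask is assigned, and a concurrent dump runs
 * in the window where rtnl lock is dropped for request_module(). */
struct fl_mask { int id; };                          /* stand-in for the real mask */
struct cls_fl_filter { unsigned int handle; struct fl_mask *mask; };
#define MAX_HANDLES 8
static struct cls_fl_filter *handle_idr[MAX_HANDLES]; /* toy handle_idr: index == handle */

static void idr_alloc_filter(struct cls_fl_filter *f)
{
	for (unsigned int h = 1; h < MAX_HANDLES; h++)
		if (!handle_idr[h]) { handle_idr[h] = f; f->handle = h; return; }
}

/* Concurrent dump: would dereference each published filter's mask; true if one is still NULL. */
static bool fl_dump_sees_uninit(void)
{
	for (unsigned int h = 1; h < MAX_HANDLES; h++)
		if (handle_idr[h] && handle_idr[h]->mask == NULL)
			return true;
	return false;
}

/* Original ordering: publish, drop rtnl to load the action module (dump runs), assign mask. */
static bool fl_change_before_fix(struct cls_fl_filter *f, struct fl_mask *m)
{
	idr_alloc_filter(f);
	bool hit = fl_dump_sees_uninit();  /* rtnl released for request_module() */
	f->mask = m;
	return hit;
}

/* Fixed ordering: load the module and assign the mask first, publish last. */
static bool fl_change_after_fix(struct cls_fl_filter *f, struct fl_mask *m)
{
	bool hit = fl_dump_sees_uninit();  /* f is not yet visible to the dump */
	f->mask = m;
	idr_alloc_filter(f);
	return hit;
}

/* Run one ordering on an empty table; true means the dump hit a NULL mask. */
bool run_scenario(bool fixed)
{
	static struct fl_mask m;
	static struct cls_fl_filter f;
	memset(handle_idr, 0, sizeof handle_idr);
	f.handle = 0; f.mask = NULL;
	return fixed ? fl_change_after_fix(&f, &m) : fl_change_before_fix(&f, &m);
}
```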