net/sched: fix use-after-free in taprio_dev_notifier

Since taprio’s taprio_dev_notifier() isn’t protected by an
RCU read-side critical section, a race with advance_sched()
can lead to a use-after-free.

Adding rcu_read_lock() inside taprio_dev_notifier() prevents this.

Fixes: fed87cc6718a ("net/sched: taprio: automatically calculate queueMaxSDU based on TC gate durations")
Cc: stable@vger.kernel.org
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/aEzIYYxt0is9upYG@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index 14021b8123290655bdc388976ab45135a2da00f0..2b14c81a87e5c4ba134670d5d1f724c73d75b369 100644 (file)
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -1328,13 +1328,15 @@ static int taprio_dev_notifier(struct notifier_block *nb, unsigned long event,
 
                stab = rtnl_dereference(q->root->stab);
 
-               oper = rtnl_dereference(q->oper_sched);
+               rcu_read_lock();
+               oper = rcu_dereference(q->oper_sched);
                if (oper)
                        taprio_update_queue_max_sdu(q, oper, stab);
 
-               admin = rtnl_dereference(q->admin_sched);
+               admin = rcu_dereference(q->admin_sched);
                if (admin)
                        taprio_update_queue_max_sdu(q, admin, stab);
+               rcu_read_unlock();
 
                break;
        }