From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Fri, 2 Oct 2020 19:13:34 +0000 (-0700)
Subject: net_sched: check error pointer in tcf_dump_walker()
X-Git-Tag: v5.4.138~40
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=99372c38a948823060e9123ce6ec6bcba43d9387;p=thirdparty%2Fkernel%2Fstable.git

net_sched: check error pointer in tcf_dump_walker()

[ Upstream commit 580e4273d7a883ececfefa692c1f96bdbacb99b5 ]

Although we take RTNL on dump path, it is possible to
skip RTNL on insertion path. So the following race condition
is possible:

rtnl_lock()		// no rtnl lock
			mutex_lock(&idrinfo->lock);
			// insert ERR_PTR(-EBUSY)
			mutex_unlock(&idrinfo->lock);
tc_dump_action()
rtnl_unlock()

So we have to skip those temporary -EBUSY entries on dump path
too.

Reported-and-tested-by: syzbot+b47bc4f247856fb4d9e1@syzkaller.appspotmail.com
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Cc: Vlad Buslov <vladbu@mellanox.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 17e5cd9ebd89f..75132d0ca8870 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -231,6 +231,8 @@ static int tcf_dump_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb,
 		index++;
 		if (index < s_i)
 			continue;
+		if (IS_ERR(p))
+			continue;
 
 		if (jiffy_since &&
 		    time_after(jiffy_since,