It assigns the net_device pointer of network interface to
sock->in_dev in cls_tc_rx_hook() in the receiving process.
The use of a sock->in_dev pointer can potentially lead to
wrong memory access if the memory of struct net_device is
freed after network interface is unregistered, which may
cause kernel crash.
The above use after free issue causes a crash as follows:
BUG: unable to handle page fault for address: ffffffed698999c8
CPU: 50 PID: 1290732 Comm: kubelet Kdump: loaded
Tainted: G O K 5.4.119-1-tlinux4-0009.1 #1
RIP: 0010:cls_cgroup_tx_accept+0x5e/0x120
Call Trace:
<IRQ>
cls_tc_tx_hook+0x10d/0x1a0
nf_hook_slow+0x43/0xc0
__ip_local_out+0xcb/0x130
? ip_forward_options+0x190/0x190
ip_local_out+0x1c/0x40
__ip_queue_xmit+0x162/0x3d0
? rx_cgroup_throttle.isra.4+0x2b0/0x2b0
ip_queue_xmit+0x10/0x20
__tcp_transmit_skb+0x57f/0xbe0
__tcp_retransmit_skb+0x1b0/0x8a0
tcp_retransmit_skb+0x19/0xd0
tcp_retransmit_timer+0x367/0xa80
? kvm_clock_get_cycles+0x11/0x20
? ktime_get+0x34/0x90
tcp_write_timer_handler+0x93/0x1f0
tcp_write_timer+0x7c/0x80
? tcp_write_timer_handler+0x1f0/0x1f0
call_timer_fn+0x35/0x130
run_timer_softirq+0x1a8/0x420
? ktime_get+0x34/0x90
? clockevents_program_event+0x85/0xe0
__do_softirq+0x8c/0x2d7
? hrtimer_interrupt+0x12a/0x210
irq_exit+0xa3/0xb0
smp_apic_timer_interrupt+0x77/0x130
apic_timer_interrupt+0xf/0x20
</IRQ>
We introduce indev_ifindex as a new struct filed to record
the ifindex of net_device, and then indev_ifindex can be
used for obtaining an index to avoid direct memory access
to struct members of in_dev pointer.
Fixes: f8829546f3b3 ("rue/net: init netcls traffic controller")
Signed-off-by: Honglin Li <honglinli@tencent.com>
Reviewed-by: Ze Gao <zegao@tencent.com>
26941c0f5e