linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
	"David S. Miller" <davem@davemloft.net>,
	Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 4.9 68/78] sch_htb: fix crash on init failure
Date: Thu, 13 Sep 2018 15:31:55 +0200	[thread overview]
Message-ID: <20180913131812.489447139@linuxfoundation.org> (raw)
In-Reply-To: <20180913131805.732342940@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 88c2ace69dbef696edba77712882af03879abc9c upstream.

The commit below added a call to the ->destroy() callback for all qdiscs
which failed in their ->init(), but some were not prepared for such
change and can't handle partially initialized qdisc. HTB is one of them
and if any error occurs before the qdisc watchdog timer and qdisc work are
initialized then we can hit either a null ptr deref (timer->base) when
canceling in ->destroy or lockdep error info about trying to register
a non-static key and a stack dump. So to fix these two move the watchdog
timer and workqueue init before anything that can err out.
To reproduce userspace needs to send broken htb qdisc create request,
tested with a modified tc (q_htb.c).

Trace log:
[ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2710.897977] IP: hrtimer_active+0x17/0x8a
[ 2710.898174] PGD 58fab067
[ 2710.898175] P4D 58fab067
[ 2710.898353] PUD 586c0067
[ 2710.898531] PMD 0
[ 2710.898710]
[ 2710.899045] Oops: 0000 [#1] SMP
[ 2710.899232] Modules linked in:
[ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
[ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000
[ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
[ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246
[ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000
[ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298
[ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001
[ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000
[ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0
[ 2710.901907] FS:  00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
[ 2710.902277] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0
[ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2710.903180] Call Trace:
[ 2710.903332]  hrtimer_try_to_cancel+0x1a/0x93
[ 2710.903504]  hrtimer_cancel+0x15/0x20
[ 2710.903667]  qdisc_watchdog_cancel+0x12/0x14
[ 2710.903866]  htb_destroy+0x2e/0xf7
[ 2710.904097]  qdisc_create+0x377/0x3fd
[ 2710.904330]  tc_modify_qdisc+0x4d2/0x4fd
[ 2710.904511]  rtnetlink_rcv_msg+0x188/0x197
[ 2710.904682]  ? rcu_read_unlock+0x3e/0x5f
[ 2710.904849]  ? rtnl_newlink+0x729/0x729
[ 2710.905017]  netlink_rcv_skb+0x6c/0xce
[ 2710.905183]  rtnetlink_rcv+0x23/0x2a
[ 2710.905345]  netlink_unicast+0x103/0x181
[ 2710.905511]  netlink_sendmsg+0x326/0x337
[ 2710.905679]  sock_sendmsg_nosec+0x14/0x3f
[ 2710.905847]  sock_sendmsg+0x29/0x2e
[ 2710.906010]  ___sys_sendmsg+0x209/0x28b
[ 2710.906176]  ? do_raw_spin_unlock+0xcd/0xf8
[ 2710.906346]  ? _raw_spin_unlock+0x27/0x31
[ 2710.906514]  ? __handle_mm_fault+0x651/0xdb1
[ 2710.906685]  ? check_chain_key+0xb0/0xfd
[ 2710.906855]  __sys_sendmsg+0x45/0x63
[ 2710.907018]  ? __sys_sendmsg+0x45/0x63
[ 2710.907185]  SyS_sendmsg+0x19/0x1b
[ 2710.907344]  entry_SYSCALL_64_fastpath+0x23/0xc2

Note that probably this bug goes further back because the default qdisc
handling always calls ->destroy on init failure too.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/sch_htb.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -1013,6 +1013,9 @@ static int htb_init(struct Qdisc *sch, s
 	int err;
 	int i;
 
+	qdisc_watchdog_init(&q->watchdog, sch);
+	INIT_WORK(&q->work, htb_work_func);
+
 	if (!opt)
 		return -EINVAL;
 
@@ -1033,8 +1036,6 @@ static int htb_init(struct Qdisc *sch, s
 	for (i = 0; i < TC_HTB_NUMPRIO; i++)
 		INIT_LIST_HEAD(q->drops + i);
 
-	qdisc_watchdog_init(&q->watchdog, sch);
-	INIT_WORK(&q->work, htb_work_func);
 	qdisc_skb_head_init(&q->direct_queue);
 
 	if (tb[TCA_HTB_DIRECT_QLEN])



  parent reply	other threads:[~2018-09-13 13:41 UTC|newest]

Thread overview: 82+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-13 13:30 [PATCH 4.9 00/78] 4.9.127-stable review Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 01/78] x86/speculation/l1tf: Fix up pte->pfn conversion for PAE Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 02/78] act_ife: fix a potential use-after-free Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 03/78] ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 04/78] net: bcmgenet: use MAC link status for fixed phy Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 05/78] net: sched: Fix memory exposure from short TCA_U32_SEL Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 06/78] qlge: Fix netdev features configuration Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 07/78] r8169: add support for NCube 8168 network card Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 08/78] tcp: do not restart timewait timer on rst reception Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 09/78] vti6: remove !skb->ignore_df check from vti6_xmit() Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 10/78] sctp: hold transport before accessing its asoc in sctp_transport_get_next Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 11/78] vhost: correctly check the iova range when waking virtqueue Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 12/78] hv_netvsc: ignore devices that are not PCI Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 13/78] act_ife: move tcfa_lock down to where necessary Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 14/78] act_ife: fix a potential deadlock Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 15/78] net: sched: action_ife: take reference to meta module Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 16/78] cifs: check if SMB2 PDU size has been padded and suppress the warning Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 17/78] hfsplus: dont return 0 when fill_super() failed Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 18/78] hfs: prevent crash on exit from failed search Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 19/78] sunrpc: Dont use stack buffer with scatterlist Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 20/78] fork: dont copy inconsistent signal handler state to child Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 21/78] reiserfs: change j_timestamp type to time64_t Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 22/78] hfsplus: fix NULL dereference in hfsplus_lookup() Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 23/78] fat: validate ->i_start before using Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 24/78] scripts: modpost: check memory allocation results Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 25/78] virtio: pci-legacy: Validate queue pfn Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 26/78] mm/fadvise.c: fix signed overflow UBSAN complaint Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 27/78] fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 28/78] platform/x86: intel_punit_ipc: fix build errors Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 29/78] s390/kdump: Fix memleak in nt_vmcoreinfo Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 30/78] ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 31/78] mfd: sm501: Set coherent_dma_mask when creating subdevices Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 32/78] platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360 Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 33/78] RDMA/hns: Fix usage of bitmap allocation functions return values Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 34/78] irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 35/78] net/9p/trans_fd.c: fix race by holding the lock Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 36/78] net/9p: fix error path of p9_virtio_probe Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 37/78] powerpc: Fix size calculation using resource_size() Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 38/78] perf probe powerpc: Fix trace event post-processing Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 39/78] block: bvec_nr_vecs() returns value for wrong slab Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 40/78] s390/dasd: fix hanging offline processing due to canceled worker Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 41/78] s390/dasd: fix panic for failed online processing Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 42/78] ACPI / scan: Initialize status to ACPI_STA_DEFAULT Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 43/78] scsi: aic94xx: fix an error code in aic94xx_init() Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 44/78] PCI: mvebu: Fix I/O space end address calculation Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 45/78] dm kcopyd: avoid softlockup in run_complete_job Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 46/78] staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 47/78] selftests/powerpc: Kill child processes on SIGINT Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 48/78] RDS: IB: fix passing zero to ERR_PTR() warning Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 49/78] smb3: fix reset of bytes read and written stats Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 50/78] SMB3: Number of requests sent should be displayed for SMB3 not just CIFS Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 51/78] powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 52/78] clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in rk3399 Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 53/78] btrfs: replace: Reset on-disk dev stats value after replace Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 54/78] btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 55/78] btrfs: Dont remove block group that still has pinned down bytes Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 56/78] arm64: rockchip: Force CONFIG_PM on Rockchip systems Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 57/78] ARM: " Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 58/78] drm/edid: Add 6 bpc quirk for SDC panel in Lenovo B50-80 Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 59/78] tcp: Revert "tcp: tcp_probe: use spin_lock_bh()" Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 60/78] debugobjects: Make stack check warning more informative Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 61/78] x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 62/78] kbuild: make missing $DEPMOD a Warning instead of an Error Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 63/78] irda: Fix memory leak caused by repeated binds of irda socket Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 64/78] irda: Only insert new objects into the global database via setsockopt Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 65/78] Revert "ARM: imx_v6_v7_defconfig: Select ULPI support" Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 66/78] enic: do not call enic_change_mtu in enic_probe Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 67/78] Fixes: Commit 2aa6d036b716 ("mm: numa: avoid waiting on freed migrated pages") Greg Kroah-Hartman
2018-09-13 13:31 ` Greg Kroah-Hartman [this message]
2018-09-13 13:31 ` [PATCH 4.9 69/78] sch_multiq: fix double free on init failure Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 70/78] sch_hhf: fix null pointer dereference " Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 71/78] sch_netem: avoid null pointer deref " Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 72/78] sch_tbf: fix two null pointer dereferences " Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 73/78] mei: me: allow runtime pm for platform with D0i3 Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 74/78] s390/lib: use expoline for all bcr instructions Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 75/78] ASoC: wm8994: Fix missing break in switch Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 76/78] btrfs: use correct compare function of dirty_metadata_bytes Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 77/78] arm64: Fix mismatched cache line size detection Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 78/78] arm64: Handle mismatched cache type Greg Kroah-Hartman
2018-09-13 19:10 ` [PATCH 4.9 00/78] 4.9.127-stable review Nathan Chancellor
2018-09-14 12:42 ` Naresh Kamboju
2018-09-14 14:55 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180913131812.489447139@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=amit.pundir@linaro.org \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nikolay@cumulusnetworks.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).