From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 007/114] sch_choke: avoid potential panic in choke_reset()
Date: Mon, 18 May 2020 19:35:39 +0200 [thread overview]
Message-ID: <20200518173504.443663488@linuxfoundation.org> (raw)
In-Reply-To: <20200518173503.033975649@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ]
If choke_init() could not allocate q->tab, we would crash later
in choke_reset().
BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline]
BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326
Write of size 8 at addr 0000000000000000 by task syz-executor822/7022
CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
__kasan_report.cold+0x5/0x4d mm/kasan/report.c:515
kasan_report+0x33/0x50 mm/kasan/common.c:625
check_memory_region_inline mm/kasan/generic.c:187 [inline]
check_memory_region+0x141/0x190 mm/kasan/generic.c:193
memset+0x20/0x40 mm/kasan/common.c:85
memset include/linux/string.h:366 [inline]
choke_reset+0x208/0x340 net/sched/sch_choke.c:326
qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910
dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138
netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline]
dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195
dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233
qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051
tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670
rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:672
____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
___sys_sendmsg+0x100/0x170 net/socket.c:2416
__sys_sendmsg+0xec/0x1b0 net/socket.c:2449
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_choke.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/sched/sch_choke.c
+++ b/net/sched/sch_choke.c
@@ -327,7 +327,8 @@ static void choke_reset(struct Qdisc *sc
sch->q.qlen = 0;
sch->qstats.backlog = 0;
- memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
+ if (q->tab)
+ memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
q->head = q->tail = 0;
red_restart(&q->vars);
}
next prev parent reply other threads:[~2020-05-18 17:47 UTC|newest]
Thread overview: 119+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-18 17:35 [PATCH 4.14 000/114] 4.14.181-rc1 review Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 001/114] USB: serial: qcserial: Add DW5816e support Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 002/114] dp83640: reverse arguments to list_add_tail Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 003/114] fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 004/114] net: macsec: preserve ingress frame ordering Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 005/114] net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 006/114] net: usb: qmi_wwan: add support for DW5816e Greg Kroah-Hartman
2020-05-18 17:35 ` Greg Kroah-Hartman [this message]
2020-05-18 17:35 ` [PATCH 4.14 008/114] sch_sfq: validate silly quantum values Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 009/114] bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 010/114] net/mlx5: Fix forced completion access non initialized command entry Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 011/114] net/mlx5: Fix command entry leak in Internal Error State Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 012/114] bnxt_en: Improve AER slot reset Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 013/114] bnxt_en: Fix VF anti-spoof filter setup Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 014/114] net: stricter validation of untrusted gso packets Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 015/114] ipv6: fix cleanup ordering for ip6_mr failure Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 016/114] HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 017/114] geneve: only configure or fill UDP_ZERO_CSUM6_RX/TX info when CONFIG_IPV6 Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 018/114] HID: usbhid: Fix race between usbhid_close() and usbhid_stop() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 019/114] USB: uas: add quirk for LaCie 2Big Quadra Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 020/114] USB: serial: garmin_gps: add sanity checking for data length Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 021/114] tracing: Add a vmalloc_sync_mappings() for safe measure Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 022/114] KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 023/114] mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 024/114] coredump: fix crash when umh is disabled Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 025/114] batman-adv: fix batadv_nc_random_weight_tq Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 026/114] batman-adv: Fix refcnt leak in batadv_show_throughput_override Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 027/114] batman-adv: Fix refcnt leak in batadv_store_throughput_override Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 028/114] batman-adv: Fix refcnt leak in batadv_v_ogm_process Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 029/114] x86/entry/64: Fix unwind hints in kernel exit path Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 030/114] x86/entry/64: Fix unwind hints in rewind_stack_do_exit() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 031/114] x86/unwind/orc: Dont skip the first frame for inactive tasks Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 032/114] x86/unwind/orc: Prevent unwinding before ORC initialization Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 033/114] x86/unwind/orc: Fix error path for bad ORC entry type Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 034/114] netfilter: nat: never update the UDP checksum when its 0 Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 035/114] objtool: Fix stack offset tracking for indirect CFAs Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 036/114] scripts/decodecode: fix trapping instruction formatting Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 037/114] net: ipv6: add net argument to ip6_dst_lookup_flow Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 038/114] net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 039/114] blktrace: fix unlocked access to init/start-stop/teardown Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 040/114] blktrace: fix trace mutex deadlock Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 041/114] blktrace: Protect q->blk_trace with RCU Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 042/114] blktrace: fix dereference after null check Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 043/114] f2fs: introduce read_inline_xattr Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 044/114] f2fs: introduce read_xattr_block Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 045/114] f2fs: sanity check of xattr entry size Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 046/114] f2fs: fix to avoid accessing xattr across the boundary Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 047/114] f2fs: fix to avoid memory leakage in f2fs_listxattr Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 048/114] net: stmmac: Use mutex instead of spinlock Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 049/114] shmem: fix possible deadlocks on shmlock_user_lock Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 050/114] net/sonic: Fix a resource leak in an error handling path in jazz_sonic_probe() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 051/114] net: moxa: Fix a potential double free_irq() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 052/114] drop_monitor: work around gcc-10 stringop-overflow warning Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 053/114] virtio-blk: handle block_device_operations callbacks after hot unplug Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 054/114] scsi: sg: add sg_remove_request in sg_write Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 055/114] dmaengine: pch_dma.c: Avoid data race between probe and irq handler Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 056/114] dmaengine: mmp_tdma: Reset channel error on release Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 057/114] cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 058/114] ALSA: hda/hdmi: fix race in monitor detection during probe Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 059/114] drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 060/114] ipc/util.c: sysvipc_find_ipc() incorrectly updates position index Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 061/114] ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 062/114] x86/entry/64: Fix unwind hints in register clearing code Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 063/114] ipmi: Fix NULL pointer dereference in ssif_probe Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 064/114] pinctrl: baytrail: Enable pin configuration setting for GPIO chip Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 065/114] pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 066/114] i40iw: Fix error handling in i40iw_manage_arp_cache() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 067/114] netfilter: conntrack: avoid gcc-10 zero-length-bounds warning Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 068/114] IB/mlx4: Test return value of calls to ib_get_cached_pkey Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 069/114] hwmon: (da9052) Synchronize access with mfd Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 070/114] pnp: Use list_for_each_entry() instead of open coding Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 071/114] gcc-10 warnings: fix low-hanging fruit Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 072/114] kbuild: compute false-positive -Wmaybe-uninitialized cases in Kconfig Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 073/114] Stop the ad-hoc games with -Wno-maybe-initialized Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 074/114] gcc-10: disable zero-length-bounds warning for now Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 075/114] gcc-10: disable array-bounds " Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 076/114] gcc-10: disable stringop-overflow " Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 077/114] gcc-10: disable restrict " Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 078/114] gcc-10: avoid shadowing standard library free() in crypto Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 079/114] x86/asm: Add instruction suffixes to bitops Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 080/114] net: phy: micrel: Use strlcpy() for ethtool::get_strings Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 081/114] net: fix a potential recursive NETDEV_FEAT_CHANGE Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 082/114] netlabel: cope with NULL catmap Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 083/114] net: phy: fix aneg restart in phy_ethtool_set_eee Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 084/114] Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu" Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 085/114] hinic: fix a bug of ndo_stop Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 086/114] net: dsa: loop: Add module soft dependency Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 087/114] net: ipv4: really enforce backoff for redirects Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 088/114] netprio_cgroup: Fix unlimited memory leak of v2 cgroups Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 089/114] net: tcp: fix rx timestamp behavior for tcp_recvmsg Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 090/114] ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 091/114] ALSA: rawmidi: Initialize allocated buffers Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 092/114] ALSA: rawmidi: Fix racy buffer resize under concurrent accesses Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 093/114] ARM: dts: dra7: Fix bus_dma_limit for PCIe Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 094/114] ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 095/114] x86: Fix early boot crash on gcc-10, third try Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 096/114] ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 097/114] usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 098/114] usb: host: xhci-plat: keep runtime active when removing host Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 099/114] USB: gadget: fix illegal array access in binding with UDC Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 100/114] usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 101/114] x86/unwind/orc: Fix error handling in __unwind_start() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 102/114] exec: Move would_dump into flush_old_exec Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 103/114] clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 104/114] usb: gadget: net2272: Fix a memory leak in an error handling path in net2272_plat_probe() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 105/114] usb: gadget: audio: Fix a missing error return value in audio_bind() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 106/114] usb: gadget: legacy: fix error return code in gncm_bind() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 107/114] usb: gadget: legacy: fix error return code in cdc_bind() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 108/114] Revert "ALSA: hda/realtek: Fix pop noise on ALC225" Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 109/114] arm64: dts: rockchip: Replace RK805 PMIC node name with "pmic" on rk3328 boards Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 110/114] arm64: dts: rockchip: Rename dwc3 device nodes on rk3399 to make dtc happy Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 111/114] ARM: dts: r8a73a4: Add missing CMT1 interrupts Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 112/114] ARM: dts: r8a7740: Add missing extal2 to CPG node Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 113/114] KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 114/114] Makefile: disallow data races on gcc-10 as well Greg Kroah-Hartman
2020-05-19 8:15 ` [PATCH 4.14 000/114] 4.14.181-rc1 review Naresh Kamboju
2020-05-19 8:49 ` Jon Hunter
2020-05-19 15:05 ` shuah
2020-05-19 16:28 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200518173504.443663488@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).