From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Pavel Tikhomirov <ptikhomirov@virtuozzo.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 17/47] net: sched: sch_teql: fix null-pointer dereference
Date: Thu, 15 Apr 2021 16:47:09 +0200 [thread overview]
Message-ID: <20210415144414.017068339@linuxfoundation.org> (raw)
In-Reply-To: <20210415144413.487943796@linuxfoundation.org>
From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
commit 1ffbc7ea91606e4abd10eb60de5367f1c86daf5e upstream.
Reproduce:
modprobe sch_teql
tc qdisc add dev teql0 root teql0
This leads to (for instance in Centos 7 VM) OOPS:
[ 532.366633] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
[ 532.366733] IP: [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
[ 532.366825] PGD 80000001376d5067 PUD 137e37067 PMD 0
[ 532.366906] Oops: 0000 [#1] SMP
[ 532.366987] Modules linked in: sch_teql ...
[ 532.367945] CPU: 1 PID: 3026 Comm: tc Kdump: loaded Tainted: G ------------ T 3.10.0-1062.7.1.el7.x86_64 #1
[ 532.368041] Hardware name: Virtuozzo KVM, BIOS 1.11.0-2.vz7.2 04/01/2014
[ 532.368125] task: ffff8b7d37d31070 ti: ffff8b7c9fdbc000 task.ti: ffff8b7c9fdbc000
[ 532.368224] RIP: 0010:[<ffffffffc06124a8>] [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
[ 532.368320] RSP: 0018:ffff8b7c9fdbf8e0 EFLAGS: 00010286
[ 532.368394] RAX: ffffffffc0612490 RBX: ffff8b7cb1565e00 RCX: ffff8b7d35ba2000
[ 532.368476] RDX: ffff8b7d35ba2000 RSI: 0000000000000000 RDI: ffff8b7cb1565e00
[ 532.368557] RBP: ffff8b7c9fdbf8f8 R08: ffff8b7d3fd1f140 R09: ffff8b7d3b001600
[ 532.368638] R10: ffff8b7d3b001600 R11: ffffffff84c7d65b R12: 00000000ffffffd8
[ 532.368719] R13: 0000000000008000 R14: ffff8b7d35ba2000 R15: ffff8b7c9fdbf9a8
[ 532.368800] FS: 00007f6a4e872740(0000) GS:ffff8b7d3fd00000(0000) knlGS:0000000000000000
[ 532.368885] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 532.368961] CR2: 00000000000000a8 CR3: 00000001396ee000 CR4: 00000000000206e0
[ 532.369046] Call Trace:
[ 532.369159] [<ffffffff84c8192e>] qdisc_create+0x36e/0x450
[ 532.369268] [<ffffffff846a9b49>] ? ns_capable+0x29/0x50
[ 532.369366] [<ffffffff849afde2>] ? nla_parse+0x32/0x120
[ 532.369442] [<ffffffff84c81b4c>] tc_modify_qdisc+0x13c/0x610
[ 532.371508] [<ffffffff84c693e7>] rtnetlink_rcv_msg+0xa7/0x260
[ 532.372668] [<ffffffff84907b65>] ? sock_has_perm+0x75/0x90
[ 532.373790] [<ffffffff84c69340>] ? rtnl_newlink+0x890/0x890
[ 532.374914] [<ffffffff84c8da7b>] netlink_rcv_skb+0xab/0xc0
[ 532.376055] [<ffffffff84c63708>] rtnetlink_rcv+0x28/0x30
[ 532.377204] [<ffffffff84c8d400>] netlink_unicast+0x170/0x210
[ 532.378333] [<ffffffff84c8d7a8>] netlink_sendmsg+0x308/0x420
[ 532.379465] [<ffffffff84c2f3a6>] sock_sendmsg+0xb6/0xf0
[ 532.380710] [<ffffffffc034a56e>] ? __xfs_filemap_fault+0x8e/0x1d0 [xfs]
[ 532.381868] [<ffffffffc034a75c>] ? xfs_filemap_fault+0x2c/0x30 [xfs]
[ 532.383037] [<ffffffff847ec23a>] ? __do_fault.isra.61+0x8a/0x100
[ 532.384144] [<ffffffff84c30269>] ___sys_sendmsg+0x3e9/0x400
[ 532.385268] [<ffffffff847f3fad>] ? handle_mm_fault+0x39d/0x9b0
[ 532.386387] [<ffffffff84d88678>] ? __do_page_fault+0x238/0x500
[ 532.387472] [<ffffffff84c31921>] __sys_sendmsg+0x51/0x90
[ 532.388560] [<ffffffff84c31972>] SyS_sendmsg+0x12/0x20
[ 532.389636] [<ffffffff84d8dede>] system_call_fastpath+0x25/0x2a
[ 532.390704] [<ffffffff84d8de21>] ? system_call_after_swapgs+0xae/0x146
[ 532.391753] Code: 00 00 00 00 00 00 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 55 41 54 53 48 8b b7 48 01 00 00 48 89 fb <48> 8b 8e a8 00 00 00 48 85 c9 74 43 48 89 ca eb 0f 0f 1f 80 00
[ 532.394036] RIP [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
[ 532.395127] RSP <ffff8b7c9fdbf8e0>
[ 532.396179] CR2: 00000000000000a8
Null pointer dereference happens on master->slaves dereference in
teql_destroy() as master is null-pointer.
When qdisc_create() calls teql_qdisc_init() it imediately fails after
check "if (m->dev == dev)" because both devices are teql0, and it does
not set qdisc_priv(sch)->m leaving it zero on error path, then
qdisc_create() imediately calls teql_destroy() which does not expect
zero master pointer and we get OOPS.
Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_teql.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/sched/sch_teql.c
+++ b/net/sched/sch_teql.c
@@ -138,6 +138,9 @@ teql_destroy(struct Qdisc *sch)
struct teql_sched_data *dat = qdisc_priv(sch);
struct teql_master *master = dat->m;
+ if (!master)
+ return;
+
prev = master->slaves;
if (prev) {
do {
next prev parent reply other threads:[~2021-04-15 14:52 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-15 14:46 [PATCH 4.9 00/47] 4.9.267-rc1 review Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 01/47] ARM: 8723/2: always assume the "unified" syntax for assembly code Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 02/47] iio: hid-sensor-prox: Fix scale not correct issue Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 03/47] ALSA: aloop: Fix initialization of controls Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 04/47] ASoC: intel: atom: Stop advertising non working S24LE support Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 05/47] nfc: fix refcount leak in llcp_sock_bind() Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 06/47] nfc: fix refcount leak in llcp_sock_connect() Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 07/47] nfc: fix memory " Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 08/47] nfc: Avoid endless loops caused by repeated llcp_sock_connect() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 09/47] xen/evtchn: Change irq_info lock to raw_spinlock_t Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 10/47] net: ipv6: check for validity before dereferencing cfg->fc_nlinfo.nlh Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 11/47] ia64: fix user_stack_pointer() for ptrace() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 12/47] ocfs2: fix deadlock between setattr and dio_end_io_write Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 13/47] fs: direct-io: fix missing sdio->boundary Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 14/47] parisc: parisc-agp requires SBA IOMMU driver Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 15/47] parisc: avoid a warning on u8 cast for cmpxchg on u8 pointers Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 16/47] batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field Greg Kroah-Hartman
2021-04-15 14:47 ` Greg Kroah-Hartman [this message]
2021-04-15 14:47 ` [PATCH 4.9 18/47] sch_red: fix off-by-one checks in red_check_params() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 19/47] gianfar: Handle error code at MAC address change Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 20/47] net:tipc: Fix a double free in tipc_sk_mcast_rcv Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 21/47] soc/fsl: qbman: fix conflicting alignment attributes Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 22/47] clk: fix invalid usage of list cursor in unregister Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 23/47] workqueue: Move the position of debug_work_activate() in __queue_work() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 24/47] s390/cpcmd: fix inline assembly register clobbering Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 25/47] RDMA/cxgb4: check for ipv6 address properly while destroying listener Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 26/47] clk: socfpga: fix iomem pointer cast on 64-bit Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 27/47] mm: add cond_resched() in gather_pte_stats() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 28/47] usbip: fix vudc usbip_sockfd_store races leading to gpf Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 29/47] cfg80211: remove WARN_ON() in cfg80211_sme_connect Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 30/47] net: tun: set tun->dev->addr_len during TUNSETLINK processing Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 31/47] drivers: net: fix memory leak in atusb_probe Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 32/47] drivers: net: fix memory leak in peak_usb_create_dev Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 33/47] net: mac802154: Fix general protection fault Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 34/47] net: ieee802154: nl-mac: fix check on panid Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 35/47] net: ieee802154: fix nl802154 del llsec key Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 36/47] net: ieee802154: fix nl802154 del llsec dev Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 37/47] net: ieee802154: fix nl802154 add llsec key Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 38/47] net: ieee802154: fix nl802154 del llsec devkey Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 39/47] net: ieee802154: forbid monitor for set llsec params Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 40/47] net: ieee802154: forbid monitor for del llsec seclevel Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 41/47] net: ieee802154: stop dump llsec params for monitors Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 42/47] Revert "cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath." Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 43/47] drm/imx: imx-ldb: fix out of bounds array access warning Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 44/47] gfs2: report "already frozen/thawed" errors Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 45/47] netfilter: x_tables: fix compat match/target pad out-of-bound write Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 46/47] perf map: Tighten snprintf() string precision to pass gcc check on some 32-bit arches Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 47/47] xen/events: fix setting irq affinity Greg Kroah-Hartman
2021-04-15 22:44 ` [PATCH 4.9 00/47] 4.9.267-rc1 review Shuah Khan
2021-04-16 0:59 ` Florian Fainelli
2021-04-16 11:50 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210415144414.017068339@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ptikhomirov@virtuozzo.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).