iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net/sched
History
Pavel Tikhomirov 1ffbc7ea91 net: sched: sch_teql: fix null-pointer dereference 
Reproduce:

  modprobe sch_teql
  tc qdisc add dev teql0 root teql0

This leads to (for instance in Centos 7 VM) OOPS:

[  532.366633] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
[  532.366733] IP: [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
[  532.366825] PGD 80000001376d5067 PUD 137e37067 PMD 0
[  532.366906] Oops: 0000 [#1] SMP
[  532.366987] Modules linked in: sch_teql ...
[  532.367945] CPU: 1 PID: 3026 Comm: tc Kdump: loaded Tainted: G               ------------ T 3.10.0-1062.7.1.el7.x86_64 #1
[  532.368041] Hardware name: Virtuozzo KVM, BIOS 1.11.0-2.vz7.2 04/01/2014
[  532.368125] task: ffff8b7d37d31070 ti: ffff8b7c9fdbc000 task.ti: ffff8b7c9fdbc000
[  532.368224] RIP: 0010:[<ffffffffc06124a8>]  [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
[  532.368320] RSP: 0018:ffff8b7c9fdbf8e0  EFLAGS: 00010286
[  532.368394] RAX: ffffffffc0612490 RBX: ffff8b7cb1565e00 RCX: ffff8b7d35ba2000
[  532.368476] RDX: ffff8b7d35ba2000 RSI: 0000000000000000 RDI: ffff8b7cb1565e00
[  532.368557] RBP: ffff8b7c9fdbf8f8 R08: ffff8b7d3fd1f140 R09: ffff8b7d3b001600
[  532.368638] R10: ffff8b7d3b001600 R11: ffffffff84c7d65b R12: 00000000ffffffd8
[  532.368719] R13: 0000000000008000 R14: ffff8b7d35ba2000 R15: ffff8b7c9fdbf9a8
[  532.368800] FS:  00007f6a4e872740(0000) GS:ffff8b7d3fd00000(0000) knlGS:0000000000000000
[  532.368885] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  532.368961] CR2: 00000000000000a8 CR3: 00000001396ee000 CR4: 00000000000206e0
[  532.369046] Call Trace:
[  532.369159]  [<ffffffff84c8192e>] qdisc_create+0x36e/0x450
[  532.369268]  [<ffffffff846a9b49>] ? ns_capable+0x29/0x50
[  532.369366]  [<ffffffff849afde2>] ? nla_parse+0x32/0x120
[  532.369442]  [<ffffffff84c81b4c>] tc_modify_qdisc+0x13c/0x610
[  532.371508]  [<ffffffff84c693e7>] rtnetlink_rcv_msg+0xa7/0x260
[  532.372668]  [<ffffffff84907b65>] ? sock_has_perm+0x75/0x90
[  532.373790]  [<ffffffff84c69340>] ? rtnl_newlink+0x890/0x890
[  532.374914]  [<ffffffff84c8da7b>] netlink_rcv_skb+0xab/0xc0
[  532.376055]  [<ffffffff84c63708>] rtnetlink_rcv+0x28/0x30
[  532.377204]  [<ffffffff84c8d400>] netlink_unicast+0x170/0x210
[  532.378333]  [<ffffffff84c8d7a8>] netlink_sendmsg+0x308/0x420
[  532.379465]  [<ffffffff84c2f3a6>] sock_sendmsg+0xb6/0xf0
[  532.380710]  [<ffffffffc034a56e>] ? __xfs_filemap_fault+0x8e/0x1d0 [xfs]
[  532.381868]  [<ffffffffc034a75c>] ? xfs_filemap_fault+0x2c/0x30 [xfs]
[  532.383037]  [<ffffffff847ec23a>] ? __do_fault.isra.61+0x8a/0x100
[  532.384144]  [<ffffffff84c30269>] ___sys_sendmsg+0x3e9/0x400
[  532.385268]  [<ffffffff847f3fad>] ? handle_mm_fault+0x39d/0x9b0
[  532.386387]  [<ffffffff84d88678>] ? __do_page_fault+0x238/0x500
[  532.387472]  [<ffffffff84c31921>] __sys_sendmsg+0x51/0x90
[  532.388560]  [<ffffffff84c31972>] SyS_sendmsg+0x12/0x20
[  532.389636]  [<ffffffff84d8dede>] system_call_fastpath+0x25/0x2a
[  532.390704]  [<ffffffff84d8de21>] ? system_call_after_swapgs+0xae/0x146
[  532.391753] Code: 00 00 00 00 00 00 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 55 41 54 53 48 8b b7 48 01 00 00 48 89 fb <48> 8b 8e a8 00 00 00 48 85 c9 74 43 48 89 ca eb 0f 0f 1f 80 00
[  532.394036] RIP  [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
[  532.395127]  RSP <ffff8b7c9fdbf8e0>
[  532.396179] CR2: 00000000000000a8

Null pointer dereference happens on master->slaves dereference in
teql_destroy() as master is null-pointer.

When qdisc_create() calls teql_qdisc_init() it imediately fails after
check "if (m->dev == dev)" because both devices are teql0, and it does
not set qdisc_priv(sch)->m leaving it zero on error path, then
qdisc_create() imediately calls teql_destroy() which does not expect
zero master pointer and we get OOPS.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-04-08 14:14:42 -07:00
..
act_api.c
net: sched: fix err handler in tcf_action_init()
2021-04-08 13:47:33 -07:00
act_bpf.c
net: sched: fix misspellings using misspell-fixer tool
2020-11-10 17:00:28 -08:00
act_connmark.c
net_sched: defer tcf_idr_insert() in tcf_action_init_1()
2020-09-24 19:46:21 -07:00
act_csum.c
net_sched: defer tcf_idr_insert() in tcf_action_init_1()
2020-09-24 19:46:21 -07:00
act_ct.c
net/sched: act_ct: clear post_ct if doing ct_clear
2021-03-23 14:32:26 -07:00
act_ctinfo.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2020-10-05 18:40:01 -07:00
act_gact.c
net_sched: defer tcf_idr_insert() in tcf_action_init_1()
2020-09-24 19:46:21 -07:00
act_gate.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2020-10-05 18:40:01 -07:00
act_ife.c
net_sched: defer tcf_idr_insert() in tcf_action_init_1()
2020-09-24 19:46:21 -07:00
act_ipt.c
treewide: rename nla_strlcpy to nla_strscpy.
2020-11-16 08:08:54 -08:00
act_meta_mark.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
act_meta_skbprio.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
act_meta_skbtcindex.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
act_mirred.c
net/sched: sch_frag: add generic packet fragment support.
2020-11-27 14:36:02 -08:00
act_mpls.c
net/sched: act_mpls: ensure LSE is pullable before reading it
2020-12-03 11:13:37 -08:00
act_nat.c
net_sched: defer tcf_idr_insert() in tcf_action_init_1()
2020-09-24 19:46:21 -07:00
act_pedit.c
net_sched: defer tcf_idr_insert() in tcf_action_init_1()
2020-09-24 19:46:21 -07:00
act_police.c
net_sched: defer tcf_idr_insert() in tcf_action_init_1()
2020-09-24 19:46:21 -07:00
act_sample.c
net_sched: defer tcf_idr_insert() in tcf_action_init_1()
2020-09-24 19:46:21 -07:00
act_simple.c
treewide: rename nla_strlcpy to nla_strscpy.
2020-11-16 08:08:54 -08:00
act_skbedit.c
net_sched: defer tcf_idr_insert() in tcf_action_init_1()
2020-09-24 19:46:21 -07:00
act_skbmod.c
net_sched: defer tcf_idr_insert() in tcf_action_init_1()
2020-09-24 19:46:21 -07:00
act_tunnel_key.c
net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels
2020-10-20 21:10:41 -07:00
act_vlan.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2020-10-05 18:40:01 -07:00
cls_api.c
net: sched: fix err handler in tcf_action_init()
2021-04-08 13:47:33 -07:00
cls_basic.c
net_sched: fix ops->bind_class() implementations
2020-01-27 10:51:43 +01:00
cls_bpf.c
net_sched: fix ops->bind_class() implementations
2020-01-27 10:51:43 +01:00
cls_cgroup.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
cls_flow.c
Remove uninitialized_var() macro for v5.9-rc1
2020-08-04 13:49:43 -07:00
cls_flower.c
net/sched: cls_flower: fix only mask bit check in the validate_ct_state
2021-03-17 11:56:25 -07:00
cls_fw.c
net_sched: fix ops->bind_class() implementations
2020-01-27 10:51:43 +01:00
cls_matchall.c
net: qos offload add flow status with dropped count
2020-06-19 12:53:30 -07:00
cls_route.c
net_sched: cls_route: remove the right filter from hashtable
2020-03-16 01:59:32 -07:00
cls_rsvp6.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
cls_rsvp.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
cls_rsvp.h
net: sched: fix misspellings using misspell-fixer tool
2020-11-10 17:00:28 -08:00
cls_tcindex.c
net_sched: avoid shift-out-of-bounds in tcindex_set_parms()
2021-01-15 18:11:10 -08:00
cls_u32.c
net/sched: cls_u32: simplify the return expression of u32_reoffload_knode()
2020-12-08 16:22:53 -08:00
em_canid.c
net: sched: kerneldoc fixes
2020-07-13 17:20:40 -07:00
em_cmp.c
net: sched: fix misspellings using misspell-fixer tool
2020-11-10 17:00:28 -08:00
em_ipset.c
sched: consistently handle layer3 header accesses in the presence of VLANs
2020-07-03 14:34:53 -07:00
em_ipt.c
sched: consistently handle layer3 header accesses in the presence of VLANs
2020-07-03 14:34:53 -07:00
em_meta.c
sched: consistently handle layer3 header accesses in the presence of VLANs
2020-07-03 14:34:53 -07:00
em_nbyte.c
net: sched: Return the correct errno code
2021-02-06 11:15:28 -08:00
em_text.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
em_u32.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
ematch.c
net: sched: kerneldoc fixes
2020-07-13 17:20:40 -07:00
Kconfig
net: sched: incorrect Kconfig dependencies on Netfilter modules
2020-12-09 15:49:29 -08:00
Makefile
net/sched: sch_frag: add generic packet fragment support.
2020-11-27 14:36:02 -08:00
sch_api.c
net: sched: avoid duplicates in classes dump
2021-03-04 14:27:47 -08:00
sch_atm.c
net: sched: Add extack to Qdisc_class_ops.delete
2021-01-22 20:41:29 -08:00
sch_blackhole.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_cake.c
treewide: Use fallthrough pseudo-keyword
2020-08-23 17:36:59 -05:00
sch_cbq.c
net: sched: Add extack to Qdisc_class_ops.delete
2021-01-22 20:41:29 -08:00
sch_cbs.c
net: don't include ethtool.h from netdevice.h
2020-11-23 17:27:04 -08:00
sch_choke.c
net: sched: validate stab values
2021-03-10 15:47:52 -08:00
sch_codel.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_drr.c
net: sched: Add extack to Qdisc_class_ops.delete
2021-01-22 20:41:29 -08:00
sch_dsmark.c
net: sched: Add extack to Qdisc_class_ops.delete
2021-01-22 20:41:29 -08:00
sch_etf.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_ets.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_fifo.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_fq_codel.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2020-08-05 20:13:21 -07:00
sch_fq_pie.c
net/sched: fq_pie: initialize timer earlier in fq_pie_init()
2020-12-04 14:15:01 -08:00
sch_fq.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_frag.c
net/sched: sch_frag: add generic packet fragment support.
2020-11-27 14:36:02 -08:00
sch_generic.c
net/sched: get rid of qdisc->padded
2020-10-09 08:08:08 -07:00
sch_gred.c
net: sched: validate stab values
2021-03-10 15:47:52 -08:00
sch_hfsc.c
net: sched: Add extack to Qdisc_class_ops.delete
2021-01-22 20:41:29 -08:00
sch_hhf.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_htb.c
sch_htb: fix null pointer dereference on a null new_q
2021-03-30 13:50:03 -07:00
sch_ingress.c
net: sched: Pass ingress block to tcf_classify_ingress
2020-02-19 17:49:48 -08:00
sch_mq.c
net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues
2019-12-03 11:53:55 -08:00
sch_mqprio.c
mqprio: Fix out-of-bounds access in mqprio_dump
2019-12-06 11:58:45 -08:00
sch_multiq.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_netem.c
netem: fix zero division in tabledist
2020-10-29 11:45:47 -07:00
sch_pie.c
net: sched: fix misspellings using misspell-fixer tool
2020-11-10 17:00:28 -08:00
sch_plug.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_prio.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_qfq.c
net: sched: Add extack to Qdisc_class_ops.delete
2021-01-22 20:41:29 -08:00
sch_red.c
net: sched: validate stab values
2021-03-10 15:47:52 -08:00
sch_sfb.c
net: sched: Add extack to Qdisc_class_ops.delete
2021-01-22 20:41:29 -08:00
sch_sfq.c
net: sched: validate stab values
2021-03-10 15:47:52 -08:00
sch_skbprio.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_taprio.c
taprio: boolean values to a bool variable
2021-01-19 17:43:48 -08:00
sch_tbf.c
Revert "net: sched: Pass root lock to Qdisc_ops.enqueue"
2020-07-16 16:48:34 -07:00
sch_teql.c
net: sched: sch_teql: fix null-pointer dereference
2021-04-08 14:14:42 -07:00