Eric Dumazet
dfd2f0eb23
net/sched: flower: fix fl_change() error recovery path ...
The two "goto errout;" paths in fl_change() became wrong
after cited commit.
Indeed we only must not call __fl_put() until the net pointer
has been set in tcf_exts_init_ex()
This is a minimal fix. We might in the future validate TCA_FLOWER_FLAGS
before we allocate @fnew.
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
BUG: KASAN: null-ptr-deref in refcount_read include/linux/refcount.h:147 [inline]
BUG: KASAN: null-ptr-deref in __refcount_add_not_zero include/linux/refcount.h:152 [inline]
BUG: KASAN: null-ptr-deref in __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
BUG: KASAN: null-ptr-deref in refcount_inc_not_zero include/linux/refcount.h:245 [inline]
BUG: KASAN: null-ptr-deref in maybe_get_net include/net/net_namespace.h:269 [inline]
BUG: KASAN: null-ptr-deref in tcf_exts_get_net include/net/pkt_cls.h:260 [inline]
BUG: KASAN: null-ptr-deref in __fl_put net/sched/cls_flower.c:513 [inline]
BUG: KASAN: null-ptr-deref in __fl_put+0x13e/0x3b0 net/sched/cls_flower.c:508
Read of size 4 at addr 000000000000014c by task syz-executor548/5082
CPU: 0 PID: 5082 Comm: syz-executor548 Not tainted 6.2.0-syzkaller-05251-g5b7c4cabbb65 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_report mm/kasan/report.c:420 [inline]
kasan_report+0xec/0x130 mm/kasan/report.c:517
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x141/0x190 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
refcount_read include/linux/refcount.h:147 [inline]
__refcount_add_not_zero include/linux/refcount.h:152 [inline]
__refcount_inc_not_zero include/linux/refcount.h:227 [inline]
refcount_inc_not_zero include/linux/refcount.h:245 [inline]
maybe_get_net include/net/net_namespace.h:269 [inline]
tcf_exts_get_net include/net/pkt_cls.h:260 [inline]
__fl_put net/sched/cls_flower.c:513 [inline]
__fl_put+0x13e/0x3b0 net/sched/cls_flower.c:508
fl_change+0x101b/0x4ab0 net/sched/cls_flower.c:2341
tc_new_tfilter+0x97c/0x2290 net/sched/cls_api.c:2310
rtnetlink_rcv_msg+0x996/0xd50 net/core/rtnetlink.c:6165
netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:722 [inline]
sock_sendmsg+0xde/0x190 net/socket.c:745
____sys_sendmsg+0x334/0x900 net/socket.c:2504
___sys_sendmsg+0x110/0x1b0 net/socket.c:2558
__sys_sendmmsg+0x18f/0x460 net/socket.c:2644
__do_sys_sendmmsg net/socket.c:2673 [inline]
__se_sys_sendmmsg net/socket.c:2670 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2670
Fixes: 08a0063df3ae ("net/sched: flower: Move filter handle initialization earlier")
Reported-by: syzbot+baabf3efa7c1e57d28b2@syzkaller.appspotmail.com
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Paul Blakey <paulb@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-03-01 08:49:54 +00:00
2023-02-27 12:16:34 +00:00
2022-12-09 09:18:07 +00:00
2023-03-01 08:19:09 +00:00
2022-12-09 09:18:07 +00:00
2023-02-10 16:23:03 -08:00
2023-02-13 20:09:01 -08:00
2022-12-13 15:47:48 -08:00
2023-02-16 10:39:28 +01:00
2022-12-09 09:18:07 +00:00
2022-12-09 09:18:07 +00:00
2023-01-24 10:30:54 +01:00
2023-02-26 18:27:45 +00:00
2023-02-16 10:39:28 +01:00
2023-02-26 18:27:45 +00:00
2022-12-09 09:18:07 +00:00
2023-02-26 18:27:45 +00:00
2022-12-09 09:18:07 +00:00
2022-12-09 09:18:07 +00:00
2022-12-09 09:18:07 +00:00
2022-12-09 09:18:07 +00:00
2022-12-09 09:18:07 +00:00
2023-02-26 14:51:25 +00:00
2022-12-09 09:18:07 +00:00
2022-12-09 09:18:07 +00:00
2022-12-09 09:18:07 +00:00
2022-12-25 13:38:09 -08:00
2023-03-01 08:49:54 +00:00
2022-12-09 09:18:07 +00:00
2023-02-14 11:00:01 +01:00
2022-12-09 09:18:07 +00:00
2022-12-09 09:18:07 +00:00
2020-07-13 17:20:40 -07:00
2020-11-10 17:00:28 -08:00
2020-07-03 14:34:53 -07:00
2020-07-03 14:34:53 -07:00
2022-05-16 10:31:06 +01:00
2021-02-06 11:15:28 -08:00
2022-12-19 09:43:18 +00:00
2023-02-16 09:27:07 +01:00
2023-02-16 09:27:07 +01:00
2023-02-13 09:51:59 +00:00
2020-07-16 16:48:34 -07:00
2023-02-01 20:54:27 -08:00
2022-09-22 17:34:10 -07:00
2022-11-18 02:15:15 +01:00
2022-09-01 08:06:45 +02:00
2022-09-22 17:34:10 -07:00
2022-09-01 20:08:32 -07:00
2022-09-22 17:34:10 -07:00
2021-10-01 14:59:10 -07:00
2022-10-19 13:47:09 +01:00
2022-09-01 08:06:45 +02:00
2022-09-01 08:06:45 +02:00
2021-12-31 14:35:40 +00:00
2022-09-01 12:58:02 -07:00
2023-01-18 20:28:25 -08:00
2022-09-22 17:34:10 -07:00
2022-09-01 08:06:45 +02:00
2023-02-07 23:38:53 -08:00
2022-09-22 17:34:10 -07:00
2023-02-06 10:06:44 +00:00
2023-02-06 10:06:44 +00:00
2023-02-06 10:06:44 +00:00
2022-09-22 17:34:10 -07:00
2022-11-18 02:15:15 +01:00
2022-10-11 17:42:58 -06:00
2022-09-01 08:06:45 +02:00
2022-09-22 17:34:10 -07:00
2022-09-22 17:34:10 -07:00
2022-10-31 11:55:39 +00:00
2022-10-20 17:24:59 -07:00
2022-09-22 17:34:10 -07:00
2022-09-22 17:34:10 -07:00
2023-02-20 08:46:57 +01:00
2022-09-22 17:34:10 -07:00
2022-08-25 15:10:17 +02:00
dfd2f0eb23