iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet 9aa2c8807b sch_choke: avoid potential panic in choke_reset() 
[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ]

If choke_init() could not allocate q->tab, we would crash later
in choke_reset().

BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline]
BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326
Write of size 8 at addr 0000000000000000 by task syz-executor822/7022

CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x141/0x190 mm/kasan/generic.c:193
 memset+0x20/0x40 mm/kasan/common.c:85
 memset include/linux/string.h:366 [inline]
 choke_reset+0x208/0x340 net/sched/sch_choke.c:326
 qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910
 dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138
 netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline]
 dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195
 dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233
 qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051
 tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
 ___sys_sendmsg+0x100/0x170 net/socket.c:2416
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2449
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295

Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-20 08:11:30 +02:00
..
6lowpan
6lowpan: Off by one handling ->nexthdr
2020-01-29 10:21:42 +01:00
9p
9p/virtio: Add cleanup path in p9_virtio_init
2019-08-04 09:34:51 +02:00
802
8021q
vlan: fix memory leak in vlan_dev_set_egress_priority
2020-01-12 11:22:52 +01:00
appletalk
appletalk: Set error code if register_snap_client failed
2019-12-21 10:35:03 +01:00
atm
net: atm: Fix potential Spectre v1 vulnerabilities
2019-04-27 09:33:59 +02:00
ax25
ax25: enforce CAP_NET_RAW for raw sockets
2019-10-05 12:27:43 +02:00
batman-adv
batman-adv: replace WARN with rate limited output on non-existing VLAN
2020-05-10 10:26:02 +02:00
bluetooth
Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl
2020-04-13 10:31:34 +02:00
bridge
bridge: Fix problems around fdb entries pointing to the bridge device
2020-05-10 10:26:35 +02:00
caif
net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
2018-09-05 09:18:34 +02:00
can
can: purge socket error queue on sock destruct
2019-07-10 09:56:33 +02:00
ceph
libceph: handle an empty authorize reply
2019-03-23 08:44:18 +01:00
core
net: skbuff: Remove errornous length validation in skb_vlan_pop()
2020-05-10 10:26:35 +02:00
dcb
net: dcb: For wild-card lookups, use priority -1, not 0
2018-09-19 22:48:58 +02:00
dccp
dccp: limit sk_filter trim to payload
2020-05-10 10:25:51 +02:00
decnet
decnet: fix DN_IFREQ_SIZE
2019-12-05 15:27:07 +01:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2018-07-22 14:25:54 +02:00
dsa
net: dsa: slave: fix of-node leak and phy priority
2020-05-10 10:26:09 +02:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2020-01-12 11:22:45 +01:00
hsr
hsr: set .netnsok flag
2020-04-02 19:02:34 +02:00
ieee802154
nl802154: add missing attribute validation for dev_type
2020-03-20 09:06:19 +01:00
ipv4
net: icmp_route_lookup should use rt dev to determine L3 domain
2020-05-10 10:26:32 +02:00
ipv6
net: icmp6_send should use dst dev to determine L3 domain
2020-05-10 10:26:28 +02:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 14:30:13 +02:00
irda
irda: Free skb on irda_accept error path.
2020-05-10 10:25:58 +02:00
iucv
net/af_iucv: always register net_device notifier
2020-01-29 10:21:45 +01:00
key
xfrm: clean up xfrm protocol checks
2019-09-16 08:13:35 +02:00
l2tp
l2tp: fix use-after-free during module unload
2020-05-10 10:26:31 +02:00
l3mdev
net: Add netif_is_l3_slave
2015-10-07 04:27:43 -07:00
lapb
lapb: fixed leak of control-blocks.
2019-06-22 08:18:25 +02:00
llc
llc: fix sk_buff refcounting in llc_conn_state_process()
2020-01-29 10:21:49 +01:00
mac80211
mac80211: add ieee80211_is_any_nullfunc()
2020-05-10 10:26:36 +02:00
mac802154
net: mac802154: tx: expand tailroom if necessary
2018-09-09 20:04:32 +02:00
mpls
mpls, nospec: Sanitize array index in mpls_label_ok()
2018-03-11 16:19:47 +01:00
netfilter
netfilter: nf_tables: destroy the set if fail to add transaction
2020-05-10 10:26:17 +02:00
netlabel
netlabel: check for IPV4MASK in addrinfo_get
2018-10-20 09:52:36 +02:00
netlink
net: netlink: cap max groups which will be considered in netlink_bind()
2020-03-11 07:51:14 +01:00
netrom
net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node
2020-05-02 17:20:33 +02:00
nfc
NFC: nci: memory leak in nci_core_conn_create()
2020-05-10 10:26:08 +02:00
openvswitch
openvswitch: update checksum in {push,pop}_mpls
2020-05-10 10:26:25 +02:00
packet
packet: fix data-race in fanout_flow_is_huge()
2020-01-29 10:21:50 +01:00
phonet
phonet: fix building with clang
2019-03-23 08:44:34 +01:00
rds
RDS:TCP: Synchronize rds_tcp_accept_one with rds_send_xmit when resetting t_sock
2020-05-10 10:26:01 +02:00
rfkill
rfkill: Fix incorrect check to avoid NULL pointer dereference
2020-01-12 11:22:49 +01:00
rose
net: rose: fix a possible stack overflow
2019-04-03 06:23:25 +02:00
rxrpc
rxrpc: check return value of skb_to_sgvec always
2018-04-13 19:50:23 +02:00
sched
sch_choke: avoid potential panic in choke_reset()
2020-05-20 08:11:30 +02:00
sctp
sctp: Fix SHUTDOWN CTSN Ack in the peer restart case
2020-05-10 10:26:36 +02:00
sunrpc
xprtrdma: Fix backchannel allocation of extra rpcrdma_reps
2020-05-10 10:26:23 +02:00
switchdev
switchdev: pass pointer to fib_info instead of copy
2016-06-24 10:18:16 -07:00
tipc
tipc: fix the error handling in tipc_udp_enable()
2020-05-10 10:26:28 +02:00
unix
net: fix warning in af_unix
2019-11-28 18:25:43 +01:00
vmw_vsock
VSOCK: bind to random port for VMADDR_PORT_ANY
2019-12-05 15:26:49 +01:00
wimax
wireless
nl80211: add missing attribute validation for channel switch
2020-03-20 09:06:23 +01:00
x25
net/x25: Fix x25_neigh refcnt leak when receiving frame
2020-05-02 17:20:33 +02:00
xfrm
xfrm: Fix memory leak of aead algorithm name
2020-05-10 10:26:04 +02:00
compat.c
sock: Make sock->sk_stamp thread-safe
2019-01-13 10:05:28 +01:00
Kconfig
Make DST_CACHE a silent config option
2018-02-25 11:03:37 +01:00
Makefile
socket.c
compat_ioctl: handle SIOCOUTQNSD
2020-01-23 08:18:37 +01:00
sysctl_net.c
net: Use ns_capable_noaudit() when determining net sysctl permissions
2016-09-15 08:27:50 +02:00