iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Taehee Yoo a98c6f4478 sch_dsmark: fix a NULL deref in qdisc_reset() 
[ Upstream commit 9b76eade16423ef06829cccfe3e100cfce31afcd ]

If Qdisc_ops->init() is failed, Qdisc_ops->reset() would be called.
When dsmark_init(Qdisc_ops->init()) is failed, it possibly doesn't
initialize dsmark_qdisc_data->q. But dsmark_reset(Qdisc_ops->reset())
uses dsmark_qdisc_data->q pointer wihtout any null checking.
So, panic would occur.

Test commands:
    sysctl net.core.default_qdisc=dsmark -w
    ip link add dummy0 type dummy
    ip link add vw0 link dummy0 type virt_wifi
    ip link set vw0 up

Splat looks like:
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 3 PID: 684 Comm: ip Not tainted 5.12.0+ #910
RIP: 0010:qdisc_reset+0x2b/0x680
Code: 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 41 57 41 56 41 55 41 54
55 48 89 fd 48 83 c7 18 53 48 89 fa 48 c1 ea 03 48 83 ec 20 <80> 3c 02
00 0f 85 09 06 00 00 4c 8b 65 18 0f 1f 44 00 00 65 8b 1d
RSP: 0018:ffff88800fda6bf8 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: ffff8880050ed800 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffffffff99e34100 RDI: 0000000000000018
RBP: 0000000000000000 R08: fffffbfff346b553 R09: fffffbfff346b553
R10: 0000000000000001 R11: fffffbfff346b552 R12: ffffffffc0824940
R13: ffff888109e83800 R14: 00000000ffffffff R15: ffffffffc08249e0
FS:  00007f5042287680(0000) GS:ffff888119800000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ae1f4dbd90 CR3: 0000000006760002 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ? rcu_read_lock_bh_held+0xa0/0xa0
 dsmark_reset+0x3d/0xf0 [sch_dsmark]
 qdisc_reset+0xa9/0x680
 qdisc_destroy+0x84/0x370
 qdisc_create_dflt+0x1fe/0x380
 attach_one_default_qdisc.constprop.41+0xa4/0x180
 dev_activate+0x4d5/0x8c0
 ? __dev_open+0x268/0x390
 __dev_open+0x270/0x390

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-06-03 08:38:12 +02:00
..
6lowpan
6lowpan: Off by one handling ->nexthdr
2020-01-27 14:50:41 +01:00
9p
net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid
2020-11-05 11:08:44 +01:00
802
8021q
net: vlan: avoid leaks on register_vlan_dev() failures
2021-01-17 14:04:19 +01:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 12:48:49 +02:00
atm
atm: fix a memory leak of vcc->user_back
2020-10-01 13:14:43 +02:00
ax25
AX.25: Prevent integer overflows in connect and sendmsg
2020-07-31 18:37:48 +02:00
batman-adv
batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field
2021-04-14 08:22:33 +02:00
bluetooth
Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
2021-06-03 08:38:08 +02:00
bpf
bpfilter
signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig
2020-01-27 14:50:51 +01:00
bridge
net: bridge: when suppression is enabled exclude RARP packets
2021-05-22 10:59:40 +02:00
caif
net: use skb_queue_empty_lockless() in poll() handlers
2019-11-10 11:27:48 +01:00
can
can: af_can: prevent potential access of uninitialized member in canfd_rcv()
2020-11-24 13:27:22 +01:00
ceph
libceph: clear con->out_msg on Policy::stateful_server faults
2020-11-05 11:08:53 +01:00
core
bpf: Set mac_len in bpf_skb_change_head
2021-06-03 08:38:12 +02:00
dcb
net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
2021-01-23 15:49:56 +01:00
dccp
ipv6: weaken the v4mapped source check
2021-04-07 12:48:47 +02:00
decnet
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
2020-01-04 19:13:37 +01:00
dns_resolver
KEYS: Don't write out to userspace while holding key semaphore
2020-04-23 10:30:24 +02:00
dsa
net: dsa: fix error code getting shifted with 4 in dsa_slave_get_sset_count
2021-06-03 08:38:11 +02:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2020-01-09 10:19:09 +01:00
hsr
hsr: use netdev_err() instead of WARN_ONCE()
2021-05-22 10:59:24 +02:00
ieee802154
net: ieee802154: forbid monitor for add llsec seclevel
2021-04-28 13:16:49 +02:00
ife
ipv4
net: Only allow init netns to set default tcp cong to a restricted algo
2021-05-22 10:59:39 +02:00
ipv6
ipv6: record frag_max_size in atomic fragments in input path
2021-06-03 08:38:12 +02:00
iucv
net/af_iucv: set correct sk_protocol for child sockets
2020-12-08 10:18:52 +01:00
kcm
kcm: switch order of device registration to fix a crash
2019-04-17 08:38:40 +02:00
key
af_key: relax availability checks for skb size calculation
2021-02-13 13:51:14 +01:00
l2tp
l2tp: remove skb_dst_set() from l2tp_xmit_skb()
2020-07-22 09:31:59 +02:00
l3mdev
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:21:06 +01:00
llc
net: silence data-races on sk_backlog.tail
2020-10-01 13:14:26 +02:00
mac80211
mac80211: extend protection against mixed key and fragment cache attacks
2021-06-03 08:38:04 +02:00
mac802154
net: mac802154: Fix general protection fault
2021-04-14 08:22:36 +02:00
mpls
net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0
2021-03-17 16:43:43 +01:00
ncsi
net/ncsi: Avoid channel_monitor hrtimer deadlock
2021-04-14 08:22:35 +02:00
netfilter
netfilter: conntrack: Make global sysctls readonly in non-init netns
2021-05-22 10:59:47 +02:00
netlabel
cipso,calipso: resolve a number of problems with the DOI refcounts
2021-03-17 16:43:44 +01:00
netlink
genetlink: remove genl_bind
2020-07-22 09:31:58 +02:00
netrom
net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node
2020-04-29 16:31:21 +02:00
nfc
NFC: nci: fix memory leak in nci_allocate_device
2021-06-03 08:38:02 +02:00
nsh
openvswitch
openvswitch: meter: fix race when getting now_ms.
2021-06-03 08:38:11 +02:00
packet
net/packet: fix overflow in tpacket_rcv
2020-10-07 08:00:08 +02:00
phonet
net: use skb_queue_empty_lockless() in poll() handlers
2019-11-10 11:27:48 +01:00
psample
net: psample: fix skb_over_panic
2019-12-05 09:21:30 +01:00
qrtr
net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()
2021-03-30 14:37:03 +02:00
rds
net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
2021-02-23 15:00:58 +01:00
rfkill
rfkill: Fix incorrect check to avoid NULL pointer dereference
2020-01-12 12:17:17 +01:00
rose
rose: Fix Null pointer dereference in rose_send_frame()
2020-12-08 10:18:52 +01:00
rxrpc
rxrpc: Fix deadlock around release of dst cached on udp tunnel
2021-02-10 09:21:06 +01:00
sched
sch_dsmark: fix a NULL deref in qdisc_reset()
2021-06-03 08:38:12 +02:00
sctp
sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b
2021-05-22 10:59:43 +02:00
smc
smc: disallow TCP_ULP in smc_setsockopt()
2021-05-22 10:59:44 +02:00
strparser
net: strparser: partially revert "strparser: Call skb_unclone conditionally"
2019-05-16 19:41:27 +02:00
sunrpc
rpc: fix NULL dereference on kmalloc failure
2021-04-07 12:48:47 +02:00
switchdev
tipc
tipc: skb_linearize the head skb when reassembling msgs
2021-06-03 08:38:08 +02:00
tls
net/tls: Protect from calling tls_dev_del for TLS RX twice
2020-12-08 10:18:52 +01:00
unix
skbuff: fix a data race in skb_queue_len()
2020-10-01 13:14:32 +02:00
vmw_vsock
vsock/vmci: log once the failed queue pair allocation
2021-05-22 10:59:37 +02:00
wimax
wireless
cfg80211: mitigate A-MSDU aggregation attacks
2021-06-03 08:38:03 +02:00
x25
net/x25: prevent a couple of overflows
2020-12-08 10:18:54 +01:00
xdp
xsk: Simplify detection of empty and full rings
2021-05-22 10:59:48 +02:00
xfrm
net: xfrm: Localize sequence counter per network namespace
2021-04-14 08:22:34 +02:00
compat.c
net/compat: Add missing sock updates for SCM_RIGHTS
2020-08-21 11:05:32 +02:00
Kconfig
Makefile
socket.c
net: Set fput_needed iff FDPUT_FPUT is set
2020-08-19 08:15:03 +02:00
sysctl_net.c