iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net/sched
History
Eric Dumazet 9aa2c8807b sch_choke: avoid potential panic in choke_reset() 
[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ]

If choke_init() could not allocate q->tab, we would crash later
in choke_reset().

BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline]
BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326
Write of size 8 at addr 0000000000000000 by task syz-executor822/7022

CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x141/0x190 mm/kasan/generic.c:193
 memset+0x20/0x40 mm/kasan/common.c:85
 memset include/linux/string.h:366 [inline]
 choke_reset+0x208/0x340 net/sched/sch_choke.c:326
 qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910
 dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138
 netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline]
 dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195
 dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233
 qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051
 tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
 ___sys_sendmsg+0x100/0x170 net/socket.c:2416
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2449
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295

Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-20 08:11:30 +02:00
..
act_api.c
net: avoid potential infinite loop in tc_ctl_action()
2019-10-29 09:13:22 +01:00
act_bpf.c
net/sched: fix NULL dereference in the error path of tcf_bpf_init()
2018-04-13 19:50:25 +02:00
act_connmark.c
act_connmark: avoid crashing on malformed nlattrs with null parms
2017-03-22 12:04:16 +01:00
act_csum.c
sched: act_csum: don't mangle TCP and UDP GSO packets
2018-03-22 09:23:22 +01:00
act_gact.c
net_sched: act_gact: remove spinlock in fast path
2015-07-08 13:50:42 -07:00
act_ipt.c
net: sched: fix NULL pointer dereference when action calls some targets
2017-08-30 10:19:21 +02:00
act_mirred.c
net_sched: close another race condition in tcf_mirred_release()
2017-05-02 21:19:49 -07:00
act_nat.c
bpf: try harder on clones when writing into skb
2016-07-11 09:31:12 -07:00
act_pedit.c
net/sched: act_pedit: fix WARN() in the traffic path
2019-11-28 18:25:26 +01:00
act_police.c
act_simple.c
net: sched: add percpu stats to actions
2015-07-08 13:50:41 -07:00
act_skbedit.c
net: sched: add percpu stats to actions
2015-07-08 13:50:41 -07:00
act_vlan.c
net/sched: act_vlan: Push skb->data to mac_header prior calling skb_vlan_*() functions
2016-11-15 07:46:37 +01:00
cls_api.c
net, sched: fix soft lockup in tc_classify
2017-01-15 13:41:34 +01:00
cls_basic.c
net, sched: respect rcu grace period on cls destruction
2016-12-10 19:07:23 +01:00
cls_bpf.c
cls_bpf: reset class and reuse major in da
2020-05-10 10:26:18 +02:00
cls_cgroup.c
net, sched: respect rcu grace period on cls destruction
2016-12-10 19:07:23 +01:00
cls_flow.c
net, sched: respect rcu grace period on cls destruction
2016-12-10 19:07:23 +01:00
cls_flower.c
net_sched: flower: Avoid dissection of unmasked keys
2020-05-10 10:26:21 +02:00
cls_fw.c
net: revert "net_sched: move tp->root allocation into fw_init()"
2015-09-24 14:33:30 -07:00
cls_route.c
net_sched: cls_route: remove the right filter from hashtable
2020-04-02 19:02:33 +02:00
cls_rsvp6.c
cls_rsvp.c
cls_rsvp.h
cls_rsvp: fix rsvp_policy
2020-02-14 16:29:54 -05:00
cls_tcindex.c
net_sched: keep alloc_hash updated after hash allocation
2020-04-02 19:02:33 +02:00
cls_u32.c
net: sched: Fix memory exposure from short TCA_U32_SEL
2019-10-29 09:13:32 +01:00
em_canid.c
em_cmp.c
em_ipset.c
netfilter: x_tables: Pass struct net in xt_action_param
2015-09-18 21:58:14 +02:00
em_meta.c
net_sched: em_meta: use skb_to_full_sk() helper
2015-11-08 20:56:39 -05:00
em_nbyte.c
em_text.c
net: Remove state argument from skb_find_text()
2015-02-22 15:59:54 -05:00
em_u32.c
ematch.c
net_sched: ematch: reject invalid TCF_EM_SIMPLE
2020-02-05 13:03:37 +00:00
Kconfig
net: add CONFIG_NET_INGRESS to enable ingress filtering
2015-05-14 01:10:05 -04:00
Makefile
tc: introduce Flower classifier
2015-05-13 15:19:48 -04:00
sch_api.c
net_sched: refetch skb protocol for each filter
2019-02-06 19:43:03 +01:00
sch_atm.c
net: sched: consolidate tc_classify{,_compat}
2015-08-27 14:18:48 -07:00
sch_blackhole.c
net_sched: blackhole: tell upper qdisc about dropped packets
2018-07-22 14:25:53 +02:00
sch_cbq.c
sch_cbq: validate TCA_CBQ_WRROPT to avoid crash
2019-10-07 21:01:06 +02:00
sch_choke.c
sch_choke: avoid potential panic in choke_reset()
2020-05-20 08:11:30 +02:00
sch_codel.c
net: sched: Fix a possible null-pointer dereference in dequeue_func()
2019-08-11 12:20:45 +02:00
sch_drr.c
sch_drr: update backlog as well
2020-05-10 10:25:57 +02:00
sch_dsmark.c
sch_dsmark: fix potential NULL deref in dsmark_init()
2019-10-07 21:01:05 +02:00
sch_fifo.c
net_sched: fix pfifo_head_drop behavior vs backlog
2016-07-11 09:31:11 -07:00
sch_fq_codel.c
fq_codel: return non zero qlen in class dumps
2020-05-10 10:26:29 +02:00
sch_fq.c
pkt_sched: fq: use proper locking in fq_dump_stats()
2020-05-10 10:26:21 +02:00
sch_generic.c
qdisc: fix a module refcount leak in qdisc_create_dflt()
2020-05-10 10:26:29 +02:00
sch_gred.c
net: sched: gred: pass the right attribute to gred_change_table_def()
2018-11-10 07:41:41 -08:00
sch_hfsc.c
sch_hfsc: always keep backlog updated
2020-05-10 10:25:57 +02:00
sch_hhf.c
net/flow_dissector: switch to siphash
2019-11-10 11:21:14 +01:00
sch_htb.c
sch_htb: fix crash on init failure
2018-09-15 09:40:41 +02:00
sch_ingress.c
net: sched: further simplify handle_ing
2015-05-11 11:10:35 -04:00
sch_mq.c
net: sched: fix tc -s class show no bstats on class with nolock subqueues
2019-12-05 15:27:16 +01:00
sch_mqprio.c
net: sched: fix tc -s class show no bstats on class with nolock subqueues
2019-12-05 15:27:16 +01:00
sch_multiq.c
net: sched: fix tc -s class show no bstats on class with nolock subqueues
2019-12-05 15:27:16 +01:00
sch_netem.c
sch_netem: fix rcu splat in netem_enqueue()
2019-11-06 12:09:24 +01:00
sch_pie.c
net_sched: update hierarchical backlog too
2016-05-18 17:06:39 -07:00
sch_plug.c
net: sched: drop all special handling of tx_queue_len == 0
2015-08-18 11:55:08 -07:00
sch_prio.c
sch_prio: update backlog as well
2020-05-10 10:25:57 +02:00
sch_qfq.c
sch_qfq: keep backlog updated with qlen
2020-05-10 10:25:58 +02:00
sch_red.c
sch_red: update backlog as well
2018-11-10 07:41:37 -08:00
sch_sfb.c
sch_sfb: keep backlog updated with qlen
2020-05-10 10:25:58 +02:00
sch_sfq.c
sch_sfq: validate silly quantum values
2020-05-20 08:11:30 +02:00
sch_tbf.c
sch_tbf: update backlog as well
2020-05-10 10:25:58 +02:00
sch_teql.c