projects
/
GitHub
/
LineageOS
/
android_kernel_motorola_exynos9610.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
6b4a3d4
)
net/sched: fix NULL dereference in the error path of tcf_sample_init()
author
Davide Caratti
<dcaratti@redhat.com>
Thu, 15 Mar 2018 23:00:56 +0000
(
00:00
+0100)
committer
Greg Kroah-Hartman
<gregkh@linuxfoundation.org>
Wed, 30 May 2018 05:52:16 +0000
(07:52 +0200)
[ Upstream commit
1f110e7cae09e6c6a144616480d1a9dd99c5208a
]
when the following command
# tc action add action sample rate 100 group 100 index 100
is run for the first time, and psample_group_get(100) fails to create a
new group, tcf_sample_cleanup() calls psample_group_put(NULL), thus
causing the following error:
BUG: unable to handle kernel NULL pointer dereference at
000000000000001c
IP: psample_group_put+0x15/0x71 [psample]
PGD
8000000075775067
P4D
8000000075775067
PUD
7453c067
PMD 0
Oops: 0002 [#1] SMP PTI
Modules linked in: act_sample(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core mbcache jbd2 crct10dif_pclmul snd_hwdep crc32_pclmul snd_seq ghash_clmulni_intel pcbc snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer glue_helper snd cryptd joydev pcspkr i2c_piix4 soundcore virtio_balloon nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_net ata_piix virtio_console virtio_blk libata serio_raw crc32c_intel virtio_pci i2c_core virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_tunnel_key]
CPU: 2 PID: 5740 Comm: tc Tainted: G E 4.16.0-rc4.act_vlan.orig+ #403
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:psample_group_put+0x15/0x71 [psample]
RSP: 0018:
ffffb8a80032f7d0
EFLAGS:
00010246
RAX:
0000000000000000
RBX:
0000000000000000
RCX:
0000000000000024
RDX:
0000000000000001
RSI:
0000000000000000
RDI:
ffffffffc06d93c0
RBP:
0000000000000000
R08:
0000000000000001
R09:
0000000000000044
R10:
00000000bd003000
R11:
ffff979fba04aa59
R12:
0000000000000000
R13:
0000000000000000
R14:
0000000000000000
R15:
ffff979fbba3f22c
FS:
00007f7638112740
(0000) GS:
ffff979fbfd00000
(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
000000000000001c
CR3:
00000000734ea001
CR4:
00000000001606e0
Call Trace:
__tcf_idr_release+0x79/0xf0
tcf_sample_init+0x125/0x1d0 [act_sample]
tcf_action_init_1+0x2cc/0x430
tcf_action_init+0xd3/0x1b0
tc_ctl_action+0x18b/0x240
rtnetlink_rcv_msg+0x29c/0x310
? _cond_resched+0x15/0x30
? __kmalloc_node_track_caller+0x1b9/0x270
? rtnl_calcit.isra.28+0x100/0x100
netlink_rcv_skb+0xd2/0x110
netlink_unicast+0x17c/0x230
netlink_sendmsg+0x2cd/0x3c0
sock_sendmsg+0x30/0x40
___sys_sendmsg+0x27a/0x290
? filemap_map_pages+0x34a/0x3a0
? __handle_mm_fault+0xbfd/0xe20
__sys_sendmsg+0x51/0x90
do_syscall_64+0x6e/0x1a0
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x7f7637523ba0
RSP: 002b:
00007fff0473ef58
EFLAGS:
00000246
ORIG_RAX:
000000000000002e
RAX:
ffffffffffffffda
RBX:
00007fff0473f080
RCX:
00007f7637523ba0
RDX:
0000000000000000
RSI:
00007fff0473efd0
RDI:
0000000000000003
RBP:
000000005aaaac80
R08:
0000000000000002
R09:
0000000000000000
R10:
00007fff0473e9e0
R11:
0000000000000246
R12:
0000000000000000
R13:
00007fff0473f094
R14:
0000000000000001
R15:
0000000000669f60
Code: be 02 00 00 00 48 89 df e8 a9 fe ff ff e9 7c ff ff ff 0f 1f 40 00 0f 1f 44 00 00 53 48 89 fb 48 c7 c7 c0 93 6d c0 e8 db 20 8c ef <83> 6b 1c 01 74 10 48 c7 c7 c0 93 6d c0 ff 14 25 e8 83 83 b0 5b
RIP: psample_group_put+0x15/0x71 [psample] RSP:
ffffb8a80032f7d0
CR2:
000000000000001c
Fix it in tcf_sample_cleanup(), ensuring that calls to psample_group_put(p)
are done only when p is not NULL.
Fixes:
cadb9c9fdbc6
("net/sched: act_sample: Fix error path in init")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/sched/act_sample.c
patch
|
blob
|
blame
|
history
diff --git
a/net/sched/act_sample.c
b/net/sched/act_sample.c
index 8b5abcd2f32faeaa2a283bcc8fb388201f7a86e2..53752b9327d02e1f81ce48a0d4459366421bd117 100644
(file)
--- a/
net/sched/act_sample.c
+++ b/
net/sched/act_sample.c
@@
-103,7
+103,8
@@
static void tcf_sample_cleanup_rcu(struct rcu_head *rcu)
psample_group = rcu_dereference_protected(s->psample_group, 1);
RCU_INIT_POINTER(s->psample_group, NULL);
- psample_group_put(psample_group);
+ if (psample_group)
+ psample_group_put(psample_group);
}
static void tcf_sample_cleanup(struct tc_action *a, int bind)