linux/include/net
Vlad Buslov 976ee31ea3 net: sched: fix police ext initialization
commit 396d7f23adf9e8c436dd81a69488b5b6a865acf8 upstream.

When police action is created by cls API tcf_exts_validate() first
conditional that calls tcf_action_init_1() directly, the action idr is not
updated according to latest changes in action API that require caller to
commit newly created action to idr with tcf_idr_insert_many(). This results
in such action not being accessible through act API and causes crash reported
by syzbot:

==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
BUG: KASAN: null-ptr-deref in __tcf_idr_release net/sched/act_api.c:178 [inline]
BUG: KASAN: null-ptr-deref in tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598
Read of size 4 at addr 0000000000000010 by task kworker/u4:5/204

CPU: 0 PID: 204 Comm: kworker/u4:5 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 __kasan_report mm/kasan/report.c:400 [inline]
 kasan_report.cold+0x5f/0xd5 mm/kasan/report.c:413
 check_memory_region_inline mm/kasan/generic.c:179 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:185
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
 __tcf_idr_release net/sched/act_api.c:178 [inline]
 tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598
 tc_action_net_exit include/net/act_api.h:151 [inline]
 police_exit_net+0x168/0x360 net/sched/act_police.c:390
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190
 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:604
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 204 Comm: kworker/u4:5 Tainted: G    B             5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 panic+0x306/0x73d kernel/panic.c:231
 end_report+0x58/0x5e mm/kasan/report.c:100
 __kasan_report mm/kasan/report.c:403 [inline]
 kasan_report.cold+0x67/0xd5 mm/kasan/report.c:413
 check_memory_region_inline mm/kasan/generic.c:179 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:185
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
 __tcf_idr_release net/sched/act_api.c:178 [inline]
 tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598
 tc_action_net_exit include/net/act_api.h:151 [inline]
 police_exit_net+0x168/0x360 net/sched/act_police.c:390
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190
 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:604
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Kernel Offset: disabled

Fix the issue by calling tcf_idr_insert_many() after successful action
initialization.

Fixes: 0fedc63fad ("net_sched: commit action insertions together")
Reported-by: syzbot+151e3e714d34ae4ce7e8@syzkaller.appspotmail.com
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-03-04 10:26:53 +01:00
9p
bluetooth Bluetooth: Disconnect if E0 is used for Level 4 2020-10-17 10:11:22 +02:00
caif
iucv
netfilter netfilter: nft_dynset: fix timeouts later than 23 days 2020-12-30 11:50:54 +01:00
netns netfilter: nf_tables: autoload modules from the abort path 2020-01-29 16:45:33 +01:00
nfc
phonet
sctp net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant 2020-09-26 18:03:13 +02:00
tc_act net: sched: take reference to psample group in flow_action infra 2019-09-16 09:18:03 +02:00
6lowpan.h
Space.h
act_api.h net: sched: fix police ext initialization 2021-03-04 10:26:53 +01:00
addrconf.h ipv6: fix memory leaks on IPV6_ADDRFORM path 2020-08-11 15:33:39 +02:00
af_ieee802154.h
af_rxrpc.h rxrpc: Make rxrpc_kernel_get_srtt() indicate validity 2020-09-09 19:12:23 +02:00
af_unix.h
af_vsock.h
ah.h
arp.h net: avoid potential false sharing in neighbor related code 2019-12-31 16:45:03 +01:00
atmclip.h
ax25.h
ax88796.h
bond_3ad.h
bond_alb.h
bond_options.h
bonding.h bonding: wait for sysfs kobject destruction before freeing struct slave 2020-12-08 10:40:24 +01:00
bpf_sk_storage.h
busy_poll.h net: annotate lockless accesses to sk->sk_napi_id 2019-10-30 17:34:35 -07:00
calipso.h
cfg80211-wext.h
cfg80211.h cfg80211: Fix radar event during another phy CAC 2020-02-05 21:22:46 +00:00
cfg802154.h
checksum.h
cipso_ipv4.h
cls_cgroup.h
codel.h
codel_impl.h
codel_qdisc.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h devlink: disallow reload operation during device cleanup 2019-11-09 19:38:36 -08:00
dn.h
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
dn_route.h
drop_monitor.h net: drop_monitor: use IS_REACHABLE() to guard net_dm_hw_report() 2020-05-27 17:46:24 +02:00
dsa.h net: dsa: Pass ndo_setup_tc slave callback to drivers 2019-09-16 21:32:57 +02:00
dsfield.h
dst.h net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb 2020-07-22 09:32:47 +02:00
dst_cache.h
dst_metadata.h
dst_ops.h net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:18:58 +01:00
erspan.h
esp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h fib: add missing attribute validation for tun_id 2020-03-18 07:17:44 +01:00
firewire.h
flow.h ipv4: Initialize flowi4_multipath_hash in data path 2020-09-26 18:03:12 +02:00
flow_dissector.h net: sched: correct flower port blocking 2020-03-05 16:43:32 +01:00
flow_offload.h net: core: rename indirect block ingress cb function 2019-12-18 16:08:47 +01:00
fou.h
fq.h net/flow_dissector: switch to siphash 2019-10-23 20:13:22 -07:00
fq_impl.h net/fq_impl: Switch to kvmalloc() for memory allocation 2019-11-08 09:11:49 +01:00
garp.h
gen_stats.h
genetlink.h genetlink: remove genl_bind 2020-07-22 09:32:46 +02:00
geneve.h
gre.h
gro_cells.h
gtp.h
gue.h
hwbm.h net: hwbm: if CONFIG_NET_HWBM unset, make stub functions static 2019-10-25 16:24:32 -07:00
icmp.h net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-03-04 10:26:53 +01:00
ieee80211_radiotap.h
ieee802154_netdev.h
if_inet6.h ipv6: shrink struct ipv6_mc_socklist 2019-08-28 14:43:03 -07:00
ife.h
ila.h
inet6_connection_sock.h
inet6_hashtables.h
inet_common.h
inet_connection_sock.h tcp: fix TCP_USER_TIMEOUT with zero window 2021-01-27 11:47:55 +01:00
inet_ecn.h inet_ecn: Fix endianness of checksum update when setting ECT(1) 2020-12-08 10:40:25 +01:00
inet_frag.h
inet_hashtables.h dccp: Fix possible memleak in dccp_init and dccp_fini 2020-06-17 16:40:32 +02:00
inet_sock.h ip: support SO_MARK cmsg 2019-09-13 21:44:19 +02:00
inet_timewait_sock.h tcp: honor SO_PRIORITY in TIME_WAIT state 2019-09-27 12:05:02 +02:00
inetpeer.h
ip.h net/ipv4: always honour route mtu during forwarding 2020-10-29 09:57:24 +01:00
ip6_checksum.h
ip6_fib.h ipv6: Use global sernum for dst validation with nexthop objects 2020-05-14 07:58:20 +02:00
ip6_route.h net: ipv6: do not consider routes via gateways for anycast address check 2020-04-21 09:04:45 +02:00
ip6_tunnel.h
ip_fib.h ipv4: nexthop version of fib_info_nh_uses_dev 2020-06-03 08:21:37 +02:00
ip_tunnels.h ip_tunnels: Set tunnel option flag when tunnel metadata is present 2020-11-24 13:29:05 +01:00
ip_vs.h ipvs: allow connection reuse for unconfirmed conntrack 2020-08-19 08:16:10 +02:00
ipcomp.h
ipconfig.h
ipv6.h net: ipv6: add net argument to ip6_dst_lookup_flow 2019-12-18 16:08:40 +01:00
ipv6_frag.h
ipv6_stubs.h net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup 2019-12-18 16:08:42 +01:00
ipx.h bonding/alb: properly access headers in bond_alb_xmit() 2020-02-11 04:35:48 -08:00
iw_handler.h
kcm.h
l3mdev.h
lag.h
lapb.h
lib80211.h
llc.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h llc: fix sk_buff leak in llc_conn_service() 2019-10-08 13:23:05 -07:00
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
lwtunnel.h
mac80211.h mac80211: populate debugfs only after cfg80211 init 2020-04-29 16:33:18 +02:00
mac802154.h
mip6.h
mld.h
mpls.h
mpls_iptunnel.h
mrp.h
ncsi.h
ndisc.h net: avoid potential false sharing in neighbor related code 2019-12-31 16:45:03 +01:00
neighbour.h Exempt multicast addresses from five-second neighbor lifetime 2020-11-24 13:28:56 +01:00
net_failover.h
net_namespace.h ipv6: Use global sernum for dst validation with nexthop objects 2020-05-14 07:58:20 +02:00
net_ratelimit.h
netevent.h
netlabel.h
netlink.h
netprio_cgroup.h
netrom.h
nexthop.h ipv4: nexthop version of fib_info_nh_uses_dev 2020-06-03 08:21:37 +02:00
nl802154.h
nsh.h
p8022.h
page_pool.h page_pool: do not release pool until inflight == 0. 2019-12-18 16:09:07 +01:00
ping.h
pkt_cls.h net_sched: fix ops->bind_class() implementations 2020-02-01 09:34:38 +00:00
pkt_sched.h sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
pptp.h
protocol.h
psample.h net: sched: take reference to psample group in flow_action infra 2019-09-16 09:18:03 +02:00
psnap.h
raw.h
rawv6.h
red.h net: sched: prevent invalid Scell_log shift count 2021-01-12 20:16:14 +01:00
regulatory.h
request_sock.h net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head 2019-10-09 21:34:31 -07:00
rose.h
route.h ipv4: Revert removal of rt_uses_gateway 2019-09-20 18:23:33 -07:00
rsi_91x.h
rtnetlink.h
rtnh.h
sch_generic.h net: sched: replaced invalid qdisc tree flush helper in qdisc_replace 2021-02-10 09:25:33 +01:00
scm.h
secure_seq.h
seg6.h
seg6_hmac.h
seg6_local.h
slhc_vj.h
smc.h
snmp.h
sock.h net: silence data-races on sk_backlog.tail 2020-10-01 13:17:15 +02:00
sock_reuseport.h udp: correct reuseport selection with connected sockets 2019-09-16 09:02:18 +02:00
stp.h
strparser.h
switchdev.h
tcp.h tcp: fix SO_RCVLOWAT related hangs under mem pressure 2021-03-04 10:26:17 +01:00
tcp_states.h
timewait_sock.h
tipc.h
tls.h net/tls: Protect from calling tls_dev_del for TLS RX twice 2020-12-08 10:40:23 +01:00
transp_v6.h
tso.h
tun_proto.h
udp.h udp: document udp_rcv_segment special case for looped packets 2020-05-10 10:31:33 +02:00
udp_tunnel.h
udplite.h
vsock_addr.h
vxlan.h vxlan: add adjacent link to limit depth level 2019-10-24 14:53:49 -07:00
wext.h
wimax.h
x25.h
x25device.h
xdp.h
xdp_priv.h page_pool: do not release pool until inflight == 0. 2019-12-18 16:09:07 +01:00
xdp_sock.h xsk: add support to allow unaligned chunk placement 2019-08-31 01:08:26 +02:00
xfrm.h xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate 2020-10-14 10:33:02 +02:00