linux/net/sched
Davide Caratti 34043d250f net/sched: act_sample: fix NULL dereference in the data path
Matteo reported the following splat, testing the datapath of TC 'sample':

 BUG: KASAN: null-ptr-deref in tcf_sample_act+0xc4/0x310
 Read of size 8 at addr 0000000000000000 by task nc/433

 CPU: 0 PID: 433 Comm: nc Not tainted 4.19.0-rc3-kvm #17
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS ?-20180531_142017-buildhw-08.phx2.fedoraproject.org-1.fc28 04/01/2014
 Call Trace:
  kasan_report.cold.6+0x6c/0x2fa
  tcf_sample_act+0xc4/0x310
  ? dev_hard_start_xmit+0x117/0x180
  tcf_action_exec+0xa3/0x160
  tcf_classify+0xdd/0x1d0
  htb_enqueue+0x18e/0x6b0
  ? deref_stack_reg+0x7a/0xb0
  ? htb_delete+0x4b0/0x4b0
  ? unwind_next_frame+0x819/0x8f0
  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
  __dev_queue_xmit+0x722/0xca0
  ? unwind_get_return_address_ptr+0x50/0x50
  ? netdev_pick_tx+0xe0/0xe0
  ? save_stack+0x8c/0xb0
  ? kasan_kmalloc+0xbe/0xd0
  ? __kmalloc_track_caller+0xe4/0x1c0
  ? __kmalloc_reserve.isra.45+0x24/0x70
  ? __alloc_skb+0xdd/0x2e0
  ? sk_stream_alloc_skb+0x91/0x3b0
  ? tcp_sendmsg_locked+0x71b/0x15a0
  ? tcp_sendmsg+0x22/0x40
  ? __sys_sendto+0x1b0/0x250
  ? __x64_sys_sendto+0x6f/0x80
  ? do_syscall_64+0x5d/0x150
  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
  ? __sys_sendto+0x1b0/0x250
  ? __x64_sys_sendto+0x6f/0x80
  ? do_syscall_64+0x5d/0x150
  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
  ip_finish_output2+0x495/0x590
  ? ip_copy_metadata+0x2e0/0x2e0
  ? skb_gso_validate_network_len+0x6f/0x110
  ? ip_finish_output+0x174/0x280
  __tcp_transmit_skb+0xb17/0x12b0
  ? __tcp_select_window+0x380/0x380
  tcp_write_xmit+0x913/0x1de0
  ? __sk_mem_schedule+0x50/0x80
  tcp_sendmsg_locked+0x49d/0x15a0
  ? tcp_rcv_established+0x8da/0xa30
  ? tcp_set_state+0x220/0x220
  ? clear_user+0x1f/0x50
  ? iov_iter_zero+0x1ae/0x590
  ? __fget_light+0xa0/0xe0
  tcp_sendmsg+0x22/0x40
  __sys_sendto+0x1b0/0x250
  ? __ia32_sys_getpeername+0x40/0x40
  ? _copy_to_user+0x58/0x70
  ? poll_select_copy_remaining+0x176/0x200
  ? __pollwait+0x1c0/0x1c0
  ? ktime_get_ts64+0x11f/0x140
  ? kern_select+0x108/0x150
  ? core_sys_select+0x360/0x360
  ? vfs_read+0x127/0x150
  ? kernel_write+0x90/0x90
  __x64_sys_sendto+0x6f/0x80
  do_syscall_64+0x5d/0x150
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7fefef2b129d
 Code: ff ff ff ff eb b6 0f 1f 80 00 00 00 00 48 8d 05 51 37 0c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41
 RSP: 002b:00007fff2f5350c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 000056118d60c120 RCX: 00007fefef2b129d
 RDX: 0000000000002000 RSI: 000056118d629320 RDI: 0000000000000003
 RBP: 000056118d530370 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000002000
 R13: 000056118d5c2a10 R14: 000056118d5c2a10 R15: 000056118d5303b8

tcf_sample_act() tried to update its per-cpu stats, but tcf_sample_init()
forgot to allocate them, because tcf_idr_create() was called with a wrong
value of 'cpustats'. Setting it to true proved to fix the reported crash.

Reported-by: Matteo Croce <mcroce@redhat.com>
Fixes: 65a206c01e ("net/sched: Change act_api and act_xxx modules to use IDR")
Fixes: 5c5670fae4 ("net/sched: Introduce sample tc action")
Tested-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-14 08:46:28 -07:00
..
act_api.c net: sched: null actions array pointer before releasing action 2018-09-03 21:47:33 -07:00
act_bpf.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_connmark.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_csum.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_gact.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_ife.c net: sched: action_ife: take reference to meta module 2018-09-04 12:20:21 -07:00
act_ipt.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_nat.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_pedit.c net/sched: act_pedit: fix dump of extended layered op 2018-08-29 18:11:05 -07:00
act_police.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_sample.c net/sched: act_sample: fix NULL dereference in the data path 2018-09-14 08:46:28 -07:00
act_simple.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_skbedit.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_skbmod.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
act_tunnel_key.c net_sched: properly cancel netlink dump on failure 2018-09-07 23:05:07 -07:00
act_vlan.c net_sched: remove unnecessary ops->delete() 2018-08-21 12:45:44 -07:00
cls_api.c net_sched: notify filter deletion when deleting a chain 2018-09-13 09:07:40 -07:00
cls_basic.c sched: fix trailing whitespace 2018-07-24 14:10:42 -07:00
cls_bpf.c cls_bpf: Use kmemdup instead of duplicating it in cls_bpf_prog_from_ops 2018-07-29 13:19:49 -07:00
cls_cgroup.c net_sched: switch to rcu_work 2018-05-24 22:56:15 -04:00
cls_flow.c net_sched: switch to rcu_work 2018-05-24 22:56:15 -04:00
cls_flower.c net: sched: cls_flower: set correct offload data in fl_reoffload 2018-08-07 12:35:17 -07:00
cls_fw.c net_sched: switch to rcu_work 2018-05-24 22:56:15 -04:00
cls_matchall.c cls_matchall: fix tcf_unbind_filter missing 2018-08-16 12:08:26 -07:00
cls_route.c net_sched: switch to rcu_work 2018-05-24 22:56:15 -04:00
cls_rsvp6.c
cls_rsvp.c
cls_rsvp.h net_sched: switch to rcu_work 2018-05-24 22:56:15 -04:00
cls_tcindex.c net_sched: Fix missing res info when create new tc_index filter 2018-08-13 19:37:42 -07:00
cls_u32.c net: sched: Fix memory exposure from short TCA_U32_SEL 2018-08-26 14:21:50 -07:00
em_canid.c
em_cmp.c
em_ipset.c
em_ipt.c
em_meta.c
em_nbyte.c
em_text.c
em_u32.c
ematch.c
Kconfig net/sched: add skbprio scheduler 2018-07-24 14:44:00 -07:00
Makefile net/sched: add skbprio scheduler 2018-07-24 14:44:00 -07:00
sch_api.c net/sched: Allow creating a Qdisc watchdog with other clocks 2018-07-04 22:30:27 +09:00
sch_atm.c
sch_blackhole.c net_sched: blackhole: tell upper qdisc about dropped packets 2018-06-17 08:42:33 +09:00
sch_cake.c sch_cake: Fix TC filter flow override and expand it to hosts as well 2018-08-22 21:39:45 -07:00
sch_cbq.c
sch_cbs.c cbs: Add support for the graft function 2018-07-26 13:58:30 -07:00
sch_choke.c
sch_codel.c
sch_drr.c
sch_dsmark.c
sch_etf.c net/sched: Make etf report drops on error_queue 2018-07-04 22:30:28 +09:00
sch_fifo.c
sch_fq_codel.c sch_fq_codel: zero q->flows_cnt when fq_codel_init fails 2018-07-12 12:32:09 -07:00
sch_fq.c net_sched: fq: take care of throttled flows before reuse 2018-05-02 16:37:38 -04:00
sch_generic.c net: remove bypassed check in sch_direct_xmit() 2018-05-31 13:26:19 -04:00
sch_gred.c
sch_hfsc.c net_sched: remove a bogus warning in hfsc 2018-06-23 10:58:46 +09:00
sch_hhf.c treewide: kvzalloc() -> kvcalloc() 2018-06-12 16:19:22 -07:00
sch_htb.c net_sched: remove unused htb drop_list 2018-06-24 16:42:46 +09:00
sch_ingress.c
sch_mq.c net: sched: mq: request stats from offloads 2018-05-29 09:49:16 -04:00
sch_mqprio.c
sch_multiq.c
sch_netem.c netem: slotting with non-uniform distribution 2018-06-28 22:06:24 +09:00
sch_pie.c
sch_plug.c
sch_prio.c
sch_qfq.c
sch_red.c net: sched: red: avoid hashing NULL child 2018-05-18 13:52:32 -04:00
sch_sfb.c
sch_sfq.c
sch_skbprio.c net/sched: add skbprio scheduler 2018-07-24 14:44:00 -07:00
sch_tbf.c net: sched: red: avoid hashing NULL child 2018-05-18 13:52:32 -04:00
sch_teql.c