    net: sched: fix cleanup NULL pointer exception in act_mirr · a491de90
    John Hurley authored
    [ Upstream commit 064c5d6881e897077639e04973de26440ee205e6 ]
    
    A new mirred action is created by the tcf_mirred_init function. This
    contains a list head struct which is inserted into a global list on
    successful creation of a new action. However, after a creation, it is
    still possible to error out and call the tcf_idr_release function. This,
    in turn, calls the act_mirr cleanup function via __tcf_idr_release and
    __tcf_action_put. This cleanup function tries to delete the list entry
    which is as yet uninitialised, leading to a NULL pointer exception.
    
    Fix this by initialising the list entry on creation of a new action.
    
    Bug report:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
    PGD 8000000840c73067 P4D 8000000840c73067 PUD 858dcc067 PMD 0
    Oops: 0002 [#1] SMP PTI
    CPU: 32 PID: 5636 Comm: handler194 Tainted: G           OE     5.0.0+ #186
    Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.3.6 06/03/2015
    RIP: 0010:tcf_mirred_release+0x42/0xa7 [act_mirred]
    Code: f0 90 39 c0 e8 52 04 57 c8 48 c7 c7 b8 80 39 c0 e8 94 fa d4 c7 48 8b 93 d0 00 00 00 48 8b 83 d8 00 00 00 48 c7 c7 f0 90 39 c0 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 d0 00
    RSP: 0018:ffffac4aa059f688 EFLAGS: 00010282
    RAX: 0000000000000000 RBX: ffff9dcd1b214d00 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: ffff9dcd1fa165f8 RDI: ffffffffc03990f0
    RBP: ffff9dccf9c7af80 R08: 0000000000000a3b R09: 0000000000000000
    R10: ffff9dccfa11f420 R11: 0000000000000000 R12: 0000000000000001
    R13: ffff9dcd16b433c0 R14: ffff9dcd1b214d80 R15: 0000000000000000
    FS:  00007f441bfff700(0000) GS:ffff9dcd1fa00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000008 CR3: 0000000839e64004 CR4: 00000000001606e0
    Call Trace:
    tcf_action_cleanup+0x59/0xca
    __tcf_action_put+0x54/0x6b
    __tcf_idr_release.cold.33+0x9/0x12
    tcf_mirred_init.cold.20+0x22e/0x3b0 [act_mirred]
    tcf_action_init_1+0x3d0/0x4c0
    tcf_action_init+0x9c/0x130
    tcf_exts_validate+0xab/0xc0
    fl_change+0x1ca/0x982 [cls_flower]
    tc_new_tfilter+0x647/0x8d0
    ? load_balance+0x14b/0x9e0
    rtnetlink_rcv_msg+0xe3/0x370
    ? __switch_to_asm+0x40/0x70
    ? __switch_to_asm+0x34/0x70
    ? _cond_resched+0x15/0x30
    ? __kmalloc_node_track_caller+0x1d4/0x2b0
    ? rtnl_calcit.isra.31+0xf0/0xf0
    netlink_rcv_skb+0x49/0x110
    netlink_unicast+0x16f/0x210
    netlink_sendmsg+0x1df/0x390
    sock_sendmsg+0x36/0x40
    ___sys_sendmsg+0x27b/0x2c0
    ? futex_wake+0x80/0x140
    ? do_futex+0x2b9/0xac0
    ? ep_scan_ready_list.constprop.22+0x1f2/0x210
    ? ep_poll+0x7a/0x430
    __sys_sendmsg+0x47/0x80
    do_syscall_64+0x55/0x100
    entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Fixes: 4e232818 ("net: sched: act_mirred: remove dependency on rtnl lock")
    Signed-off-by: John Hurley <john.hurley@netronome.com>
    Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
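A userspace model of the error path described in the commit message, added here as an example; it is not kernel code and not part of this commit. The list primitives reimplement the semantics of include/linux/list.h so the file builds stand-alone, and struct action, action_init and action_release are hypothetical stand-ins for the act_mirred init and release paths.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Minimal doubly-linked list with the semantics of include/linux/list.h,
 * reimplemented so the example builds outside the kernel. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *head)
{ n->next = head->next; n->prev = head; head->next->prev = n; head->next = n; }
/* Same store order as the kernel's __list_del(): next->prev is written first,
 * so on a zeroed list_head that store lands at address 0x8, the CR2 value in
 * the oops above. */
static void list_del(struct list_head *e)
{ e->next->prev = e->prev; e->prev->next = e->next; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Hypothetical stand-in for struct tcf_mirred: a zeroed (kzalloc-like) block. */
struct action { struct list_head entry; int ifindex; };
static struct list_head global_list = { &global_list, &global_list };

/* Emulates tcf_mirred_init(): init_list applies the fix (INIT_LIST_HEAD at
 * creation); fail_early models erroring out before the entry is inserted. */
static struct action *action_init(bool init_list, bool fail_early)
{
    struct action *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    if (init_list) INIT_LIST_HEAD(&a->entry);
    if (!fail_early) list_add(&a->entry, &global_list);
    return a;   /* on fail_early the caller still has to release it */
}

/* Emulates the cleanup path; returns false instead of faulting when the entry
 * was never initialised, which is the case the unfixed code hit. */
static bool action_release(struct action *a)
{
    bool safe = a->entry.next && a->entry.prev;
    if (safe) list_del(&a->entry);
    free(a);
    return safe;
}
/* Error path (create, fail before insertion, release): safe only with the fix. */
static bool error_path_survives(bool init_list)
{
    struct action *a = action_init(init_list, true);
    return a && action_release(a);
}
/* Success path: insertion followed by release must leave the global list empty. */
static bool normal_path_unlinks(void)
{
    struct action *a = action_init(true, false);
    return a && action_release(a) && list_empty(&global_list);
}
```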