From: Jiri Pirko <jiri@resnulli.us>
To: Davide Caratti <dcaratti@redhat.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Roman Mashak <mrv@mojatatu.com>,
	Manish Kurup <kurup.manish@gmail.com>,
	netdev@vger.kernel.org
Subject: Re: [PATCH net 2/5] net/sched: fix NULL dereference in the error path of tcf_csum_init()
Date: Fri, 16 Mar 2018 09:26:41 +0100
Message-ID: <20180316082641.GJ2130@nanopsycho>
In-Reply-To: <cb08146799e6e0a9660ad2a384f76795858b934b.1521154629.git.dcaratti@redhat.com>

Fri, Mar 16, 2018 at 12:00:54AM CET, dcaratti@redhat.com wrote:
>when the following command
>
> # tc action add action csum udp continue index 100
>
>is run for the first time, and tcf_csum_init() fails allocating struct
>tcf_csum, tcf_csum_cleanup() calls kfree_rcu(NULL,...). This causes the
>following error:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> IP: __call_rcu+0x23/0x2b0
> PGD 80000000740b4067 P4D 80000000740b4067 PUD 32e7f067 PMD 0
> Oops: 0002 [#1] SMP PTI
> Modules linked in: act_csum(E) act_vlan ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer aesni_intel crypto_simd glue_helper cryptd snd joydev pcspkr virtio_balloon i2c_piix4 soundcore nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_blk drm virtio_net virtio_console ata_piix crc32c_intel libata virtio_pci serio_raw i2c_core virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_vlan]
> CPU: 2 PID: 5763 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
> Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
> RIP: 0010:__call_rcu+0x23/0x2b0
> RSP: 0018:ffffb275803e77c0 EFLAGS: 00010246
> RAX: ffffffffc057b080 RBX: ffff9674bc6f5240 RCX: 00000000ffffffff
> RDX: ffffffff928a5f00 RSI: 0000000000000008 RDI: 0000000000000008
> RBP: 0000000000000008 R08: 0000000000000001 R09: 0000000000000044
> R10: 0000000000000220 R11: ffff9674b9ab4821 R12: 0000000000000000
> R13: ffffffff928a5f00 R14: 0000000000000000 R15: 0000000000000001
> FS:  00007fa6368d8740(0000) GS:ffff9674bfd00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000010 CR3: 0000000073dec001 CR4: 00000000001606e0
> Call Trace:
>  __tcf_idr_release+0x79/0xf0
>  tcf_csum_init+0xfb/0x180 [act_csum]
>  tcf_action_init_1+0x2cc/0x430
>  tcf_action_init+0xd3/0x1b0
>  tc_ctl_action+0x18b/0x240
>  rtnetlink_rcv_msg+0x29c/0x310
>  ? _cond_resched+0x15/0x30
>  ? __kmalloc_node_track_caller+0x1b9/0x270
>  ? rtnl_calcit.isra.28+0x100/0x100
>  netlink_rcv_skb+0xd2/0x110
>  netlink_unicast+0x17c/0x230
>  netlink_sendmsg+0x2cd/0x3c0
>  sock_sendmsg+0x30/0x40
>  ___sys_sendmsg+0x27a/0x290
>  ? filemap_map_pages+0x34a/0x3a0
>  ? __handle_mm_fault+0xbfd/0xe20
>  __sys_sendmsg+0x51/0x90
>  do_syscall_64+0x6e/0x1a0
>  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
> RIP: 0033:0x7fa635ce9ba0
> RSP: 002b:00007ffc185b0fc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00007ffc185b10f0 RCX: 00007fa635ce9ba0
> RDX: 0000000000000000 RSI: 00007ffc185b1040 RDI: 0000000000000003
> RBP: 000000005aaa85e0 R08: 0000000000000002 R09: 0000000000000000
> R10: 00007ffc185b0a20 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffc185b1104 R14: 0000000000000001 R15: 0000000000669f60
> Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
> RIP: __call_rcu+0x23/0x2b0 RSP: ffffb275803e77c0
> CR2: 0000000000000010
>
>fix this in tcf_csum_cleanup(), ensuring that kfree_rcu(param, ...) is
>called only when param is not NULL.
>
>Fixes: 9c5f69bbd75a ("net/sched: act_csum: don't use spinlock in the fast path")
>Signed-off-by: Davide Caratti <dcaratti@redhat.com>

Acked-by: Jiri Pirko <jiri@mellanox.com>
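
Added illustration, not part of the original message and not kernel code: a userspace C model of the error path the quoted commit message describes, where cleanup runs after the parameter allocation failed. All names and the struct layout are assumptions; the layout is chosen so that, on LP64, the modelled store address for a NULL object equals the CR2 value in the trace (0x10).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Userspace stand-ins, not kernel code: all names and the layout are hypothetical. */
struct model_rcu_head { void *next; void (*func)(void *); };
struct csum_params_model {
    unsigned int update_flags;
    struct model_rcu_head rcu;      /* offset 8 on LP64 */
};
struct csum_action_model { struct csum_params_model *params; };
static int deferred_frees;          /* objects handed to the deferred free */

/* Address a deferred free stores its callback to: object base plus field offset. */
static uintptr_t rcu_store_address(struct csum_params_model *p)
{
    return (uintptr_t)p + offsetof(struct csum_params_model, rcu.func);
}

/* Model of a deferred free: it writes into the object before releasing it. */
static void model_kfree_rcu(struct csum_params_model *p)
{
    p->rcu.func = NULL;             /* this store faults when p == NULL */
    free(p);
    deferred_frees++;
}

/* Cleanup in the shape the commit message describes: free only if non-NULL. */
static void cleanup_guarded(struct csum_action_model *a)
{
    if (a->params)
        model_kfree_rcu(a->params);
    a->params = NULL;
}

/* init whose allocation may fail; its error path runs the same cleanup. */
static int init_model(struct csum_action_model *a, int fail_alloc)
{
    a->params = fail_alloc ? NULL : calloc(1, sizeof(*a->params));
    if (!a->params)
        cleanup_guarded(a);         /* must tolerate params == NULL */
    return a->params ? 0 : -12;     /* -12 models -ENOMEM */
}

int main(void)
{
    struct csum_action_model a;
    return init_model(&a, 1) == -12 && rcu_store_address(NULL) != 0 ? 0 : 1;
}
```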

Thread overview: 11+ messages
2018-03-15 23:00 [PATCH net 0/5] net/sched: fix NULL dereference in the error path of .init() Davide Caratti
2018-03-15 23:00 ` [PATCH net 1/5] net/sched: fix NULL dereference in the error path of tcf_vlan_init() Davide Caratti
2018-03-15 23:00 ` [PATCH net 2/5] net/sched: fix NULL dereference in the error path of tcf_csum_init() Davide Caratti
2018-03-16  8:26   ` Jiri Pirko [this message]
2018-03-15 23:00 ` [PATCH net 3/5] net/sched: fix NULL dereference in the error path of tunnel_key_init() Davide Caratti
2018-03-16  8:26   ` Jiri Pirko
2018-03-15 23:00 ` [PATCH net 4/5] net/sched: fix NULL dereference in the error path of tcf_sample_init() Davide Caratti
2018-03-16  8:27   ` Jiri Pirko
2018-03-15 23:00 ` [PATCH net 5/5] net/sched: fix NULL dereference on the error path of tcf_skbmod_init() Davide Caratti
2018-03-16  8:27   ` Jiri Pirko
2018-03-17 23:53 ` [PATCH net 0/5] net/sched: fix NULL dereference in the error path of .init() David Miller
