From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
"Zhengchao Shao" <shaozhengchao@huawei.com>,
"Toke Høiland-Jørgensen" <toke@toke.dk>,
"David S. Miller" <davem@davemloft.net>,
"Sasha Levin" <sashal@kernel.org>
Subject: [PATCH 5.4 45/53] net: sched: cake: fix null pointer access issue when cake_init() fails
Date: Thu, 27 Oct 2022 18:56:33 +0200 [thread overview]
Message-ID: <20221027165051.551273288@linuxfoundation.org> (raw)
In-Reply-To: <20221027165049.817124510@linuxfoundation.org>
From: Zhengchao Shao <shaozhengchao@huawei.com>
[ Upstream commit 51f9a8921ceacd7bf0d3f47fa867a64988ba1dcb ]
When the default qdisc is cake, if the qdisc of dev_queue fails to be
inited during mqprio_init(), cake_reset() is invoked to clear
resources. In this case, the tins is NULL, and it will cause gpf issue.
The process is as follows:
qdisc_create_dflt()
cake_init()
q->tins = kvcalloc(...) --->failed, q->tins is NULL
...
qdisc_put()
...
cake_reset()
...
cake_dequeue_one()
b = &q->tins[...] --->q->tins is NULL
The following is the Call Trace information:
general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:cake_dequeue_one+0xc9/0x3c0
Call Trace:
<TASK>
cake_reset+0xb1/0x140
qdisc_reset+0xed/0x6f0
qdisc_destroy+0x82/0x4c0
qdisc_put+0x9e/0xb0
qdisc_create_dflt+0x2c3/0x4a0
mqprio_init+0xa71/0x1760
qdisc_create+0x3eb/0x1000
tc_modify_qdisc+0x408/0x1720
rtnetlink_rcv_msg+0x38e/0xac0
netlink_rcv_skb+0x12d/0x3a0
netlink_unicast+0x4a2/0x740
netlink_sendmsg+0x826/0xcc0
sock_sendmsg+0xc5/0x100
____sys_sendmsg+0x583/0x690
___sys_sendmsg+0xe8/0x160
__sys_sendmsg+0xbf/0x160
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f89e5122d04
</TASK>
Fixes: 046f6fd5daef ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 0eb4d4a568f7..9e5e7fda0f4a 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -2190,8 +2190,12 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch)
static void cake_reset(struct Qdisc *sch)
{
+ struct cake_sched_data *q = qdisc_priv(sch);
u32 c;
+ if (!q->tins)
+ return;
+
for (c = 0; c < CAKE_MAX_TINS; c++)
cake_clear_tin(sch, c);
}
--
2.35.1
next prev parent reply other threads:[~2022-10-27 17:09 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-27 16:55 [PATCH 5.4 00/53] 5.4.221-rc1 review Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 01/53] xfs: open code insert range extent split helper Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 02/53] xfs: rework insert range into an atomic operation Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 03/53] xfs: rework collapse " Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 04/53] xfs: add a function to deal with corrupt buffers post-verifiers Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 05/53] xfs: xfs_buf_corruption_error should take __this_address Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 06/53] xfs: fix buffer corruption reporting when xfs_dir3_free_header_check fails Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 07/53] xfs: check owner of dir3 data blocks Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 08/53] xfs: check owner of dir3 blocks Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 09/53] xfs: Use scnprintf() for avoiding potential buffer overflow Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 10/53] xfs: remove the xfs_disk_dquot_t and xfs_dquot_t Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 11/53] xfs: remove the xfs_dq_logitem_t typedef Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 12/53] xfs: remove the xfs_qoff_logitem_t typedef Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 13/53] xfs: Replace function declaration by actual definition Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 14/53] xfs: factor out quotaoff intent AIL removal and memory free Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 15/53] xfs: fix unmount hang and memory leak on shutdown during quotaoff Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 16/53] xfs: preserve default grace interval during quotacheck Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 17/53] xfs: Lower CIL flush limit for large logs Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 18/53] xfs: Throttle commits on delayed background CIL push Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 19/53] xfs: factor common AIL item deletion code Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 20/53] xfs: tail updates only need to occur when LSN changes Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 21/53] xfs: dont write a corrupt unmount record to force summary counter recalc Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 22/53] xfs: trylock underlying buffer on dquot flush Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 23/53] xfs: factor out a new xfs_log_force_inode helper Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 24/53] xfs: reflink should force the log out if mounted with wsync Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 25/53] xfs: move inode flush to the sync workqueue Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 26/53] xfs: fix use-after-free on CIL context on shutdown Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 27/53] ocfs2: clear dinode links count in case of error Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 28/53] ocfs2: fix BUG when iput after ocfs2_mknod fails Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 29/53] x86/microcode/AMD: Apply the patch early on every logical thread Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 30/53] hwmon/coretemp: Handle large core ID value Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 31/53] ata: ahci-imx: Fix MODULE_ALIAS Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 32/53] ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 33/53] KVM: arm64: vgic: Fix exit condition in scan_its_table() Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 34/53] media: venus: dec: Handle the case where find_format fails Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 35/53] arm64: errata: Remove AES hwcap for COMPAT tasks Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 36/53] r8152: add PID for the Lenovo OneLink+ Dock Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 37/53] btrfs: fix processing of delayed data refs during backref walking Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 38/53] btrfs: fix processing of delayed tree block " Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 39/53] ACPI: extlog: Handle multiple records Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 40/53] tipc: Fix recognition of trial period Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 41/53] tipc: fix an information leak in tipc_topsrv_kern_subscr Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 42/53] HID: magicmouse: Do not set BTN_MOUSE on double report Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 43/53] net/atm: fix proc_mpc_write incorrect return value Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 44/53] net: phy: dp83867: Extend RX strap quirk for SGMII mode Greg Kroah-Hartman
2022-10-27 16:56 ` Greg Kroah-Hartman [this message]
2022-10-27 16:56 ` [PATCH 5.4 46/53] net: hns: fix possible memory leak in hnae_ae_register() Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 47/53] iommu/vt-d: Clean up si_domain in the init_dmars() error path Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 48/53] arm64: topology: move store_cpu_topology() to shared code Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 49/53] riscv: topology: fix default topology reporting Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 50/53] [PATCH v3] ACPI: video: Force backlight native for more TongFang devices Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 51/53] Makefile.debug: re-enable debug info for .S files Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 52/53] hv_netvsc: Fix race between VF offering and VF association message from host Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 53/53] mm: /proc/pid/smaps_rollup: fix no vmas null-deref Greg Kroah-Hartman
2022-10-28 10:49 ` [PATCH 5.4 00/53] 5.4.221-rc1 review Sudip Mukherjee (Codethink)
2022-10-28 11:58 ` Jon Hunter
2022-10-28 14:01 ` Naresh Kamboju
2022-10-28 20:06 ` Florian Fainelli
2022-10-29 3:35 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221027165051.551273288@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=shaozhengchao@huawei.com \
--cc=stable@vger.kernel.org \
--cc=toke@toke.dk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.