From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Jamal Hadi Salim <jhs@mojatatu.com>,
Pedro Tammela <pctammela@mojatatu.com>,
syzbot <syzkaller@googlegroups.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 52/57] net/sched: tcindex: search key must be 16 bits
Date: Mon, 20 Feb 2023 14:37:00 +0100 [thread overview]
Message-ID: <20230220133551.182086931@linuxfoundation.org> (raw)
In-Reply-To: <20230220133549.360169435@linuxfoundation.org>
From: Pedro Tammela <pctammela@mojatatu.com>
[ Upstream commit 42018a322bd453e38b3ffee294982243e50a484f ]
Syzkaller found an issue where a handle greater than 16 bits would trigger
a null-ptr-deref in the imperfect hash area update.
general protection fault, probably for non-canonical address
0xdffffc0000000015: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
CPU: 0 PID: 5070 Comm: syz-executor456 Not tainted
6.2.0-rc7-syzkaller-00112-gc68f345b7c42 #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/21/2023
RIP: 0010:tcindex_set_parms+0x1a6a/0x2990 net/sched/cls_tcindex.c:509
Code: 01 e9 e9 fe ff ff 4c 8b bd 28 fe ff ff e8 0e 57 7d f9 48 8d bb
a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c
02 00 0f 85 94 0c 00 00 48 8b 85 f8 fd ff ff 48 8b 9b a8 00
RSP: 0018:ffffc90003d3ef88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000015 RSI: ffffffff8803a102 RDI: 00000000000000a8
RBP: ffffc90003d3f1d8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801e2b10a8
R13: dffffc0000000000 R14: 0000000000030000 R15: ffff888017b3be00
FS: 00005555569af300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056041c6d2000 CR3: 000000002bfca000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tcindex_change+0x1ea/0x320 net/sched/cls_tcindex.c:572
tc_new_tfilter+0x96e/0x2220 net/sched/cls_api.c:2155
rtnetlink_rcv_msg+0x959/0xca0 net/core/rtnetlink.c:6132
netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
____sys_sendmsg+0x334/0x8c0 net/socket.c:2476
___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
__sys_sendmmsg+0x18f/0x460 net/socket.c:2616
__do_sys_sendmmsg net/socket.c:2645 [inline]
__se_sys_sendmmsg net/socket.c:2642 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2642
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
Fixes: ee059170b1f7 ("net/sched: tcindex: update imperfect hash filters respecting rcu")
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/cls_tcindex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index 50bf7ec4b5b25..2c0c95204cb5a 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -502,7 +502,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
/* lookup the filter, guaranteed to exist */
for (cf = rcu_dereference_bh_rtnl(*fp); cf;
fp = &cf->next, cf = rcu_dereference_bh_rtnl(*fp))
- if (cf->key == handle)
+ if (cf->key == (u16)handle)
break;
f->next = cf->next;
--
2.39.0
next prev parent reply other threads:[~2023-02-20 13:56 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-20 13:36 [PATCH 5.10 00/57] 5.10.169-rc1 review Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 01/57] ASoC: Intel: sof_rt5682: always set dpcm_capture for amplifiers Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 02/57] selftests/bpf: Verify copy_register_state() preserves parent/live fields Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 03/57] ALSA: hda: Do not unset preset when cleaning up codec Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 04/57] ASoC: cs42l56: fix DT probe Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 05/57] tools/virtio: fix the vringh test for virtio ring changes Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 06/57] net/rose: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 07/57] net: stmmac: do not stop RX_CLK in Rx LPI state for qcs404 SoC Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 08/57] net: sched: sch: Bounds check priority Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 09/57] s390/decompressor: specify __decompress() buf len to avoid overflow Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 10/57] nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 11/57] platform/x86: touchscreen_dmi: Add Chuwi Vi8 (CWI501) DMI match Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 12/57] nvmem: core: add error handling for dev_set_name Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 13/57] nvmem: core: remove nvmem_config wp_gpio Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 14/57] nvmem: core: fix cleanup after dev_set_name() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 15/57] nvmem: core: fix registration vs use race Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 16/57] aio: fix mremap after fork null-deref Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 17/57] [PATCH v2 1/1] s390/signal: fix endless loop in do_signal Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 18/57] ovl: remove privs in ovl_copyfile() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 19/57] ovl: remove privs in ovl_fallocate() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 20/57] netfilter: nft_tproxy: restrict to prerouting hook Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 21/57] mmc: jz4740: Work around bug on JZ4760(B) Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 22/57] mmc: sdio: fix possible resource leaks in some error paths Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 23/57] mmc: mmc_spi: fix error handling in mmc_spi_probe() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 24/57] ALSA: hda/conexant: add a new hda codec SN6180 Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 25/57] ALSA: hda/realtek - fixed wrong gpio assigned Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 26/57] sched/psi: Fix use-after-free in ep_remove_wait_queue() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 27/57] hugetlb: check for undefined shift on 32 bit architectures Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 28/57] Revert "mm: Always release pages to the buddy allocator in memblock_free_late()." Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 29/57] net: Fix unwanted sign extension in netdev_stats_to_stats64() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 30/57] revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 31/57] ixgbe: allow to increase MTU to 3K with XDP enabled Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 32/57] i40e: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 33/57] net: bgmac: fix BCM5358 support by setting correct flags Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 34/57] sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 35/57] net/sched: tcindex: update imperfect hash filters respecting rcu Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 36/57] dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 37/57] net/usb: kalmia: Dont pass act_len in usb_bulk_msg error path Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 38/57] net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 39/57] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 40/57] bnxt_en: Fix mqprio and XDP ring checking logic Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 41/57] net: stmmac: Restrict warning on disabling DMA store and fwd mode Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 42/57] net: mpls: fix stale pointer if allocation fails during device rename Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 43/57] ixgbe: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 44/57] ipv6: Fix datagram socket connection with DSCP Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 45/57] ipv6: Fix tcp " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 46/57] nilfs2: fix underflow in second superblock position calculations Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 47/57] drm/i915/gen11: Moving WAs to icl_gt_workarounds_init() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 48/57] drm/i915/gen11: Wa_1408615072/Wa_1407596294 should be on GT list Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 49/57] flow_offload: fill flags to action structure Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 50/57] net/sched: act_ctinfo: use percpu stats Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 51/57] i40e: Add checking for null for nlmsg_find_attr() Greg Kroah-Hartman
2023-02-20 13:37 ` Greg Kroah-Hartman [this message]
2023-02-20 13:37 ` [PATCH 5.10 53/57] kvm: initialize all of the kvm_debugregs structure before sending it to userspace Greg Kroah-Hartman
2023-02-20 13:37 ` [PATCH 5.10 54/57] alarmtimer: Prevent starvation by small intervals and SIG_IGN Greg Kroah-Hartman
2023-02-20 13:37 ` [PATCH 5.10 55/57] ASoC: SOF: Intel: hda-dai: fix possible stream_tag leak Greg Kroah-Hartman
2023-02-20 13:37 ` [PATCH 5.10 56/57] net: sched: sch: Fix off by one in htb_activate_prios() Greg Kroah-Hartman
2023-02-20 13:37 ` [PATCH 5.10 57/57] nvmem: core: fix return value Greg Kroah-Hartman
2023-02-20 19:05 ` [PATCH 5.10 00/57] 5.10.169-rc1 review Pavel Machek
2023-02-21 8:03 ` Naresh Kamboju
2023-02-21 14:20 ` Jon Hunter
2023-02-21 14:58 ` Sudip Mukherjee (Codethink)
2023-02-21 16:21 ` Guenter Roeck
2023-02-21 19:54 ` Florian Fainelli
2023-02-21 23:50 ` Shuah Khan
2023-02-22 8:44 ` zhouzhixiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230220133551.182086931@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jhs@mojatatu.com \
--cc=patches@lists.linux.dev \
--cc=pctammela@mojatatu.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.