From: John Hurley
To: jiri@mellanox.com, davem@davemloft.net, xiyou.wangcong@gmail.com
Cc: netdev@vger.kernel.org, vladbu@mellanox.com, oss-drivers@netronome.com, John Hurley
Subject: [PATCH net 1/1] net: sched: fix cleanup NULL pointer exception in act_mirr
Date: Wed, 20 Mar 2019 18:12:25 +0000
Message-Id: <1553105545-12987-1-git-send-email-john.hurley@netronome.com>
X-Mailer: git-send-email 2.7.4
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

A new mirred action is created by the tcf_mirred_init function. This
contains a list head struct which is inserted into a global list on
successful creation of a new action.

However, after a creation, it is still possible to error out if the
egress device does not exist. This calls the act_mirr cleanup function
via __tcf_idr_release and __tcf_action_put. This cleanup function tries
to delete the list entry which is as yet uninitialised, leading to a
NULL pointer exception.

Fix this by taking a reference to the egress device, if one exists in
the params, prior to the creation of the action. This means we can
error out correctly on failure to get the device and removes the
incorrect error path from further down the function.

Bug report:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
PGD 8000000840c73067 P4D 8000000840c73067 PUD 858dcc067 PMD 0
Oops: 0002 [#1] SMP PTI
CPU: 32 PID: 5636 Comm: handler194 Tainted: G OE 5.0.0+ #186
Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.3.6 06/03/2015
RIP: 0010:tcf_mirred_release+0x42/0xa7 [act_mirred]
Code: f0 90 39 c0 e8 52 04 57 c8 48 c7 c7 b8 80 39 c0 e8 94 fa d4 c7 48 8b 93 d0 00 00 00 48 8b 83 d8 00 00 00 48 c7 c7 f0 90 39 c0 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 d0 00
RSP: 0018:ffffac4aa059f688 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff9dcd1b214d00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9dcd1fa165f8 RDI: ffffffffc03990f0
RBP: ffff9dccf9c7af80 R08: 0000000000000a3b R09: 0000000000000000
R10: ffff9dccfa11f420 R11: 0000000000000000 R12: 0000000000000001
R13: ffff9dcd16b433c0 R14: ffff9dcd1b214d80 R15: 0000000000000000
FS:  00007f441bfff700(0000) GS:ffff9dcd1fa00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000839e64004 CR4: 00000000001606e0
Call Trace:
 tcf_action_cleanup+0x59/0xca
 __tcf_action_put+0x54/0x6b
 __tcf_idr_release.cold.33+0x9/0x12
 tcf_mirred_init.cold.20+0x22e/0x3b0 [act_mirred]
 tcf_action_init_1+0x3d0/0x4c0
 tcf_action_init+0x9c/0x130
 tcf_exts_validate+0xab/0xc0
 fl_change+0x1ca/0x982 [cls_flower]
 tc_new_tfilter+0x647/0x8d0
 ? load_balance+0x14b/0x9e0
 rtnetlink_rcv_msg+0xe3/0x370
 ? __switch_to_asm+0x40/0x70
 ? __switch_to_asm+0x34/0x70
 ? _cond_resched+0x15/0x30
 ? __kmalloc_node_track_caller+0x1d4/0x2b0
 ? rtnl_calcit.isra.31+0xf0/0xf0
 netlink_rcv_skb+0x49/0x110
 netlink_unicast+0x16f/0x210
 netlink_sendmsg+0x1df/0x390
 sock_sendmsg+0x36/0x40
 ___sys_sendmsg+0x27b/0x2c0
 ? futex_wake+0x80/0x140
 ? do_futex+0x2b9/0xac0
 ? ep_scan_ready_list.constprop.22+0x1f2/0x210
 ? ep_poll+0x7a/0x430
 __sys_sendmsg+0x47/0x80
 do_syscall_64+0x55/0x100
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 4e232818bd32 ("net: sched: act_mirred: remove dependency on rtnl lock")
Signed-off-by: John Hurley
Reviewed-by: Jakub Kicinski
---
 net/sched/act_mirred.c | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c index 6692fd0..b26b9d8 100644 --- a/net/sched/act_mirred.c +++ b/net/sched/act_mirred.c @@ -140,21 +140,39 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla, return -EINVAL; } - if (!exists) { - if (!parm->ifindex) { - tcf_idr_cleanup(tn, parm->index); + if (parm->ifindex) { + dev = dev_get_by_index(net, parm->ifindex); + if (!dev) { + if (exists) + tcf_idr_release(*a, bind); + else + tcf_idr_cleanup(tn, parm->index); NL_SET_ERR_MSG_MOD(extack, "Specified device does not exist"); + return -ENODEV; + } + } else { + if (!exists) { + tcf_idr_cleanup(tn, parm->index); + NL_SET_ERR_MSG_MOD(extack, "No ifindex for new mirr action"); return -EINVAL; } + dev = NULL; + } + + if (!exists) { ret = tcf_idr_create(tn, parm->index, est, a, &act_mirred_ops, bind, true); if (ret) { tcf_idr_cleanup(tn, parm->index); + if (dev) + dev_put(dev); return ret; } ret = ACT_P_CREATED; } else if (!ovr) { tcf_idr_release(*a, bind); + if (dev) + dev_put(dev); return -EEXIST; } m = to_mirred(*a); @@ -163,13 +181,7 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla, m->tcf_action = parm->action; m->tcfm_eaction = parm->eaction; - if (parm->ifindex) { - dev = dev_get_by_index(net, parm->ifindex); - if (!dev) { - spin_unlock_bh(&m->tcf_lock); - tcf_idr_release(*a, bind); - return -ENODEV; - } + if (dev) { mac_header_xmit = dev_is_mac_header_xmit(dev); rcu_swap_protected(m->tcfm_dev, dev, lockdep_is_held(&m->tcf_lock)); -- 2.7.4
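Review bot: in the `@@ -140,21 +140,39 @@` hunk the cleanup of the early-taken device reference is repeated by hand on two error paths (`if (dev) dev_put(dev);` after the tcf_idr_create() failure and again before `return -EEXIST;`), and the `!dev` branch has to choose between tcf_idr_release() and tcf_idr_cleanup() on its own; a single error label that drops the device and then releases or cleans up the index would keep the reference from leaking if another early return is ever added between dev_get_by_index() and the hand-off to m->tcfm_dev. A one-line comment above the lookup saying that the reference is taken before tcf_idr_create() precisely so that tcf_idr_release() never runs on an action whose tcfm_list has not been initialised would also record the reason for the reordering in the code rather than only in the commit message.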
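Review bot: the `@@ -163,13 +181,7 @@` hunk replaces `if (parm->ifindex)` with `if (dev)` and drops the -ENODEV return that used to unlock tcf_lock and release the action; after `rcu_swap_protected(m->tcfm_dev, dev, ...)` the local `dev` holds the previous tcfm_dev (NULL for a freshly created action), so the dev_put() after the swap, which lies outside this hunk's context, is now what balances the reference obtained at the top of the function. Worth confirming that nothing between the swap and that dev_put() can return early, and that updating an existing action without an ifindex (dev == NULL from the first hunk) is intended to keep its current device, since `if (dev)` now skips the whole block in that case.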
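The oops above is consistent with the commit message: RDX is 0, the faulting instruction `48 89 42 08` is `mov %rax,0x8(%rdx)`, and CR2 is 8, which is exactly the `next->prev = prev` store of list_del() on a zero-filled struct list_head (prev lives at offset 8). The block below is an added user-space model of the ordering bug and of the patch's fix; it is not code from the kernel or from John Hurley's patch. The list, device and action types are constructed stand-ins for struct list_head, struct net_device and struct tcf_mirred, the device table is made up, and the model's list_del() checks for an uninitialised entry instead of crashing so the bad call can be counted. It shows the pre-patch order (allocate the action, then resolve the device, then run the release path on failure) hitting the uninitialised list head, and the patched order (resolve and hold the device first) failing cleanly with balanced reference counts.

```c
/* Added example, not part of the patch: a user-space model of the
 * tcf_mirred_init ordering bug.  All types and the device table are
 * constructed stand-ins; only the shape of the logic is kept. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Same layout as the kernel's struct list_head: next at offset 0, prev at 8. */
struct list_head { struct list_head *next, *prev; };

static void list_add(struct list_head *e, struct list_head *head)
{
    e->next = head->next;
    e->prev = head;
    head->next->prev = e;
    head->next = e;
}

/* The kernel's list_del() stores through e->next and e->prev unconditionally;
 * on a zeroed entry that is the NULL+8 write in the oops.  This model checks
 * first so the caller can observe the bad call instead of crashing. */
static int list_del_checked(struct list_head *e)
{
    if (!e->next || !e->prev)
        return -1;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = e->prev = NULL;
    return 0;
}

struct net_device { int ifindex; int refcnt; };
struct mirred_action { struct list_head list; struct net_device *dev; };

/* Constructed device table: ifindex 1 and 2 exist, anything else does not. */
static struct net_device devices[2] = { { 1, 0 }, { 2, 0 } };
static struct list_head mirred_list = { &mirred_list, &mirred_list };
static int list_del_on_uninit;   /* times release() saw an uninitialised list head */

static struct net_device *dev_get_by_index(int ifindex)
{
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++) {
        if (devices[i].ifindex == ifindex) {
            devices[i].refcnt++;          /* caller owns one reference */
            return &devices[i];
        }
    }
    return NULL;
}

static void dev_put(struct net_device *dev) { dev->refcnt--; }

/* Stand-in for tcf_mirred_release(): unlink the action and drop its device. */
static void mirred_release(struct mirred_action *m)
{
    if (list_del_checked(&m->list) < 0)
        list_del_on_uninit++;             /* the kernel oopsed here */
    if (m->dev)
        dev_put(m->dev);
    free(m);
}

/* Pre-patch order: create the action first, resolve the device afterwards.
 * On a bad ifindex the release path runs on an action whose list head was
 * never initialised or linked. */
static int mirred_init_before(int ifindex, struct mirred_action **out)
{
    struct mirred_action *m = calloc(1, sizeof *m);
    if (!m)
        return -ENOMEM;
    m->dev = dev_get_by_index(ifindex);
    if (!m->dev) {
        mirred_release(m);                /* list_del() on a zeroed list head */
        return -ENODEV;
    }
    list_add(&m->list, &mirred_list);
    *out = m;
    return 0;
}

/* Patched order: take the device reference first and fail early while there
 * is no action to clean up; allocate and link the action only afterwards. */
static int mirred_init_after(int ifindex, struct mirred_action **out)
{
    struct net_device *dev;
    struct mirred_action *m;

    if (!ifindex)
        return -EINVAL;                   /* "No ifindex for new mirr action" */
    dev = dev_get_by_index(ifindex);
    if (!dev)
        return -ENODEV;                   /* "Specified device does not exist" */
    m = calloc(1, sizeof *m);
    if (!m) {
        dev_put(dev);                     /* every error path drops the reference */
        return -ENOMEM;
    }
    m->dev = dev;
    list_add(&m->list, &mirred_list);
    *out = m;
    return 0;
}
```

The point to carry over to similar code is that every object reachable by the generic release path must be fully initialised before the first call that can trigger that path, or the prerequisites that can fail (here the device lookup) must be resolved before the object exists at all; the patch takes the second route, which also removes the duplicated error handling inside the locked region.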