From: Cong Wang <xiyou.wangcong@gmail.com>
commit 8b142a00edcf8422ca48b8de88d286efb500cb53 upstream
At least sch_red and sch_tbf don't implement ->tcf_block() while still having a non-zero tc "class".

Instead of adding nop implementations to each such qdisc, we can just relax the check of cops->tcf_block() in tc_bind_tclass(). They don't support TC filters anyway.
Reported-by: syzbot+21b29db13c065852f64b@syzkaller.appspotmail.com
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
---
Notes:
* Syzkaller triggered a NULL pointer dereference with the following stacktrace:
  tc_bind_tclass+0x139/0x550 net/sched/sch_api.c:1697
  tc_ctl_tclass+0x9de/0xb30 net/sched/sch_api.c:1831
  rtnetlink_rcv_msg+0x545/0x1010 net/core/rtnetlink.c:4287
  netlink_rcv_skb+0x15e/0x3a0 net/netlink/af_netlink.c:2432
  rtnetlink_rcv+0x22/0x30 net/core/rtnetlink.c:4299
  netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
  netlink_unicast+0x4ac/0x6a0 net/netlink/af_netlink.c:1312
  netlink_sendmsg+0x943/0xec0 net/netlink/af_netlink.c:1877
  sock_sendmsg_nosec net/socket.c:646 [inline]
  sock_sendmsg+0xd5/0x110 net/socket.c:656
  ___sys_sendmsg+0x754/0x890 net/socket.c:2062
  __sys_sendmsg+0xd2/0x1f0 net/socket.c:2096
  C_SYSC_sendmsg net/compat.c:744 [inline]
  compat_SyS_sendmsg+0x2f/0x40 net/compat.c:742
  do_syscall_32_irqs_on arch/x86/entry/common.c:352 [inline]
  do_fast_syscall_32+0x3bb/0xdd1 arch/x86/entry/common.c:415
  entry_SYSENTER_compat+0x84/0x96 arch/x86/entry/entry_64_compat.S:139
* This commit is present in linux-4.19.y.
* Tests run: Chrome OS tryjobs, Syzkaller reproducer
 net/sched/sch_api.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 637949b576c63..296e95f72eb15 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -1695,6 +1695,8 @@ static void tc_bind_tclass(struct Qdisc *q, u32 portid, u32 clid, cl = cops->find(q, portid); if (!cl) return; + if (!cops->tcf_block) + return; block = cops->tcf_block(q, cl); if (!block) return;
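Review bot: the new `if (!cops->tcf_block) return;` sits after `cl = cops->find(q, portid);`, yet whether `cops->tcf_block` is NULL is a property of the qdisc's class ops and does not depend on the class that was found, so the check could be hoisted above the `find()` call and spare the lookup entirely on qdiscs such as sch_red and sch_tbf that never carry a filter block; the placement after `find()` is still correct, since the only thing the early return skips is the `cops->tcf_block(q, cl)` call that dereferenced NULL. A one-line comment on the new check, noting that classful qdiscs without TC filter support legitimately leave `tcf_block` unset, would save the next reader a trip to the commit log.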
On Thu, Oct 31, 2019 at 11:42:59AM -0700, Zubin Mithra wrote:
> From: Cong Wang <xiyou.wangcong@gmail.com>
>
> commit 8b142a00edcf8422ca48b8de88d286efb500cb53 upstream
>
> At least sch_red and sch_tbf don't implement ->tcf_block() while still having a non-zero tc "class".
>
> Instead of adding nop implementations to each such qdisc, we can just relax the check of cops->tcf_block() in tc_bind_tclass(). They don't support TC filters anyway.
>
> Reported-by: syzbot+21b29db13c065852f64b@syzkaller.appspotmail.com
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Cc: Jiri Pirko <jiri@resnulli.us>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Zubin Mithra <zsm@chromium.org>
> ---
> Notes:
> - Syzkaller triggered a NULL pointer dereference with the following stacktrace:
>   tc_bind_tclass+0x139/0x550 net/sched/sch_api.c:1697
>   tc_ctl_tclass+0x9de/0xb30 net/sched/sch_api.c:1831
>   rtnetlink_rcv_msg+0x545/0x1010 net/core/rtnetlink.c:4287
>   netlink_rcv_skb+0x15e/0x3a0 net/netlink/af_netlink.c:2432
>   rtnetlink_rcv+0x22/0x30 net/core/rtnetlink.c:4299
>   netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
>   netlink_unicast+0x4ac/0x6a0 net/netlink/af_netlink.c:1312
>   netlink_sendmsg+0x943/0xec0 net/netlink/af_netlink.c:1877
>   sock_sendmsg_nosec net/socket.c:646 [inline]
>   sock_sendmsg+0xd5/0x110 net/socket.c:656
>   ___sys_sendmsg+0x754/0x890 net/socket.c:2062
>   __sys_sendmsg+0xd2/0x1f0 net/socket.c:2096
>   C_SYSC_sendmsg net/compat.c:744 [inline]
>   compat_SyS_sendmsg+0x2f/0x40 net/compat.c:742
>   do_syscall_32_irqs_on arch/x86/entry/common.c:352 [inline]
>   do_fast_syscall_32+0x3bb/0xdd1 arch/x86/entry/common.c:415
>   entry_SYSENTER_compat+0x84/0x96 arch/x86/entry/entry_64_compat.S:139
> - This commit is present in linux-4.19.y.
> - Tests run: Chrome OS tryjobs, Syzkaller reproducer
Queued up for 4.14, thank you.
linux-stable-mirror@lists.linaro.org