linux

mirror of https://github.com/torvalds/linux.git synced 2026-06-07 22:14:04 +02:00

Linux kernel source tree

Go to file

Pavel Tikhomirov cdcf3829f4 net: sched: sch_teql: fix null-pointer dereference commit `1ffbc7ea91` upstream. Reproduce: modprobe sch_teql tc qdisc add dev teql0 root teql0 This leads to (for instance in Centos 7 VM) OOPS: [ 532.366633] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8 [ 532.366733] IP: [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql] [ 532.366825] PGD 80000001376d5067 PUD 137e37067 PMD 0 [ 532.366906] Oops: 0000 [#1] SMP [ 532.366987] Modules linked in: sch_teql ... [ 532.367945] CPU: 1 PID: 3026 Comm: tc Kdump: loaded Tainted: G ------------ T 3.10.0-1062.7.1.el7.x86_64 #1 [ 532.368041] Hardware name: Virtuozzo KVM, BIOS 1.11.0-2.vz7.2 04/01/2014 [ 532.368125] task: ffff8b7d37d31070 ti: ffff8b7c9fdbc000 task.ti: ffff8b7c9fdbc000 [ 532.368224] RIP: 0010:[<ffffffffc06124a8>] [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql] [ 532.368320] RSP: 0018:ffff8b7c9fdbf8e0 EFLAGS: 00010286 [ 532.368394] RAX: ffffffffc0612490 RBX: ffff8b7cb1565e00 RCX: ffff8b7d35ba2000 [ 532.368476] RDX: ffff8b7d35ba2000 RSI: 0000000000000000 RDI: ffff8b7cb1565e00 [ 532.368557] RBP: ffff8b7c9fdbf8f8 R08: ffff8b7d3fd1f140 R09: ffff8b7d3b001600 [ 532.368638] R10: ffff8b7d3b001600 R11: ffffffff84c7d65b R12: 00000000ffffffd8 [ 532.368719] R13: 0000000000008000 R14: ffff8b7d35ba2000 R15: ffff8b7c9fdbf9a8 [ 532.368800] FS: 00007f6a4e872740(0000) GS:ffff8b7d3fd00000(0000) knlGS:0000000000000000 [ 532.368885] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 532.368961] CR2: 00000000000000a8 CR3: 00000001396ee000 CR4: 00000000000206e0 [ 532.369046] Call Trace: [ 532.369159] [<ffffffff84c8192e>] qdisc_create+0x36e/0x450 [ 532.369268] [<ffffffff846a9b49>] ? ns_capable+0x29/0x50 [ 532.369366] [<ffffffff849afde2>] ? nla_parse+0x32/0x120 [ 532.369442] [<ffffffff84c81b4c>] tc_modify_qdisc+0x13c/0x610 [ 532.371508] [<ffffffff84c693e7>] rtnetlink_rcv_msg+0xa7/0x260 [ 532.372668] [<ffffffff84907b65>] ? sock_has_perm+0x75/0x90 [ 532.373790] [<ffffffff84c69340>] ? rtnl_newlink+0x890/0x890 [ 532.374914] [<ffffffff84c8da7b>] netlink_rcv_skb+0xab/0xc0 [ 532.376055] [<ffffffff84c63708>] rtnetlink_rcv+0x28/0x30 [ 532.377204] [<ffffffff84c8d400>] netlink_unicast+0x170/0x210 [ 532.378333] [<ffffffff84c8d7a8>] netlink_sendmsg+0x308/0x420 [ 532.379465] [<ffffffff84c2f3a6>] sock_sendmsg+0xb6/0xf0 [ 532.380710] [<ffffffffc034a56e>] ? __xfs_filemap_fault+0x8e/0x1d0 [xfs] [ 532.381868] [<ffffffffc034a75c>] ? xfs_filemap_fault+0x2c/0x30 [xfs] [ 532.383037] [<ffffffff847ec23a>] ? __do_fault.isra.61+0x8a/0x100 [ 532.384144] [<ffffffff84c30269>] ___sys_sendmsg+0x3e9/0x400 [ 532.385268] [<ffffffff847f3fad>] ? handle_mm_fault+0x39d/0x9b0 [ 532.386387] [<ffffffff84d88678>] ? __do_page_fault+0x238/0x500 [ 532.387472] [<ffffffff84c31921>] __sys_sendmsg+0x51/0x90 [ 532.388560] [<ffffffff84c31972>] SyS_sendmsg+0x12/0x20 [ 532.389636] [<ffffffff84d8dede>] system_call_fastpath+0x25/0x2a [ 532.390704] [<ffffffff84d8de21>] ? system_call_after_swapgs+0xae/0x146 [ 532.391753] Code: 00 00 00 00 00 00 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 55 41 54 53 48 8b b7 48 01 00 00 48 89 fb <48> 8b 8e a8 00 00 00 48 85 c9 74 43 48 89 ca eb 0f 0f 1f 80 00 [ 532.394036] RIP [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql] [ 532.395127] RSP <ffff8b7c9fdbf8e0> [ 532.396179] CR2: 00000000000000a8 Null pointer dereference happens on master->slaves dereference in teql_destroy() as master is null-pointer. When qdisc_create() calls teql_qdisc_init() it imediately fails after check "if (m->dev == dev)" because both devices are teql0, and it does not set qdisc_priv(sch)->m leaving it zero on error path, then qdisc_create() imediately calls teql_destroy() which does not expect zero master pointer and we get OOPS. Fixes: `87b60cfacf` ("net_sched: fix error recovery at qdisc creation") Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2021-04-14 08:42:02 +02:00
arch	ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin	2021-04-14 08:41:59 +02:00
block	block: recalculate segment count for multi-segment discards correctly	2021-03-30 14:32:06 +02:00
certs	certs: Fix blacklist flag type confusion	2021-03-04 11:37:59 +01:00
crypto	crypto: mips/poly1305 - enable for all MIPS processors	2021-03-17 17:06:10 +01:00
Documentation	KVM: x86: Protect userspace MSR filter with SRCU, and set atomically-ish	2021-03-30 14:31:53 +02:00
drivers	vdpa/mlx5: Fix suspend/resume index restoration	2021-04-14 08:42:01 +02:00
fs	fs: direct-io: fix missing sdio->boundary	2021-04-14 08:41:58 +02:00
include	net: ensure mac header is set in virtio_net_hdr_to_skb()	2021-04-14 08:42:01 +02:00
init	init/Kconfig: make COMPILE_TEST depend on HAS_IOMEM	2021-04-10 13:36:11 +02:00
ipc	ipc: adjust proc_ipc_sem_dointvec definition to match prototype	2020-09-05 12:14:29 -07:00
kernel	bpf: Refcount task stack in bpf_get_task_stack	2021-04-14 08:42:01 +02:00
lib	math: Export mul_u64_u64_div_u64	2021-04-10 13:36:10 +02:00
LICENSES	LICENSES/deprecated: add Zlib license text	2020-09-16 14:33:49 +02:00
mm	mm: fix race by making init_zero_pfn() early_initcall	2021-04-07 15:00:10 +02:00
net	net: sched: sch_teql: fix null-pointer dereference	2021-04-14 08:42:02 +02:00
samples	samples, bpf: Add missing munmap in xdpsock	2021-03-17 17:06:12 +01:00
scripts	kbuild: dummy-tools: fix inverted tests for gcc	2021-03-30 14:31:50 +02:00
security	selinux: fix race between old and new sidtab	2021-04-14 08:41:57 +02:00
sound	ASoC: intel: atom: Stop advertising non working S24LE support	2021-04-14 08:41:56 +02:00
tools	libbpf: Only create rx and tx XDP rings when necessary	2021-04-14 08:42:01 +02:00
usr	Merge branch 'work.fdpic' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2020-08-07 13:29:39 -07:00
virt	KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped()	2021-02-26 10:13:01 +01:00
.clang-format	RDMA 5.10 pull request	2020-10-17 11:18:18 -07:00
.cocciconfig
.get_maintainer.ignore	Opt out of scripts/get_maintainer.pl	2019-05-16 10:53:40 -07:00
.gitattributes	.gitattributes: use 'dts' diff driver for dts files	2019-12-04 19:44:11 -08:00
.gitignore	.gitignore: docs: ignore sphinx_*/ directories	2020-09-10 10:44:31 -06:00
.mailmap	mailmap: add two more addresses of Uwe Kleine-König	2020-12-06 10:19:07 -08:00
COPYING	COPYING: state that all contributions really are covered by this file	2020-02-10 13:32:20 -08:00
CREDITS	MAINTAINERS: Move Jason Cooper to CREDITS	2020-11-30 10:20:34 +01:00
Kbuild	kbuild: rename hostprogs-y/always to hostprogs/always-y	2020-02-04 01:53:07 +09:00
Kconfig	kbuild: ensure full rebuild when the compiler is updated	2020-05-12 13:28:33 +09:00
MAINTAINERS	MAINTAINERS: move the staging subsystem to lists.linux.dev	2021-03-25 09:04:18 +01:00
Makefile	Linux 5.10.29	2021-04-10 13:36:11 +02:00
README	Drop all 00-INDEX files from Documentation/	2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.