[net,v2] net_sched: let qdisc_put() accept NULL pointer

Message ID	20190912172230.9635-1-xiyou.wangcong@gmail.com
State	Accepted
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Cong Wang <xiyou.wangcong@gmail.com> To: netdev@vger.kernel.org Cc: Cong Wang <xiyou.wangcong@gmail.com>, syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com, Linus Torvalds <torvalds@linux-foundation.org>, Jamal Hadi Salim <jhs@mojatatu.com>, Jiri Pirko <jiri@resnulli.us> Subject: [Patch net v2] net_sched: let qdisc_put() accept NULL pointer Date: Thu, 12 Sep 2019 10:22:30 -0700 Message-Id: <20190912172230.9635-1-xiyou.wangcong@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	[net,v2] net_sched: let qdisc_put() accept NULL pointer \| expand [net,v2] net_sched: let qdisc_put() accept NULL pointer

Message ID

20190912172230.9635-1-xiyou.wangcong@gmail.com

State

Accepted

Delegated to:

David Miller

Headers

From: Cong Wang <xiyou.wangcong@gmail.com>
To: netdev@vger.kernel.org
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
	syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Jamal Hadi Salim <jhs@mojatatu.com>, Jiri Pirko <jiri@resnulli.us>
Subject: [Patch net v2] net_sched: let qdisc_put() accept NULL pointer
Date: Thu, 12 Sep 2019 10:22:30 -0700
Message-Id: <20190912172230.9635-1-xiyou.wangcong@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

[net,v2] net_sched: let qdisc_put() accept NULL pointer | expand

Commit Message

Cong Wang Sept. 12, 2019, 5:22 p.m. UTC

When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL
pointer which leads to a crash in sfb_destroy(). Similar for
sch_dsmark.

Instead of fixing each separately, Linus suggested to just accept
NULL pointer in qdisc_put(), which would make callers easier.

(For sch_dsmark, the bug probably exists long before commit
6529eaba33f0.)

Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
Reported-by: syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 net/sched/sch_generic.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Jiri Pirko Sept. 12, 2019, 8:30 p.m. UTC | #1

Thu, Sep 12, 2019 at 07:22:30PM CEST, xiyou.wangcong@gmail.com wrote:
>When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL
>pointer which leads to a crash in sfb_destroy(). Similar for
>sch_dsmark.
>
>Instead of fixing each separately, Linus suggested to just accept
>NULL pointer in qdisc_put(), which would make callers easier.
>
>(For sch_dsmark, the bug probably exists long before commit
>6529eaba33f0.)
>
>Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
>Reported-by: syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com
>Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
>Cc: Jamal Hadi Salim <jhs@mojatatu.com>
>Cc: Jiri Pirko <jiri@resnulli.us>
>Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Acked-by: Jiri Pirko <jiri@mellanox.com>

Thanks!

David Miller Sept. 15, 2019, 6:55 p.m. UTC | #2

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Thu, 12 Sep 2019 10:22:30 -0700

> When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL
> pointer which leads to a crash in sfb_destroy(). Similar for
> sch_dsmark.
> 
> Instead of fixing each separately, Linus suggested to just accept
> NULL pointer in qdisc_put(), which would make callers easier.
> 
> (For sch_dsmark, the bug probably exists long before commit
> 6529eaba33f0.)
> 
> Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
> Reported-by: syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Applied and queued up for -stable, thanks.

diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index ac28f6a5d70e..17bd8f539bc7 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -985,6 +985,9 @@  static void qdisc_destroy(struct Qdisc *qdisc)
 
 void qdisc_put(struct Qdisc *qdisc)
 {
+	if (!qdisc)
+		return;
+
 	if (qdisc->flags & TCQ_F_BUILTIN ||
 	    !refcount_dec_and_test(&qdisc->refcnt))
 		return;