From patchwork Fri Mar 22 12:37:35 2019
X-Patchwork-Submitter: John Hurley
X-Patchwork-Id: 1061124
X-Patchwork-Delegate: davem@davemloft.net
From: John Hurley
To: jiri@mellanox.com, davem@davemloft.net, xiyou.wangcong@gmail.com
Cc: netdev@vger.kernel.org, vladbu@mellanox.com, oss-drivers@netronome.com, John Hurley
Subject: [PATCH net v2 1/1] net: sched: fix cleanup NULL pointer exception in act_mirr
Date: Fri, 22 Mar 2019 12:37:35 +0000
Message-Id: <1553258255-9230-1-git-send-email-john.hurley@netronome.com>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: netdev@vger.kernel.org

A new mirred action is created by the tcf_mirred_init function. This
contains a list head struct which is inserted into a global list on
successful creation of a new action. However, after a creation, it is
still possible to error out and call the tcf_idr_release function. This,
in turn, calls the act_mirr cleanup function via __tcf_idr_release and
__tcf_action_put. This cleanup function tries to delete the list entry
which is as yet uninitialised, leading to a NULL pointer exception.

Fix this by initialising the list entry on creation of a new action.

Bug report:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
PGD 8000000840c73067 P4D 8000000840c73067 PUD 858dcc067 PMD 0
Oops: 0002 [#1] SMP PTI
CPU: 32 PID: 5636 Comm: handler194 Tainted: G OE 5.0.0+ #186
Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.3.6 06/03/2015
RIP: 0010:tcf_mirred_release+0x42/0xa7 [act_mirred]
Code: f0 90 39 c0 e8 52 04 57 c8 48 c7 c7 b8 80 39 c0 e8 94 fa d4 c7 48 8b 93 d0 00 00 00 48 8b 83 d8 00 00 00 48 c7 c7 f0 90 39 c0 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 d0 00
RSP: 0018:ffffac4aa059f688 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff9dcd1b214d00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9dcd1fa165f8 RDI: ffffffffc03990f0
RBP: ffff9dccf9c7af80 R08: 0000000000000a3b R09: 0000000000000000
R10: ffff9dccfa11f420 R11: 0000000000000000 R12: 0000000000000001
R13: ffff9dcd16b433c0 R14: ffff9dcd1b214d80 R15: 0000000000000000
FS:  00007f441bfff700(0000) GS:ffff9dcd1fa00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000839e64004 CR4: 00000000001606e0
Call Trace:
 tcf_action_cleanup+0x59/0xca
 __tcf_action_put+0x54/0x6b
 __tcf_idr_release.cold.33+0x9/0x12
 tcf_mirred_init.cold.20+0x22e/0x3b0 [act_mirred]
 tcf_action_init_1+0x3d0/0x4c0
 tcf_action_init+0x9c/0x130
 tcf_exts_validate+0xab/0xc0
 fl_change+0x1ca/0x982 [cls_flower]
 tc_new_tfilter+0x647/0x8d0
 ? load_balance+0x14b/0x9e0
 rtnetlink_rcv_msg+0xe3/0x370
 ? __switch_to_asm+0x40/0x70
 ? __switch_to_asm+0x34/0x70
 ? _cond_resched+0x15/0x30
 ? __kmalloc_node_track_caller+0x1d4/0x2b0
 ? rtnl_calcit.isra.31+0xf0/0xf0
 netlink_rcv_skb+0x49/0x110
 netlink_unicast+0x16f/0x210
 netlink_sendmsg+0x1df/0x390
 sock_sendmsg+0x36/0x40
 ___sys_sendmsg+0x27b/0x2c0
 ? futex_wake+0x80/0x140
 ? do_futex+0x2b9/0xac0
 ? ep_scan_ready_list.constprop.22+0x1f2/0x210
 ? ep_poll+0x7a/0x430
 __sys_sendmsg+0x47/0x80
 do_syscall_64+0x55/0x100
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 4e232818bd32 ("net: sched: act_mirred: remove dependency on rtnl lock")
Signed-off-by: John Hurley
Reviewed-by: Jakub Kicinski
Acked-by: Cong Wang
---
 net/sched/act_mirred.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c index cd712e4..17cc6bd 100644 --- a/net/sched/act_mirred.c +++ b/net/sched/act_mirred.c @@ -159,12 +159,15 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla, tcf_idr_release(*a, bind); return -EEXIST; } + + m = to_mirred(*a); + if (ret == ACT_P_CREATED) + INIT_LIST_HEAD(&m->tcfm_list); + err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack); if (err < 0) goto release_idr; - m = to_mirred(*a); - spin_lock_bh(&m->tcf_lock); if (parm->ifindex) {
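Review bot: the `if (ret == ACT_P_CREATED)` guard around the new `INIT_LIST_HEAD(&m->tcfm_list)` is load-bearing and deserves a one-line comment in the hunk: on the bind/override path the action already exists and its `tcfm_list` is already linked into the global list, so re-initialising it unconditionally would silently unlink it and leave the global list pointing at a node that no longer points back. The placement is the other half of the fix and is worth stating in the commit message: the init now sits after the `return -EEXIST` exit and before the first `goto release_idr`, so the cleanup reached through `tcf_idr_release` always sees a self-linked head instead of the zeroed one. That matches the oops quoted above, where the faulting instruction `48 89 42 08` stores to [RDX+8] with RDX = 0 and CR2 = 0x8, i.e. `list_del` writing `next->prev` through a NULL `next` pointer. Hoisting `m = to_mirred(*a)` above `tcf_action_check_ctrlact` is safe since `*a` is valid once the `-EEXIST` check has passed; nothing in the visible lines uses `m` between the old and new positions.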
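To make the failure mechanism in the commit message concrete, here is an added userspace model (example code written for this page, not kernel code and not part of the patch) of deleting a zeroed list head before and after initialisation, plus why the ACT_P_CREATED guard matters. It assumes the kernel's two-pointer list_head layout and that the action is zero-filled on allocation, which the NULL values in the oops suggest; checked_list_del, mirred_action and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the kernel's struct list_head (assumed two-pointer layout;
 * this is not the kernel's own code). */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *l) { l->next = l; l->prev = l; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev;
    n->next = head; n->prev = prev; prev->next = n; head->prev = n;
}

/* The kernel's list_del writes next->prev and prev->next unconditionally.
 * On a zeroed list_head both pointers are NULL, so the first store would
 * fault at offset sizeof(void *) into address 0 (the 'prev' field of a NULL
 * 'next'), which is the 0x8 CR2 value in the oops. This model returns -1
 * instead of dereferencing NULL so the situation can be exercised. */
static int checked_list_del(struct list_head *e)
{
    if (e->next == NULL || e->prev == NULL)
        return -1;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = e->prev = NULL;  /* kernel uses LIST_POISON; NULL suffices here */
    return 0;
}

/* Hypothetical stand-in for the mirred action: zero-filled on allocation
 * (assumption), so tcfm_list starts as two NULL pointers. */
struct mirred_action {
    int ifindex;
    struct list_head tcfm_list;
};

static struct list_head mirred_list;  /* the global list in this model */

/* Before the fix: create, hit an error before tcfm_list is initialised,
 * then release; cleanup does list_del on the zeroed head. Returns -1. */
static int create_then_fail_before_fix(void)
{
    struct mirred_action m;
    memset(&m, 0, sizeof m);
    return checked_list_del(&m.tcfm_list);
}

/* After the fix: INIT_LIST_HEAD on the ACT_P_CREATED path makes the head
 * self-linked, so list_del on the never-inserted entry is harmless. Returns 0. */
static int create_then_fail_after_fix(void)
{
    struct mirred_action m;
    memset(&m, 0, sizeof m);
    init_list_head(&m.tcfm_list);
    return checked_list_del(&m.tcfm_list);
}

/* Why the ret == ACT_P_CREATED guard matters: re-initialising a head that is
 * already linked into the global list leaves the global list pointing at a
 * node that no longer points back. Returns 1 when that corruption occurred. */
static int reinit_existing_corrupts_list(void)
{
    struct mirred_action m;
    memset(&m, 0, sizeof m);
    init_list_head(&mirred_list);
    init_list_head(&m.tcfm_list);
    list_add_tail(&m.tcfm_list, &mirred_list);
    init_list_head(&m.tcfm_list);  /* what an unguarded init would do */
    return mirred_list.next == &m.tcfm_list && m.tcfm_list.next != &mirred_list;
}

/* Offset of the 'prev' field, the faulting address when 'next' is NULL. */
static size_t offset_of_prev(void) { return offsetof(struct list_head, prev); }

int main(void)
{
    printf("zeroed head, list_del: %d (would be a NULL deref)\n",
           create_then_fail_before_fix());
    printf("initialised head, list_del: %d\n", create_then_fail_after_fix());
    printf("unguarded re-init corrupts list: %d\n", reinit_existing_corrupts_list());
    printf("fault offset for NULL next: %zu\n", offset_of_prev());
    return 0;
}
```

The model only reproduces the list semantics that the fix relies on; in the kernel the equivalent of checked_list_del's NULL check does not exist, which is why the zeroed head oopses instead of returning an error.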