From patchwork Tue Jul 31 18:43:02 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 143210
From: Amit Pundir
To: Greg KH, Nikolay Aleksandrov
Cc: "David S . Miller", Stable
Subject: [PATCH for-4.4.y 1/5] sch_htb: fix crash on init failure
Date: Wed, 1 Aug 2018 00:13:02 +0530
Message-Id: <1533062586-804-2-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1533062586-804-1-git-send-email-amit.pundir@linaro.org>
References: <1533062586-804-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Nikolay Aleksandrov

commit 88c2ace69dbef696edba77712882af03879abc9c upstream.

The commit below added a call to the ->destroy() callback for all qdiscs
which failed in their ->init(), but some were not prepared for such
change and can't handle partially initialized qdisc. HTB is one of them
and if any error occurs before the qdisc watchdog timer and qdisc work are
initialized then we can hit either a null ptr deref (timer->base) when
canceling in ->destroy or lockdep error info about trying to register
a non-static key and a stack dump. So to fix these two move the watchdog
timer and workqueue init before anything that can err out.
To reproduce userspace needs to send broken htb qdisc create request,
tested with a modified tc (q_htb.c).

Trace log:
[ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2710.897977] IP: hrtimer_active+0x17/0x8a
[ 2710.898174] PGD 58fab067
[ 2710.898175] P4D 58fab067
[ 2710.898353] PUD 586c0067
[ 2710.898531] PMD 0
[ 2710.898710]
[ 2710.899045] Oops: 0000 [#1] SMP
[ 2710.899232] Modules linked in:
[ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
[ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000
[ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
[ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246
[ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000
[ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298
[ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001
[ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000
[ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0
[ 2710.901907] FS: 00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
[ 2710.902277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0
[ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2710.903180] Call Trace:
[ 2710.903332] hrtimer_try_to_cancel+0x1a/0x93
[ 2710.903504] hrtimer_cancel+0x15/0x20
[ 2710.903667] qdisc_watchdog_cancel+0x12/0x14
[ 2710.903866] htb_destroy+0x2e/0xf7
[ 2710.904097] qdisc_create+0x377/0x3fd
[ 2710.904330] tc_modify_qdisc+0x4d2/0x4fd
[ 2710.904511] rtnetlink_rcv_msg+0x188/0x197
[ 2710.904682] ? rcu_read_unlock+0x3e/0x5f
[ 2710.904849] ? rtnl_newlink+0x729/0x729
[ 2710.905017] netlink_rcv_skb+0x6c/0xce
[ 2710.905183] rtnetlink_rcv+0x23/0x2a
[ 2710.905345] netlink_unicast+0x103/0x181
[ 2710.905511] netlink_sendmsg+0x326/0x337
[ 2710.905679] sock_sendmsg_nosec+0x14/0x3f
[ 2710.905847] sock_sendmsg+0x29/0x2e
[ 2710.906010] ___sys_sendmsg+0x209/0x28b
[ 2710.906176] ? do_raw_spin_unlock+0xcd/0xf8
[ 2710.906346] ? _raw_spin_unlock+0x27/0x31
[ 2710.906514] ? __handle_mm_fault+0x651/0xdb1
[ 2710.906685] ? check_chain_key+0xb0/0xfd
[ 2710.906855] __sys_sendmsg+0x45/0x63
[ 2710.907018] ? __sys_sendmsg+0x45/0x63
[ 2710.907185] SyS_sendmsg+0x19/0x1b
[ 2710.907344] entry_SYSCALL_64_fastpath+0x23/0xc2

Note that probably this bug goes further back because the default qdisc
handling always calls ->destroy on init failure too.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
[AmitP: Rebased for linux-4.4.y]
Signed-off-by: Amit Pundir
---
 net/sched/sch_htb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--
2.7.4

diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index 87b02ed3d5f2..daa01d5604c2 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c 
@@ -1025,6 +1025,9 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) int err; int i; + qdisc_watchdog_init(&q->watchdog, sch); + INIT_WORK(&q->work, htb_work_func); + if (!opt) return -EINVAL; @@ -1045,8 +1048,6 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) for (i = 0; i < TC_HTB_NUMPRIO; i++) INIT_LIST_HEAD(q->drops + i); - qdisc_watchdog_init(&q->watchdog, sch); - INIT_WORK(&q->work, htb_work_func); __skb_queue_head_init(&q->direct_queue); if (tb[TCA_HTB_DIRECT_QLEN])
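
Review bot: in the first hunk, the two init calls placed ahead of `if (!opt)` in htb_init() carry no comment saying that their position is required. The ordering is what keeps htb_destroy() safe when init returns early (the trace shows it reaching qdisc_watchdog_cancel), so a later cleanup could move them back below an error return without noticing. Suggest a one-line comment above `qdisc_watchdog_init(&q->watchdog, sch);` stating that the watchdog and work item must be initialized before any path that can fail, because ->destroy() runs on init failure.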
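
Review bot: in the second hunk, `__skb_queue_head_init(&q->direct_queue);` and the `INIT_LIST_HEAD(q->drops + i)` loop stay below the early error returns, so on the same failed-init path they are still uninitialized when htb_destroy() runs. Please confirm that htb_destroy() does not walk q->drops or purge q->direct_queue in a way that depends on these being set up, or move them up alongside the watchdog and work init so the whole structure is in a destroyable state before the first `return`.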