leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
e89d469e3b
linux/net/sched
History
Nikolay Aleksandrov e89d469e3b sch_multiq: fix double free on init failure 
The below commit added a call to ->destroy() on init failure, but multiq
still frees ->queues on error in init, but ->queues is also freed by
->destroy() thus we get double free and corrupted memory.

Very easy to reproduce (eth0 not multiqueue):
$ tc qdisc add dev eth0 root multiq
RTNETLINK answers: Operation not supported
$ ip l add dumdum type dummy
(crash)

Trace log:
[ 3929.467747] general protection fault: 0000 [#1] SMP
[ 3929.468083] Modules linked in:
[ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56
[ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000
[ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be
[ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246
[ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df
[ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020
[ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000
[ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564
[ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00
[ 3929.471869] FS:  00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[ 3929.472286] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0
[ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3929.474873] Call Trace:
[ 3929.475337]  ? kstrdup_const+0x23/0x25
[ 3929.475863]  kstrdup+0x2e/0x4b
[ 3929.476338]  kstrdup_const+0x23/0x25
[ 3929.478084]  __kernfs_new_node+0x28/0xbc
[ 3929.478478]  kernfs_new_node+0x35/0x55
[ 3929.478929]  kernfs_create_link+0x23/0x76
[ 3929.479478]  sysfs_do_create_link_sd.isra.2+0x85/0xd7
[ 3929.480096]  sysfs_create_link+0x33/0x35
[ 3929.480649]  device_add+0x200/0x589
[ 3929.481184]  netdev_register_kobject+0x7c/0x12f
[ 3929.481711]  register_netdevice+0x373/0x471
[ 3929.482174]  rtnl_newlink+0x614/0x729
[ 3929.482610]  ? rtnl_newlink+0x17f/0x729
[ 3929.483080]  rtnetlink_rcv_msg+0x188/0x197
[ 3929.483533]  ? rcu_read_unlock+0x3e/0x5f
[ 3929.483984]  ? rtnl_newlink+0x729/0x729
[ 3929.484420]  netlink_rcv_skb+0x6c/0xce
[ 3929.484858]  rtnetlink_rcv+0x23/0x2a
[ 3929.485291]  netlink_unicast+0x103/0x181
[ 3929.485735]  netlink_sendmsg+0x326/0x337
[ 3929.486181]  sock_sendmsg_nosec+0x14/0x3f
[ 3929.486614]  sock_sendmsg+0x29/0x2e
[ 3929.486973]  ___sys_sendmsg+0x209/0x28b
[ 3929.487340]  ? do_raw_spin_unlock+0xcd/0xf8
[ 3929.487719]  ? _raw_spin_unlock+0x27/0x31
[ 3929.488092]  ? __handle_mm_fault+0x651/0xdb1
[ 3929.488471]  ? check_chain_key+0xb0/0xfd
[ 3929.488847]  __sys_sendmsg+0x45/0x63
[ 3929.489206]  ? __sys_sendmsg+0x45/0x63
[ 3929.489576]  SyS_sendmsg+0x19/0x1b
[ 3929.489901]  entry_SYSCALL_64_fastpath+0x23/0xc2
[ 3929.490172] RIP: 0033:0x7f0b6fb93690
[ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690
[ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003
[ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000
[ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002
[ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000
[ 3929.492352]  ? trace_hardirqs_off_caller+0xa7/0xcf
[ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44
89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d
8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01
[ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0

Fixes: 87b60cfacf ("net_sched: fix error recovery at qdisc creation")
Fixes: f07d150129 ("multiq: Further multiqueue cleanup")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-30 15:26:11 -07:00
..
act_api.c net sched actions: rename act_get_notify() to tcf_get_notify() 2017-07-14 08:52:33 -07:00
act_bpf.c bpf: expose prog id for cls_bpf and act_bpf 2017-06-21 15:14:23 -04:00
act_connmark.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
act_csum.c net: use skb->csum_not_inet to identify packets needing crc32c 2017-05-19 19:21:29 -04:00
act_gact.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
act_ife.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
act_ipt.c net: sched: fix NULL pointer dereference when action calls some targets 2017-08-18 16:25:49 -07:00
act_meta_mark.c Support to encoding decoding skb mark on IFE action 2016-03-01 17:15:23 -05:00
act_meta_skbprio.c Support to encoding decoding skb prio on IFE action 2016-03-01 17:15:23 -05:00
act_meta_skbtcindex.c net sched ife action: Introduce skb tcindex metadata encap decap 2016-09-19 21:55:28 -04:00
act_mirred.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
act_nat.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
act_pedit.c net/act_pedit: fix an error code 2017-06-14 15:24:18 -04:00
act_police.c net_sched: move tcf_lock down after gen_replace_estimator() 2017-06-14 14:39:19 -04:00
act_sample.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
act_simple.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
act_skbedit.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
act_skbmod.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
act_tunnel_key.c net: sched: act_tunnel_key: make UDP checksum configurable 2017-06-15 14:21:03 -04:00
act_vlan.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
cls_api.c net: sched: don't do tcf_chain_flush from tcf_chain_destroy 2017-08-22 14:39:58 -07:00
cls_basic.c net_sched: move the empty tp check from ->destroy() to ->delete() 2017-04-21 13:58:15 -04:00
cls_bpf.c bpf: expose prog id for cls_bpf and act_bpf 2017-06-21 15:14:23 -04:00
cls_cgroup.c net_sched: move the empty tp check from ->destroy() to ->delete() 2017-04-21 13:58:15 -04:00
cls_flow.c net_sched: move the empty tp check from ->destroy() to ->delete() 2017-04-21 13:58:15 -04:00
cls_flower.c net: propagate tc filter chain index down the ndo_setup_tc call 2017-06-08 09:55:53 -04:00
cls_fw.c net_sched: remove useless NULL to tp->root 2017-04-21 13:58:15 -04:00
cls_matchall.c net: propagate tc filter chain index down the ndo_setup_tc call 2017-06-08 09:55:53 -04:00
cls_route.c net_sched: remove useless NULL to tp->root 2017-04-21 13:58:15 -04:00
cls_rsvp6.c
cls_rsvp.c
cls_rsvp.h net_sched: remove useless NULL to tp->root 2017-04-21 13:58:15 -04:00
cls_tcindex.c net_sched: move the empty tp check from ->destroy() to ->delete() 2017-04-21 13:58:15 -04:00
cls_u32.c net: propagate tc filter chain index down the ndo_setup_tc call 2017-06-08 09:55:53 -04:00
em_canid.c
em_cmp.c
em_ipset.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
em_meta.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
em_nbyte.c
em_text.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
em_u32.c
ematch.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
Kconfig net: sched: select cls when cls_act is enabled 2017-06-05 10:56:36 -04:00
Makefile net/sched: Introduce sample tc action 2017-01-24 13:44:28 -05:00
sch_api.c net_sched: fix a refcount_t issue with noop_qdisc 2017-08-24 21:28:24 -07:00
sch_atm.c net_sched: reset pointers to tcf blocks in classful qdiscs' destructors 2017-08-15 17:16:39 -07:00
sch_blackhole.c net_sched: drop packets after root qdisc lock is released 2016-06-25 12:19:35 -04:00
sch_cbq.c net_sched: reset pointers to tcf blocks in classful qdiscs' destructors 2017-08-15 17:16:39 -07:00
sch_choke.c treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
sch_codel.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_drr.c net: sched: introduce a TRAP control action 2017-06-06 12:45:23 -04:00
sch_dsmark.c net: sched: introduce a TRAP control action 2017-06-06 12:45:23 -04:00
sch_fifo.c sched: don't use skb queue helpers 2016-09-19 01:47:18 -04:00
sch_fq_codel.c net: sched: introduce a TRAP control action 2017-06-06 12:45:23 -04:00
sch_fq.c mm, tree wide: replace __GFP_REPEAT by __GFP_RETRY_MAYFAIL with more useful semantic 2017-07-12 16:26:03 -07:00
sch_generic.c net_sched: fix a refcount_t issue with noop_qdisc 2017-08-24 21:28:24 -07:00
sch_gred.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_hfsc.c net_sched: reset pointers to tcf blocks in classful qdiscs' destructors 2017-08-15 17:16:39 -07:00
sch_hhf.c treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
sch_htb.c sch_htb: fix crash on init failure 2017-08-30 15:26:11 -07:00
sch_ingress.c net: sched: introduce tcf block infractructure 2017-05-17 15:22:13 -04:00
sch_mq.c net: sched: make default fifo qdiscs appear in the dump 2017-03-12 22:53:02 -07:00
sch_mqprio.c net: propagate tc filter chain index down the ndo_setup_tc call 2017-06-08 09:55:53 -04:00
sch_multiq.c sch_multiq: fix double free on init failure 2017-08-30 15:26:11 -07:00
sch_netem.c treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
sch_pie.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_plug.c net_sched: drop packets after root qdisc lock is released 2016-06-25 12:19:35 -04:00
sch_prio.c net: sched: introduce a TRAP control action 2017-06-06 12:45:23 -04:00
sch_qfq.c net: sched: introduce a TRAP control action 2017-06-06 12:45:23 -04:00
sch_red.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_sfb.c net: sched: introduce a TRAP control action 2017-06-06 12:45:23 -04:00
sch_sfq.c net_sched/sfq: update hierarchical backlog when drop packet 2017-08-15 17:16:39 -07:00
sch_tbf.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_teql.c net: make ndo_get_stats64 a void function 2017-01-08 17:51:44 -05:00