From patchwork Thu Aug 23 06:51:52 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 144888
From: Amit Pundir
To: Greg KH, Nikolay Aleksandrov
Cc: "David S . Miller", Stable
Subject: [PATCH v2 for-4.4.y 1/5] sch_htb: fix crash on init failure
Date: Thu, 23 Aug 2018 12:21:52 +0530
Message-Id: <1535007116-31801-2-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1535007116-31801-1-git-send-email-amit.pundir@linaro.org>
References: <1535007116-31801-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Nikolay Aleksandrov

commit 88c2ace69dbef696edba77712882af03879abc9c upstream.

The commit below added a call to the ->destroy() callback for all qdiscs
which failed in their ->init(), but some were not prepared for such
change and can't handle partially initialized qdisc. HTB is one of them
and if any error occurs before the qdisc watchdog timer and qdisc work are
initialized then we can hit either a null ptr deref (timer->base) when
canceling in ->destroy or lockdep error info about trying to register
a non-static key and a stack dump. So to fix these two move the watchdog
timer and workqueue init before anything that can err out.
To reproduce userspace needs to send broken htb qdisc create request,
tested with a modified tc (q_htb.c).

Trace log:
[ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2710.897977] IP: hrtimer_active+0x17/0x8a
[ 2710.898174] PGD 58fab067
[ 2710.898175] P4D 58fab067
[ 2710.898353] PUD 586c0067
[ 2710.898531] PMD 0
[ 2710.898710]
[ 2710.899045] Oops: 0000 [#1] SMP
[ 2710.899232] Modules linked in:
[ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
[ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000
[ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
[ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246
[ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000
[ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298
[ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001
[ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000
[ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0
[ 2710.901907] FS: 00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
[ 2710.902277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0
[ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2710.903180] Call Trace:
[ 2710.903332] hrtimer_try_to_cancel+0x1a/0x93
[ 2710.903504] hrtimer_cancel+0x15/0x20
[ 2710.903667] qdisc_watchdog_cancel+0x12/0x14
[ 2710.903866] htb_destroy+0x2e/0xf7
[ 2710.904097] qdisc_create+0x377/0x3fd
[ 2710.904330] tc_modify_qdisc+0x4d2/0x4fd
[ 2710.904511] rtnetlink_rcv_msg+0x188/0x197
[ 2710.904682] ? rcu_read_unlock+0x3e/0x5f
[ 2710.904849] ? rtnl_newlink+0x729/0x729
[ 2710.905017] netlink_rcv_skb+0x6c/0xce
[ 2710.905183] rtnetlink_rcv+0x23/0x2a
[ 2710.905345] netlink_unicast+0x103/0x181
[ 2710.905511] netlink_sendmsg+0x326/0x337
[ 2710.905679] sock_sendmsg_nosec+0x14/0x3f
[ 2710.905847] sock_sendmsg+0x29/0x2e
[ 2710.906010] ___sys_sendmsg+0x209/0x28b
[ 2710.906176] ? do_raw_spin_unlock+0xcd/0xf8
[ 2710.906346] ? _raw_spin_unlock+0x27/0x31
[ 2710.906514] ? __handle_mm_fault+0x651/0xdb1
[ 2710.906685] ? check_chain_key+0xb0/0xfd
[ 2710.906855] __sys_sendmsg+0x45/0x63
[ 2710.907018] ? __sys_sendmsg+0x45/0x63
[ 2710.907185] SyS_sendmsg+0x19/0x1b
[ 2710.907344] entry_SYSCALL_64_fastpath+0x23/0xc2

Note that probably this bug goes further back because the default qdisc
handling always calls ->destroy on init failure too.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
[AmitP: Rebased for linux-4.4.y]
Signed-off-by: Amit Pundir
---
 net/sched/sch_htb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--
2.7.4

diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index 87b02ed3d5f2..daa01d5604c2 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c
@@ -1025,6 +1025,9 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) int err; int i; + qdisc_watchdog_init(&q->watchdog, sch); + INIT_WORK(&q->work, htb_work_func); + if (!opt) return -EINVAL; @@ -1045,8 +1048,6 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) for (i = 0; i < TC_HTB_NUMPRIO; i++) INIT_LIST_HEAD(q->drops + i); - qdisc_watchdog_init(&q->watchdog, sch); - INIT_WORK(&q->work, htb_work_func); __skb_queue_head_init(&q->direct_queue); if (tb[TCA_HTB_DIRECT_QLEN])
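
Review bot: in the first hunk of htb_init(), the two init calls now sit above `if (!opt) return -EINVAL;` with nothing in the code saying why that position matters. The commit message explains that ->destroy() runs after a failed ->init() and cancels the watchdog and work, so a later cleanup that moves these calls back below an error return would bring back the NULL dereference in hrtimer_active shown in the trace. Suggest a one-line comment above `qdisc_watchdog_init(&q->watchdog, sch);` stating that it and INIT_WORK must precede every error return in this function.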
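
Review bot: in the second hunk, `__skb_queue_head_init(&q->direct_queue);` and the `INIT_LIST_HEAD(q->drops + i)` loop stay below the early error returns, so both are still uninitialised when htb_init() fails early and htb_destroy() then runs. Only the watchdog and the work item are covered by this move. Please state in the commit message that htb_destroy() tolerates an untouched direct_queue and drops lists on that path, or hoist these initialisers as well, since neither of them can fail.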