From patchwork Tue Jul 31 18:40:01 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 143204
From: Amit Pundir
To: Greg KH, Nikolay Aleksandrov
Cc: "David S . Miller", Stable
Subject: [PATCH for-4.9.y 1/5] sch_htb: fix crash on init failure
Date: Wed, 1 Aug 2018 00:10:01 +0530
Message-Id: <1533062405-32524-2-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1533062405-32524-1-git-send-email-amit.pundir@linaro.org>
References: <1533062405-32524-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Nikolay Aleksandrov

commit 88c2ace69dbef696edba77712882af03879abc9c upstream.

The commit below added a call to the ->destroy() callback for all qdiscs
which failed in their ->init(), but some were not prepared for such
change and can't handle partially initialized qdisc. HTB is one of them
and if any error occurs before the qdisc watchdog timer and qdisc work are
initialized then we can hit either a null ptr deref (timer->base) when
canceling in ->destroy or lockdep error info about trying to register
a non-static key and a stack dump. So to fix these two move the watchdog
timer and workqueue init before anything that can err out.

To reproduce userspace needs to send broken htb qdisc create request,
tested with a modified tc (q_htb.c).

Trace log:
[ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2710.897977] IP: hrtimer_active+0x17/0x8a
[ 2710.898174] PGD 58fab067
[ 2710.898175] P4D 58fab067
[ 2710.898353] PUD 586c0067
[ 2710.898531] PMD 0
[ 2710.898710]
[ 2710.899045] Oops: 0000 [#1] SMP
[ 2710.899232] Modules linked in:
[ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
[ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000
[ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
[ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246
[ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000
[ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298
[ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001
[ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000
[ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0
[ 2710.901907] FS: 00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
[ 2710.902277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0
[ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2710.903180] Call Trace:
[ 2710.903332] hrtimer_try_to_cancel+0x1a/0x93
[ 2710.903504] hrtimer_cancel+0x15/0x20
[ 2710.903667] qdisc_watchdog_cancel+0x12/0x14
[ 2710.903866] htb_destroy+0x2e/0xf7
[ 2710.904097] qdisc_create+0x377/0x3fd
[ 2710.904330] tc_modify_qdisc+0x4d2/0x4fd
[ 2710.904511] rtnetlink_rcv_msg+0x188/0x197
[ 2710.904682] ? rcu_read_unlock+0x3e/0x5f
[ 2710.904849] ? rtnl_newlink+0x729/0x729
[ 2710.905017] netlink_rcv_skb+0x6c/0xce
[ 2710.905183] rtnetlink_rcv+0x23/0x2a
[ 2710.905345] netlink_unicast+0x103/0x181
[ 2710.905511] netlink_sendmsg+0x326/0x337
[ 2710.905679] sock_sendmsg_nosec+0x14/0x3f
[ 2710.905847] sock_sendmsg+0x29/0x2e
[ 2710.906010] ___sys_sendmsg+0x209/0x28b
[ 2710.906176] ? do_raw_spin_unlock+0xcd/0xf8
[ 2710.906346] ? _raw_spin_unlock+0x27/0x31
[ 2710.906514] ? __handle_mm_fault+0x651/0xdb1
[ 2710.906685] ? check_chain_key+0xb0/0xfd
[ 2710.906855] __sys_sendmsg+0x45/0x63
[ 2710.907018] ? __sys_sendmsg+0x45/0x63
[ 2710.907185] SyS_sendmsg+0x19/0x1b
[ 2710.907344] entry_SYSCALL_64_fastpath+0x23/0xc2

Note that probably this bug goes further back because the default qdisc
handling always calls ->destroy on init failure too.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
Signed-off-by: Amit Pundir
---
 net/sched/sch_htb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--
2.7.4

diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index c798d0de8a9d..95fe75d441eb 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c 
@@ -1013,6 +1013,9 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) int err; int i; + qdisc_watchdog_init(&q->watchdog, sch); + INIT_WORK(&q->work, htb_work_func); + if (!opt) return -EINVAL; @@ -1033,8 +1036,6 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) for (i = 0; i < TC_HTB_NUMPRIO; i++) INIT_LIST_HEAD(q->drops + i); - qdisc_watchdog_init(&q->watchdog, sch); - INIT_WORK(&q->work, htb_work_func); qdisc_skb_head_init(&q->direct_queue); if (tb[TCA_HTB_DIRECT_QLEN])
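
Review bot: The ordering requirement created by the first hunk (the two lines added ahead of `if (!opt)` in htb_init()) is not documented in the code, so a later cleanup could move `qdisc_watchdog_init(&q->watchdog, sch);` and `INIT_WORK(&q->work, htb_work_func);` back below an error return and bring back the NULL dereference shown in the trace. A short comment above them would help, saying that ->destroy() is called when ->init() fails and that, per the changelog, it touches the watchdog timer and the work item, so both must be set up before any path that can return an error.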
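
Review bot: After the removal in the second hunk, `INIT_LIST_HEAD(q->drops + i)` and `qdisc_skb_head_init(&q->direct_queue)` still run only after the early returns such as `if (!opt) return -EINVAL;`, so htb_destroy() can still be entered with both uninitialised. The changelog names only the watchdog timer and the work item as problems; please confirm, ideally in the changelog, that htb_destroy() does not depend on q->drops or q->direct_queue having been initialised, or move those initialisations up alongside the other two.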