From patchwork Thu Aug 23 06:50:37 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 144882 Delivered-To: patch@linaro.org Received: by 2002:a2e:164a:0:0:0:0:0 with SMTP id 10-v6csp756874ljw; Wed, 22 Aug 2018 23:50:51 -0700 (PDT) X-Google-Smtp-Source: AA+uWPz80hoHKHmuqXog9/JPVwF72tyJoITs/E/6erWJ1LK2JwBaxDHjU0nZz2COXQBg/9NtEySG X-Received: by 2002:a63:1d22:: with SMTP id d34-v6mr54689901pgd.133.1535007051363; Wed, 22 Aug 2018 23:50:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535007051; cv=none; d=google.com; s=arc-20160816; b=zlhgEYtq1gziuPubB9uKJACzb/tMYD+JiuLsA9iUoasdFe5xoNlFeO4Q4Ky29/6+6V FeKj9oe7sf+fYbu19hWM+YFVEAtipoKdVRWoAUNhRDhuVZ3EN14dz0kz1tWCBElWUPCR GyEX3+LdtzvqMqekKF+FU0upNSlz5SFeokhedVmJg0pkAQrTF81txBThIRN6u+q8G42T 3eNzW3CEFW3PDUawcZbK74208XvXkVCovRXJPpK4xvD3VcPDXeS/3NwQHp+baWOZwjHa 0NKpWkVt8DCxuFxEVSEAkq8mSofLTBgRYYi46WAvpgqpz0lTSGLgxwRiLgCWBI9dcFtn bWww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=+5W8UHsHaPcE1ERglFuyAWe7VoukgYl3M2lEo1iJdiE=; b=gEczJoQ5bLHlvw+g0kbwxM5Qd/ndMBYbIoZyOD3yHihnyY1kqJBAlBe+OKdYh/YrXY ttYpIy5T1wE8Ybg31g/XNMtm57Ojgd3tsFNXptmbC0IJzyoVGj9/8KcU0ILsCK2umv1n nYvHRFJwZyyOFL2/YXv6JfOK+ZZ1VdZIE8m6roJ/sl47p76wh6GOigTBr2GCWZGmDgvF Ajhbhb0z4Z7R8YkGT1ET5Ig2iVcQOHh4GZS59tWOCsgNl3IIWwC58OYfeIMMKUI5MObA 9e0OXUUkr9S4JlznZFKaXDvf/EC9Gg6nBfXFhpWbL45j2EWsKKptlrzOdZZTm33N8OQE NZqg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=a3cv9eaB; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cf13-v6si3685258plb.334.2018.08.22.23.50.50; Wed, 22 Aug 2018 23:50:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=a3cv9eaB; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726137AbeHWKS7 (ORCPT + 13 others); Thu, 23 Aug 2018 06:18:59 -0400 Received: from mail-pg1-f194.google.com ([209.85.215.194]:44674 "EHLO mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726068AbeHWKS6 (ORCPT ); Thu, 23 Aug 2018 06:18:58 -0400 Received: by mail-pg1-f194.google.com with SMTP id r1-v6so2082971pgp.11 for ; Wed, 22 Aug 2018 23:50:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=+5W8UHsHaPcE1ERglFuyAWe7VoukgYl3M2lEo1iJdiE=; b=a3cv9eaBF9jjnQAiZg043rjl/AmhYDrj5M1D04nS+by3tM7ainviKfBiyT9QWUToxV 5Tgo/yRvwzmwxcHltQZhWbJLw4mgbPAxo/A/oK1r+/dSQvqEh7oQwahu14bQEZu2jOK6 BYckVC6Y1n7oPRwUrs1Gk4D74v1rFqiTjRlV0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=+5W8UHsHaPcE1ERglFuyAWe7VoukgYl3M2lEo1iJdiE=; b=ROdnPqgYRgajzSQ0D6SIlQ2A7OLn5SLnc1GuATDmheieRId61E/J9r9KSW315j6iSh qO5x9sCJ/H8Xy6NpDmfwpECkK0db4h99Z0oTWd+k/3z7rCNof8oVk5qsQUAWsz/5yYMM HOItlyur5waRz52rkT8msTJ+5eUebeXNAvBzoQUKHTToh0W2iKva/iIaG/5Fl5Xx7X3B 22VT9M3mhVriRxxpx6JaNAjMb5Q5oMiR+IagVOPD/+A+xELBjnlUchgneYtlhOBUUB+F Ssq8FS9JOg5HyWY3xbhclDWzQ9trNRlgVvN6TI3DP2zDNmIMz/xe31EXl2FesdbAhPgO 3RNw== X-Gm-Message-State: AOUpUlGRS+TV5zV2dbAU19YJA4YOPBSJb/mQYbIxORPhM6C3Ehd9I+Cf 8miopxIIPrmvP6kCfylYe8uPZA== X-Received: by 2002:a62:9f85:: with SMTP id v5-v6mr61092062pfk.27.1535007049110; Wed, 22 Aug 2018 23:50:49 -0700 (PDT) Received: from localhost.localdomain ([49.207.48.21]) by smtp.gmail.com with ESMTPSA id l85-v6sm6274501pfk.34.2018.08.22.23.50.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 22 Aug 2018 23:50:48 -0700 (PDT) From: Amit Pundir To: Greg KH , Nikolay Aleksandrov Cc: "David S . Miller" , Stable Subject: [PATCH v2 for-4.9.y 1/5] sch_htb: fix crash on init failure Date: Thu, 23 Aug 2018 12:20:37 +0530 Message-Id: <1535007041-31605-2-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org> References: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org> Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nikolay Aleksandrov commit 88c2ace69dbef696edba77712882af03879abc9c upstream. The commit below added a call to the ->destroy() callback for all qdiscs which failed in their ->init(), but some were not prepared for such change and can't handle partially initialized qdisc. HTB is one of them and if any error occurs before the qdisc watchdog timer and qdisc work are initialized then we can hit either a null ptr deref (timer->base) when canceling in ->destroy or lockdep error info about trying to register a non-static key and a stack dump. So to fix these two move the watchdog timer and workqueue init before anything that can err out. To reproduce userspace needs to send broken htb qdisc create request, tested with a modified tc (q_htb.c). Trace log: [ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null) [ 2710.897977] IP: hrtimer_active+0x17/0x8a [ 2710.898174] PGD 58fab067 [ 2710.898175] P4D 58fab067 [ 2710.898353] PUD 586c0067 [ 2710.898531] PMD 0 [ 2710.898710] [ 2710.899045] Oops: 0000 [#1] SMP [ 2710.899232] Modules linked in: [ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54 [ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000 [ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a [ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246 [ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000 [ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298 [ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001 [ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000 [ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0 [ 2710.901907] FS: 00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000 [ 2710.902277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0 [ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2710.903180] Call Trace: [ 2710.903332] hrtimer_try_to_cancel+0x1a/0x93 [ 2710.903504] hrtimer_cancel+0x15/0x20 [ 2710.903667] qdisc_watchdog_cancel+0x12/0x14 [ 2710.903866] htb_destroy+0x2e/0xf7 [ 2710.904097] qdisc_create+0x377/0x3fd [ 2710.904330] tc_modify_qdisc+0x4d2/0x4fd [ 2710.904511] rtnetlink_rcv_msg+0x188/0x197 [ 2710.904682] ? rcu_read_unlock+0x3e/0x5f [ 2710.904849] ? rtnl_newlink+0x729/0x729 [ 2710.905017] netlink_rcv_skb+0x6c/0xce [ 2710.905183] rtnetlink_rcv+0x23/0x2a [ 2710.905345] netlink_unicast+0x103/0x181 [ 2710.905511] netlink_sendmsg+0x326/0x337 [ 2710.905679] sock_sendmsg_nosec+0x14/0x3f [ 2710.905847] sock_sendmsg+0x29/0x2e [ 2710.906010] ___sys_sendmsg+0x209/0x28b [ 2710.906176] ? do_raw_spin_unlock+0xcd/0xf8 [ 2710.906346] ? _raw_spin_unlock+0x27/0x31 [ 2710.906514] ? __handle_mm_fault+0x651/0xdb1 [ 2710.906685] ? check_chain_key+0xb0/0xfd [ 2710.906855] __sys_sendmsg+0x45/0x63 [ 2710.907018] ? __sys_sendmsg+0x45/0x63 [ 2710.907185] SyS_sendmsg+0x19/0x1b [ 2710.907344] entry_SYSCALL_64_fastpath+0x23/0xc2 Note that probably this bug goes further back because the default qdisc handling always calls ->destroy on init failure too. Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Amit Pundir --- net/sched/sch_htb.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.7.4 diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index c798d0de8a9d..95fe75d441eb 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c @@ -1013,6 +1013,9 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) int err; int i; + qdisc_watchdog_init(&q->watchdog, sch); + INIT_WORK(&q->work, htb_work_func); + if (!opt) return -EINVAL; @@ -1033,8 +1036,6 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) for (i = 0; i < TC_HTB_NUMPRIO; i++) INIT_LIST_HEAD(q->drops + i); - qdisc_watchdog_init(&q->watchdog, sch); - INIT_WORK(&q->work, htb_work_func); qdisc_skb_head_init(&q->direct_queue); if (tb[TCA_HTB_DIRECT_QLEN]) From patchwork Thu Aug 23 06:50:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 144883 Delivered-To: patch@linaro.org Received: by 2002:a2e:164a:0:0:0:0:0 with SMTP id 10-v6csp756899ljw; Wed, 22 Aug 2018 23:50:53 -0700 (PDT) X-Google-Smtp-Source: AA+uWPyJrQhI8poWjBpFbwJYOLer+qReYzWjqnvLjmsE+Vwo0Gkhjy9xjXtnkgMLqxErB4t4rdwr X-Received: by 2002:a17:902:2f43:: with SMTP id s61-v6mr55999377plb.176.1535007053484; Wed, 22 Aug 2018 23:50:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535007053; cv=none; d=google.com; s=arc-20160816; b=oZLQ4y5lOVHMGGYkqcEpaHsEBW8iZm0IdnhDGfyIQd79ptChQd92gMmIiAtAtYqNuG qDE29azsaZrbIV36mtqBTH7r/hlyfkxrFMtIvJDG9VHZmRPLA/AyapQhABz4dem5HUvi 824IjYN2pdL9enqiRmNmPzjhwZSMmsnv6fWmWHlYwI0iJJElS9KIdK1yvnQYB19eM1sd 3efwFRzuImFTDz9JEoT/Xasg52jdUQBbnZQfXD/LQxF4G9gXTJ4nMLjahNUnBwRbrXwM pQjsv+SqZVvZgMcQGGkZTKpB9SzWJ010cHe5ke7GUdYFfXImJ1zCfKDtY6Qh+kEDfn45 8Iig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=YPPTZBcirSnBHY2ji2HESr2mIS3fo0qH3/RyHn4RCcc=; b=s5wlmK4iceVV5GnAbucVp3JfpyeWhVs6pRuym4cfUhKkESebfLuoSO2jPAL0vHqAuD efvvfsdLOReZdW5EyZ6uNXCotMZj6BwxmGZ7QIlGu0zTOKA7Li65Jqm6VgbBtyELvD0w 7aXxFyiAGR1JhE4LCUH4ukY5WMUkIcEmkFNMcA/uCexPsCsB4KM9Xw8c2iE0RvzBoPB8 KwpEjwe5wmgJburHu/lYaToGrd083jkByVIASX5Dc/hHVWrDTjDBO5u8PcZOFFt9b3ae LPqbeuDMt2u+yOZgR2Rw36/m6ye26DGDaxoG00iT6uU7HaNsWYFktZEm8O4kl63+OnNj +Big== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=L5sWzgT4; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cf13-v6si3685258plb.334.2018.08.22.23.50.53; Wed, 22 Aug 2018 23:50:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=L5sWzgT4; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726145AbeHWKTB (ORCPT + 13 others); Thu, 23 Aug 2018 06:19:01 -0400 Received: from mail-pl0-f68.google.com ([209.85.160.68]:35474 "EHLO mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726068AbeHWKTB (ORCPT ); Thu, 23 Aug 2018 06:19:01 -0400 Received: by mail-pl0-f68.google.com with SMTP id d9-v6so1787966plr.2 for ; Wed, 22 Aug 2018 23:50:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=YPPTZBcirSnBHY2ji2HESr2mIS3fo0qH3/RyHn4RCcc=; b=L5sWzgT4RFu+XnTNQPuPg6qINJomEulMzN0Kk81lHJ1Nwzo27LBCiNLP1aao0Odrw8 tAFTSK1wA8/AiRJPygZCQSAlbWp3oAvQyzvbP5PwiaV7w3r26veabAD3ud/g6/z/o0u6 liUPNipyEvX9+gpDW9W6ZgODoAQByuzM2HVlc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=YPPTZBcirSnBHY2ji2HESr2mIS3fo0qH3/RyHn4RCcc=; b=VgkbcMdmdBz0AOx6MYUE36ECRhKcmEBt0wV1cI5+3ASL+fBxfWKfE4if3/vvTyNrJ0 BLLAHnvurg9HxGmIYHg4rfDkXKviIttRUdnfr6aQTYR5KpM7Ptl0A4zo7WbLclh3K+wt loZl+EwABIGNu/7quNh3bf5HgQF4hbAokINuFridrPfe8DLvdXXQdz4/Ei3QU2m8njsU YUlX4XkwRn4IrlPNXTzVbGt5XbQz7bF9jaNtFl+uzpbEaQBdMHguX5eNAV2H1nY7czz2 SwVLk8+dIUgoO8twhZPqc/lzaURDaGa+DAyGS6cCduIXM4KcO3hae2gRWobnVlzks6Q8 pvPA== X-Gm-Message-State: AOUpUlGe2WfnEayxfMjKta1kJiHhjg4qoFRV30dDY21RgT1MHU3Qkhex sLPu3ArnRhmO+Bf3Y6KbY8Iyqg== X-Received: by 2002:a17:902:6f16:: with SMTP id w22-v6mr38503734plk.127.1535007051976; Wed, 22 Aug 2018 23:50:51 -0700 (PDT) Received: from localhost.localdomain ([49.207.48.21]) by smtp.gmail.com with ESMTPSA id l85-v6sm6274501pfk.34.2018.08.22.23.50.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 22 Aug 2018 23:50:50 -0700 (PDT) From: Amit Pundir To: Greg KH , Nikolay Aleksandrov Cc: "David S . Miller" , Stable Subject: [PATCH v2 for-4.9.y 2/5] sch_multiq: fix double free on init failure Date: Thu, 23 Aug 2018 12:20:38 +0530 Message-Id: <1535007041-31605-3-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org> References: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org> Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nikolay Aleksandrov commit e89d469e3be3ed3d7124a803211a463ff83d0964 upstream. The below commit added a call to ->destroy() on init failure, but multiq still frees ->queues on error in init, but ->queues is also freed by ->destroy() thus we get double free and corrupted memory. Very easy to reproduce (eth0 not multiqueue): $ tc qdisc add dev eth0 root multiq RTNETLINK answers: Operation not supported $ ip l add dumdum type dummy (crash) Trace log: [ 3929.467747] general protection fault: 0000 [#1] SMP [ 3929.468083] Modules linked in: [ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56 [ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000 [ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be [ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246 [ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df [ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020 [ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000 [ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564 [ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00 [ 3929.471869] FS: 00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000 [ 3929.472286] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0 [ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3929.474873] Call Trace: [ 3929.475337] ? kstrdup_const+0x23/0x25 [ 3929.475863] kstrdup+0x2e/0x4b [ 3929.476338] kstrdup_const+0x23/0x25 [ 3929.478084] __kernfs_new_node+0x28/0xbc [ 3929.478478] kernfs_new_node+0x35/0x55 [ 3929.478929] kernfs_create_link+0x23/0x76 [ 3929.479478] sysfs_do_create_link_sd.isra.2+0x85/0xd7 [ 3929.480096] sysfs_create_link+0x33/0x35 [ 3929.480649] device_add+0x200/0x589 [ 3929.481184] netdev_register_kobject+0x7c/0x12f [ 3929.481711] register_netdevice+0x373/0x471 [ 3929.482174] rtnl_newlink+0x614/0x729 [ 3929.482610] ? rtnl_newlink+0x17f/0x729 [ 3929.483080] rtnetlink_rcv_msg+0x188/0x197 [ 3929.483533] ? rcu_read_unlock+0x3e/0x5f [ 3929.483984] ? rtnl_newlink+0x729/0x729 [ 3929.484420] netlink_rcv_skb+0x6c/0xce [ 3929.484858] rtnetlink_rcv+0x23/0x2a [ 3929.485291] netlink_unicast+0x103/0x181 [ 3929.485735] netlink_sendmsg+0x326/0x337 [ 3929.486181] sock_sendmsg_nosec+0x14/0x3f [ 3929.486614] sock_sendmsg+0x29/0x2e [ 3929.486973] ___sys_sendmsg+0x209/0x28b [ 3929.487340] ? do_raw_spin_unlock+0xcd/0xf8 [ 3929.487719] ? _raw_spin_unlock+0x27/0x31 [ 3929.488092] ? __handle_mm_fault+0x651/0xdb1 [ 3929.488471] ? check_chain_key+0xb0/0xfd [ 3929.488847] __sys_sendmsg+0x45/0x63 [ 3929.489206] ? __sys_sendmsg+0x45/0x63 [ 3929.489576] SyS_sendmsg+0x19/0x1b [ 3929.489901] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 3929.490172] RIP: 0033:0x7f0b6fb93690 [ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690 [ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003 [ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000 [ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002 [ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000 [ 3929.492352] ? trace_hardirqs_off_caller+0xa7/0xcf [ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44 89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d 8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01 [ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0 Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: f07d1501292b ("multiq: Further multiqueue cleanup") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller [AmitP: Removed unused variable 'err' in multiq_init()] Signed-off-by: Amit Pundir --- net/sched/sch_multiq.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) -- 2.7.4 diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c index 9ffbb025b37e..66b6e807b4ec 100644 --- a/net/sched/sch_multiq.c +++ b/net/sched/sch_multiq.c @@ -234,7 +234,7 @@ static int multiq_tune(struct Qdisc *sch, struct nlattr *opt) static int multiq_init(struct Qdisc *sch, struct nlattr *opt) { struct multiq_sched_data *q = qdisc_priv(sch); - int i, err; + int i; q->queues = NULL; @@ -249,12 +249,7 @@ static int multiq_init(struct Qdisc *sch, struct nlattr *opt) for (i = 0; i < q->max_bands; i++) q->queues[i] = &noop_qdisc; - err = multiq_tune(sch, opt); - - if (err) - kfree(q->queues); - - return err; + return multiq_tune(sch, opt); } static int multiq_dump(struct Qdisc *sch, struct sk_buff *skb) From patchwork Thu Aug 23 06:50:39 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 144884 Delivered-To: patch@linaro.org Received: by 2002:a2e:164a:0:0:0:0:0 with SMTP id 10-v6csp756924ljw; Wed, 22 Aug 2018 23:50:56 -0700 (PDT) X-Google-Smtp-Source: ANB0Vdbwx1rF7zeLJygqvfC66udtqXWtGauAsMLN0xpJt0UD91GlQwN1Llfg6RtnN3nzMrXry8bJ X-Received: by 2002:a17:902:8605:: with SMTP id f5-v6mr271238plo.271.1535007056286; Wed, 22 Aug 2018 23:50:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535007056; cv=none; d=google.com; s=arc-20160816; b=efDTPyRiESk2KaAC9LpeXgnQv2WNIE5V+YESzjfFagVcaEwBpQ5NBRPMqQblgF+vAt ZOj/FhkgjhkSsiPhQOueiHXI3NaKbq0VpZIC5pbxi4DdBHuaXlgTsoEedRNx8U79U41L CnknWBYs+B9DZ4BWN8ES4u7mKFNKDaWHErVpJ8gua0mHbeGQoYaifjJJdenqnPjHot+0 D4yPB3+TL1SMpGM0xYKWxhGy0k3ljW0MSAEtkY7PbHaSvHHav7+yhfzUiswa1CFDr8BS bxIYvx6CHfkLI4Ki9u+hjsyKMFJaGZayNQfZJa7FUIA4JBWTbfZqOzFKtypluFkGIVgN kP4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=NYtRbdLO1qdw7Ez45DttdxIKsPausq1OJYQDzbEjc2A=; b=zyDKPE9X0wNorVXSi8Z7szePVXW9TpdKatRpUrVNKq+AgBYjGPquBrnI8PTJie2pBU 9H4aNHSlVmsAOIqD+eDfB/aiXUkdfezdyvE2NVZAZL4xWh8ZD0gXd/11j8KRPsiL7Lxh WAQvmY5LWeTV5j+Yr5WCMRv8chJug0NgwUn1F8iPSoIHQGOqcgKMtm/uaFDI7ohTi5h4 qAOFgUoTcREvrcffEHaVtBpFiv/4dythdaowEVqYJwqzuU+U6N9dBYnCJ/GwyYDH7Dbq v50UUfSSxnDIrcjP2qcxBxbhyaQdNCt97VHPor28jhtLIyC0WRkTxpRpQpsevhu0xAqR a/2g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=GhKvnzeV; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cf13-v6si3685258plb.334.2018.08.22.23.50.56; Wed, 22 Aug 2018 23:50:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=GhKvnzeV; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726156AbeHWKTE (ORCPT + 13 others); Thu, 23 Aug 2018 06:19:04 -0400 Received: from mail-pl0-f68.google.com ([209.85.160.68]:37732 "EHLO mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726068AbeHWKTE (ORCPT ); Thu, 23 Aug 2018 06:19:04 -0400 Received: by mail-pl0-f68.google.com with SMTP id c6-v6so1974422pls.4 for ; Wed, 22 Aug 2018 23:50:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=NYtRbdLO1qdw7Ez45DttdxIKsPausq1OJYQDzbEjc2A=; b=GhKvnzeVG/NIQKFXgmt2fqjsYjiosm2k4RlqeAzZELtV3ubaNiRy50FgHUXOtUnxSo mn1nSvBf/AuB5pTFSBEwPXh98lGvLsOyLgqtGKDlfWlP3WEk7VJ1fsn4QOZjmg+I4PLm 6rCN5//iYwV+7BCCfpitQn15XF7aJ3xD3vSso= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=NYtRbdLO1qdw7Ez45DttdxIKsPausq1OJYQDzbEjc2A=; b=R71U2/Dd8va6P8Lwlak8dk5Ap5Oqr7dQX5Mxg6pXsUfftA2Nwz4U3jak4t4MSpzd2M BmQmOh/DzQRkqo9HGM5tapkXhDimWefislPU4QFW32UhFBITHIdsKiE4ErR8n03BSCkb xy9FbBWKGpNTjzi6b1Vo5/qYXwz2JwZQIuvNb0ZX3GYZCVZvi1VGm8EAHSIRnx5b+WNP qMruTp6YN76mJv46KYysvNNsDinLTOXd0ldzYQOiuFpdOIXcgzNtK3N5eKPisqktaO/s 08y91lZVryD5RdZmLJECaTnHHcoy/n/KRS0Tx8hJpnlfPWDByMbdEhw6U7TIwduVd0KH M03g== X-Gm-Message-State: AOUpUlHNIEOYdyqVjKJhMctFLTC0lDipKMrXIpwWq/CER1TMy5eA/uCS s19lz7Th4+tdrcBC/Qw8J8jbd56jPmo= X-Received: by 2002:a17:902:b688:: with SMTP id c8-v6mr20229232pls.114.1535007054736; Wed, 22 Aug 2018 23:50:54 -0700 (PDT) Received: from localhost.localdomain ([49.207.48.21]) by smtp.gmail.com with ESMTPSA id l85-v6sm6274501pfk.34.2018.08.22.23.50.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 22 Aug 2018 23:50:53 -0700 (PDT) From: Amit Pundir To: Greg KH , Nikolay Aleksandrov Cc: "David S . Miller" , Stable Subject: [PATCH v2 for-4.9.y 3/5] sch_hhf: fix null pointer dereference on init failure Date: Thu, 23 Aug 2018 12:20:39 +0530 Message-Id: <1535007041-31605-4-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org> References: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org> Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nikolay Aleksandrov commit 32db864d33c21fd70a217ba53cb7224889354ffb upstream. If sch_hhf fails in its ->init() function (either due to wrong user-space arguments as below or memory alloc failure of hh_flows) it will do a null pointer deref of q->hh_flows in its ->destroy() function. To reproduce the crash: $ tc qdisc add dev eth0 root hhf quantum 2000000 non_hh_weight 10000000 Crash log: [ 690.654882] BUG: unable to handle kernel NULL pointer dereference at (null) [ 690.655565] IP: hhf_destroy+0x48/0xbc [ 690.655944] PGD 37345067 [ 690.655948] P4D 37345067 [ 690.656252] PUD 58402067 [ 690.656554] PMD 0 [ 690.656857] [ 690.657362] Oops: 0000 [#1] SMP [ 690.657696] Modules linked in: [ 690.658032] CPU: 3 PID: 920 Comm: tc Not tainted 4.13.0-rc6+ #57 [ 690.658525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 690.659255] task: ffff880058578000 task.stack: ffff88005acbc000 [ 690.659747] RIP: 0010:hhf_destroy+0x48/0xbc [ 690.660146] RSP: 0018:ffff88005acbf9e0 EFLAGS: 00010246 [ 690.660601] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000 [ 690.661155] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff821f63f0 [ 690.661710] RBP: ffff88005acbfa08 R08: ffffffff81b10a90 R09: 0000000000000000 [ 690.662267] R10: 00000000f42b7019 R11: ffff880058578000 R12: 00000000ffffffea [ 690.662820] R13: ffff8800372f6400 R14: 0000000000000000 R15: 0000000000000000 [ 690.663769] FS: 00007f8ae5e8b740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000 [ 690.667069] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 690.667965] CR2: 0000000000000000 CR3: 0000000058523000 CR4: 00000000000406e0 [ 690.668918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 690.669945] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 690.671003] Call Trace: [ 690.671743] qdisc_create+0x377/0x3fd [ 690.672534] tc_modify_qdisc+0x4d2/0x4fd [ 690.673324] rtnetlink_rcv_msg+0x188/0x197 [ 690.674204] ? rcu_read_unlock+0x3e/0x5f [ 690.675091] ? rtnl_newlink+0x729/0x729 [ 690.675877] netlink_rcv_skb+0x6c/0xce [ 690.676648] rtnetlink_rcv+0x23/0x2a [ 690.677405] netlink_unicast+0x103/0x181 [ 690.678179] netlink_sendmsg+0x326/0x337 [ 690.678958] sock_sendmsg_nosec+0x14/0x3f [ 690.679743] sock_sendmsg+0x29/0x2e [ 690.680506] ___sys_sendmsg+0x209/0x28b [ 690.681283] ? __handle_mm_fault+0xc7d/0xdb1 [ 690.681915] ? check_chain_key+0xb0/0xfd [ 690.682449] __sys_sendmsg+0x45/0x63 [ 690.682954] ? __sys_sendmsg+0x45/0x63 [ 690.683471] SyS_sendmsg+0x19/0x1b [ 690.683974] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 690.684516] RIP: 0033:0x7f8ae529d690 [ 690.685016] RSP: 002b:00007fff26d2d6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 690.685931] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f8ae529d690 [ 690.686573] RDX: 0000000000000000 RSI: 00007fff26d2d700 RDI: 0000000000000003 [ 690.687047] RBP: ffff88005acbff98 R08: 0000000000000001 R09: 0000000000000000 [ 690.687519] R10: 00007fff26d2d480 R11: 0000000000000246 R12: 0000000000000002 [ 690.687996] R13: 0000000001258070 R14: 0000000000000001 R15: 0000000000000000 [ 690.688475] ? trace_hardirqs_off_caller+0xa7/0xcf [ 690.688887] Code: 00 00 e8 2a 02 ae ff 49 8b bc 1d 60 02 00 00 48 83 c3 08 e8 19 02 ae ff 48 83 fb 20 75 dc 45 31 f6 4d 89 f7 4d 03 bd 20 02 00 00 <49> 8b 07 49 39 c7 75 24 49 83 c6 10 49 81 fe 00 40 00 00 75 e1 [ 690.690200] RIP: hhf_destroy+0x48/0xbc RSP: ffff88005acbf9e0 [ 690.690636] CR2: 0000000000000000 Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Amit Pundir --- net/sched/sch_hhf.c | 3 +++ 1 file changed, 3 insertions(+) -- 2.7.4 diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c index 2fae8b5f1b80..f4b2d69973c3 100644 --- a/net/sched/sch_hhf.c +++ b/net/sched/sch_hhf.c @@ -492,6 +492,9 @@ static void hhf_destroy(struct Qdisc *sch) hhf_free(q->hhf_valid_bits[i]); } + if (!q->hh_flows) + return; + for (i = 0; i < HH_FLOWS_CNT; i++) { struct hh_flow_state *flow, *next; struct list_head *head = &q->hh_flows[i]; From patchwork Thu Aug 23 06:50:40 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 144885 Delivered-To: patch@linaro.org Received: by 2002:a2e:164a:0:0:0:0:0 with SMTP id 10-v6csp756951ljw; Wed, 22 Aug 2018 23:50:59 -0700 (PDT) X-Google-Smtp-Source: AA+uWPwiW0WFYFST2rfcb0cQJ7bGHuhHC/Qft+zIZU9nqdY9RLjBepyJNmo51Hg+nv26JAXkGdE0 X-Received: by 2002:a63:5e45:: with SMTP id s66-v6mr54569771pgb.151.1535007059373; Wed, 22 Aug 2018 23:50:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535007059; cv=none; d=google.com; s=arc-20160816; b=QZ3n1E8md+froP9WUlL1MMAZ41C94IfTUt+ph8/IzoFFJ4El4lJcC41fo0XLEx6wtT U/neiC4lSf9ZfeD3+FkNJAhits2zo82RwfIn4sDTQ8lVMXR7Ov0umWro9uzg8TKDT2F7 nJCvaFLLRA++zmFCS2rPp0eH6WOLpYfetju9cagbWV7gpgnfDzibQb2Tf/wRm21hhUER 0/Hk9vSPFUD3vQdflcZ7iQ/ETP2fQtwI8B9psPUXI8juBcf/vnPYLRJBT1bdYEPRdlWV hkhJ22n5tb1uyjs73HI4RHETY7WYKjxue4Q/9wZZI0xJBWbqGTt0HlhJI/JLUMa3n8M+ Chkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=f/C+senbndULJWNdGhdDtynwSqspcIgbzLuXwF13ouQ=; b=PJ0PRGh82Tycc/XTmKVI+9oHKwJKo2pdWo60rvKkWY7hMVN5rN9YGlldg3RHz7X2/2 ZVaGmUbIvA8TJjnGV99j5IwSyR8+yxd9A4yd7st6cXKnbs58DDJRdrUR+8I2GTW2Zbrp AXMA1eM9K66E7IOPGkqEOGAQZxLqGquG8sowEYSAO9acKVURvfjnGNuGvyHUUsQigKt7 rUQwIWOUGgeahmq//ErOHlugHkMTzc4uPtVzYETqhC683AVEcI47c29jGmGJ5gZ9AG5S mpKIpZfdq7Ooz6+7/qrNYC3Ee+lD5Hd1co4mSFYhno3LraYHswxifNkh2/J99XGxMToc 0ESw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=F6EaWKmI; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cf13-v6si3685258plb.334.2018.08.22.23.50.59; Wed, 22 Aug 2018 23:50:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=F6EaWKmI; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726182AbeHWKTH (ORCPT + 13 others); Thu, 23 Aug 2018 06:19:07 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:40273 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726068AbeHWKTH (ORCPT ); Thu, 23 Aug 2018 06:19:07 -0400 Received: by mail-pg1-f196.google.com with SMTP id z25-v6so2092367pgu.7 for ; Wed, 22 Aug 2018 23:50:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=f/C+senbndULJWNdGhdDtynwSqspcIgbzLuXwF13ouQ=; b=F6EaWKmIw7GtFSUjeoOjpcdVFyHnU211KWisIKQEgNkShovUHW8q4vJP8xrYBeFJ9t Slb0GLKbvpJ2uz2N3TsChevNY2qtwHWG/sv5GhoEzcO+kz11z7TMDxLJ13k5JJNkwY6s a8PRauuybCkJC+Fxi36lrXCTPLvZnJCN+QNNA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=f/C+senbndULJWNdGhdDtynwSqspcIgbzLuXwF13ouQ=; b=DfBABhBO3GFX8INPxd89KGdxphQizjAWRtwoKvvPz8CqEJmUZoNUEAXpuw7l8a0MSA 6R4pe2+yOG23ofxNSCaYHUSOe0lumz6UrFihSbpC9y/O5PjdqYcSTK2q0AGwqa9+D9qB x0HzNEWvStYPvOL3RxS6ag687Aplezh8nj4jDKb1WDWUtP1E7uQuUf9PMG3NEDRM+eyY xfszEo5cIua3S5xNzh5Ezw1xQ1QKukLZ8Igepi/QDmd60/9L15P48iqMLv9oi620ggXb qjPwqvjdXOurOl8XK3Eqpp1rOXiNwCI7SY3R++pKYk9sUR3RgLCFXlwW3Ikm7v2mf/lf P6cg== X-Gm-Message-State: AOUpUlEabk4XeQxfypEJLrpH/SLvxV5v/e0SYEAbiaTZMPJCIKdqsnkf dRaIdULVuhmh+BkBDxOHtjAZzQ== X-Received: by 2002:a63:24c:: with SMTP id 73-v6mr55906516pgc.252.1535007057611; Wed, 22 Aug 2018 23:50:57 -0700 (PDT) Received: from localhost.localdomain ([49.207.48.21]) by smtp.gmail.com with ESMTPSA id l85-v6sm6274501pfk.34.2018.08.22.23.50.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 22 Aug 2018 23:50:56 -0700 (PDT) From: Amit Pundir To: Greg KH , Nikolay Aleksandrov Cc: "David S . Miller" , Stable Subject: [PATCH v2 for-4.9.y 4/5] sch_netem: avoid null pointer deref on init failure Date: Thu, 23 Aug 2018 12:20:40 +0530 Message-Id: <1535007041-31605-5-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org> References: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org> Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nikolay Aleksandrov commit 634576a1844dba15bc5e6fc61d72f37e13a21615 upstream. netem can fail in ->init due to missing options (either not supplied by user-space or used as a default qdisc) causing a timer->base null pointer deref in its ->destroy() and ->reset() callbacks. Reproduce: $ sysctl net.core.default_qdisc=netem $ ip l set ethX up Crash log: [ 1814.846943] BUG: unable to handle kernel NULL pointer dereference at (null) [ 1814.847181] IP: hrtimer_active+0x17/0x8a [ 1814.847270] PGD 59c34067 [ 1814.847271] P4D 59c34067 [ 1814.847337] PUD 37374067 [ 1814.847403] PMD 0 [ 1814.847468] [ 1814.847582] Oops: 0000 [#1] SMP [ 1814.847655] Modules linked in: sch_netem(O) sch_fq_codel(O) [ 1814.847761] CPU: 3 PID: 1573 Comm: ip Tainted: G O 4.13.0-rc6+ #62 [ 1814.847884] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 1814.848043] task: ffff88003723a700 task.stack: ffff88005adc8000 [ 1814.848235] RIP: 0010:hrtimer_active+0x17/0x8a [ 1814.848407] RSP: 0018:ffff88005adcb590 EFLAGS: 00010246 [ 1814.848590] RAX: 0000000000000000 RBX: ffff880058e359d8 RCX: 0000000000000000 [ 1814.848793] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880058e359d8 [ 1814.848998] RBP: ffff88005adcb5b0 R08: 00000000014080c0 R09: 00000000ffffffff [ 1814.849204] R10: ffff88005adcb660 R11: 0000000000000020 R12: 0000000000000000 [ 1814.849410] R13: ffff880058e359d8 R14: 00000000ffffffff R15: 0000000000000001 [ 1814.849616] FS: 00007f733bbca740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000 [ 1814.849919] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1814.850107] CR2: 0000000000000000 CR3: 0000000059f0d000 CR4: 00000000000406e0 [ 1814.850313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1814.850518] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 1814.850723] Call Trace: [ 1814.850875] hrtimer_try_to_cancel+0x1a/0x93 [ 1814.851047] hrtimer_cancel+0x15/0x20 [ 1814.851211] qdisc_watchdog_cancel+0x12/0x14 [ 1814.851383] netem_reset+0xe6/0xed [sch_netem] [ 1814.851561] qdisc_destroy+0x8b/0xe5 [ 1814.851723] qdisc_create_dflt+0x86/0x94 [ 1814.851890] ? dev_activate+0x129/0x129 [ 1814.852057] attach_one_default_qdisc+0x36/0x63 [ 1814.852232] netdev_for_each_tx_queue+0x3d/0x48 [ 1814.852406] dev_activate+0x4b/0x129 [ 1814.852569] __dev_open+0xe7/0x104 [ 1814.852730] __dev_change_flags+0xc6/0x15c [ 1814.852899] dev_change_flags+0x25/0x59 [ 1814.853064] do_setlink+0x30c/0xb3f [ 1814.853228] ? check_chain_key+0xb0/0xfd [ 1814.853396] ? check_chain_key+0xb0/0xfd [ 1814.853565] rtnl_newlink+0x3a4/0x729 [ 1814.853728] ? rtnl_newlink+0x117/0x729 [ 1814.853905] ? ns_capable_common+0xd/0xb1 [ 1814.854072] ? ns_capable+0x13/0x15 [ 1814.854234] rtnetlink_rcv_msg+0x188/0x197 [ 1814.854404] ? rcu_read_unlock+0x3e/0x5f [ 1814.854572] ? rtnl_newlink+0x729/0x729 [ 1814.854737] netlink_rcv_skb+0x6c/0xce [ 1814.854902] rtnetlink_rcv+0x23/0x2a [ 1814.855064] netlink_unicast+0x103/0x181 [ 1814.855230] netlink_sendmsg+0x326/0x337 [ 1814.855398] sock_sendmsg_nosec+0x14/0x3f [ 1814.855584] sock_sendmsg+0x29/0x2e [ 1814.855747] ___sys_sendmsg+0x209/0x28b [ 1814.855912] ? do_raw_spin_unlock+0xcd/0xf8 [ 1814.856082] ? _raw_spin_unlock+0x27/0x31 [ 1814.856251] ? __handle_mm_fault+0x651/0xdb1 [ 1814.856421] ? check_chain_key+0xb0/0xfd [ 1814.856592] __sys_sendmsg+0x45/0x63 [ 1814.856755] ? __sys_sendmsg+0x45/0x63 [ 1814.856923] SyS_sendmsg+0x19/0x1b [ 1814.857083] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 1814.857256] RIP: 0033:0x7f733b2dd690 [ 1814.857419] RSP: 002b:00007ffe1d3387d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 1814.858238] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f733b2dd690 [ 1814.858445] RDX: 0000000000000000 RSI: 00007ffe1d338820 RDI: 0000000000000003 [ 1814.858651] RBP: ffff88005adcbf98 R08: 0000000000000001 R09: 0000000000000003 [ 1814.858856] R10: 00007ffe1d3385a0 R11: 0000000000000246 R12: 0000000000000002 [ 1814.859060] R13: 000000000066f1a0 R14: 00007ffe1d3408d0 R15: 0000000000000000 [ 1814.859267] ? trace_hardirqs_off_caller+0xa7/0xcf [ 1814.859446] Code: 10 55 48 89 c7 48 89 e5 e8 45 a1 fb ff 31 c0 5d c3 31 c0 c3 66 66 66 66 90 55 48 89 e5 41 56 41 55 41 54 53 49 89 fd 49 8b 45 30 <4c> 8b 20 41 8b 5c 24 38 31 c9 31 d2 48 c7 c7 50 8e 1d 82 41 89 [ 1814.860022] RIP: hrtimer_active+0x17/0x8a RSP: ffff88005adcb590 [ 1814.860214] CR2: 0000000000000000 Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Amit Pundir --- net/sched/sch_netem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.7.4 diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c index e899d9eb76cb..3f87ddb1777d 100644 --- a/net/sched/sch_netem.c +++ b/net/sched/sch_netem.c @@ -937,11 +937,11 @@ static int netem_init(struct Qdisc *sch, struct nlattr *opt) struct netem_sched_data *q = qdisc_priv(sch); int ret; + qdisc_watchdog_init(&q->watchdog, sch); + if (!opt) return -EINVAL; - qdisc_watchdog_init(&q->watchdog, sch); - q->loss_model = CLG_RANDOM; ret = netem_change(sch, opt); if (ret) From patchwork Thu Aug 23 06:50:41 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 144886 Delivered-To: patch@linaro.org Received: by 2002:a2e:164a:0:0:0:0:0 with SMTP id 10-v6csp756982ljw; Wed, 22 Aug 2018 23:51:02 -0700 (PDT) X-Google-Smtp-Source: AA+uWPxqeeraERy4eRH5LvIuzQVb2PP+Ij3KmN1/IyCCZkhCsrPoS5Wnqdfn6a03Lj5r57I60k6v X-Received: by 2002:a63:1d22:: with SMTP id d34-v6mr54690414pgd.133.1535007062421; Wed, 22 Aug 2018 23:51:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535007062; cv=none; d=google.com; s=arc-20160816; b=iSpNUbnJf67DaQS0JQ5jVoasGVeT6EPBjjHv+5e4oDJwNyXIxTNoVN1Ahvqx+yMwr8 yJXL7fFfchCij50XM0OY01lFOx4Pl/eu0qNMqkbDDxRUkLdQ+3tUDHtUUFgE7RjiTrPn fL2TJ7d915NkuhOg8MS/zh3Azp2BCICHT4Aje2y4vWlR9tFpzKZgyi0inq4toAH2NM1q X+eHtRCBofpPbbON3nxBOjEg8yvEh4qv0SpOnha3tujPcK458exmTnkqkRO0P7BoOx7B zu7oVh/6ul91MK8ZWsoftUUubCXvZy+IP4OXkAgCro0KmaP17mtG/3Cns7DoJEmoN4gE Yupw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=pPCSTeC84yOQxgyM8e/R+qVuuNtbJ5jVzPqymIzroPU=; b=MAoxlLGWQakM8g5LZrfJqznMUxn2HYHMDaD6CDn1dsNy1Zke75BwghO4Bw7nRMkRLQ UYp7gYfTpmHQ4nynkvmPbg9YzyJaEqE9rquq98idiWbABGm2Fx5DNUelvOwVE8FXQpbx ETwwmWLxiwg4vdzNRogNPNnJ+voW69sf35kZC+Mf31dNHCAxrU5l5YjHNABOBcbGqR0n W3uQe9OFxCOx2WVwqJikqksIkCF5ucWwb/7T5hLTc22I2dcm/i93wWrw4Bt8OxM8NNXA 3CXRCwMODI0ViAmABpE6/dRQ34Z/IcEQkMt07FUQVT1Y4xqIiBcK1AOrgeoXQRKvmCpN qv+A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ByqD4iHt; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cf13-v6si3685258plb.334.2018.08.22.23.51.02; Wed, 22 Aug 2018 23:51:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ByqD4iHt; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726194AbeHWKTK (ORCPT + 13 others); Thu, 23 Aug 2018 06:19:10 -0400 Received: from mail-pl0-f68.google.com ([209.85.160.68]:39362 "EHLO mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726068AbeHWKTK (ORCPT ); Thu, 23 Aug 2018 06:19:10 -0400 Received: by mail-pl0-f68.google.com with SMTP id w14-v6so1970206plp.6 for ; Wed, 22 Aug 2018 23:51:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=pPCSTeC84yOQxgyM8e/R+qVuuNtbJ5jVzPqymIzroPU=; b=ByqD4iHtEsRHCTQvNTkbl7iKZCOnBi0/6t6BaRibmQ5K/Gis/10mF3dmdpHMGLx4n2 qfKTqzbnSyDpsOvgEDbrxS5Y74K1EY76J6H4I4103qm9uWTpwKZu8UxyKWZwjIQFE66c D1xKpKvFn6Xou6kzz7j8PUImyHoNU63wwBtec= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=pPCSTeC84yOQxgyM8e/R+qVuuNtbJ5jVzPqymIzroPU=; b=MTiGJeW/fPHLLMVniT3hGXJ/014rpmXUNN2jVlHHWhIb3YRTOdOq79p6+enkeg0Nef x64zDzm1DLWDqcRuiopfC500eR7T7JWQNFz6lzwXhJQlvIpwrRb30JhqFzuDExd8SJyE 9VydUmmd90ie1Twoic9lZRLv0/VLp+vKmTk1w8qWvz1d8ofdW8gCEPs/4f8rXMgrAc4g n/Rreli8GueTgbJapsll6Gctpdp2XkTUiMsc2F15fwyzFQDZvwFIw8bxB2wB/kqCQUw7 N9fEw5mTZWukccKE0pLWgK1mqH8Cf2Wvf4YIkAp2WhZbXiYnAErM5a2JstE98EYK1En4 wYIQ== X-Gm-Message-State: AOUpUlEq03CsXThS9gN5ouKtGGT77CLUw08SDzeXAQStrTVekR0UEF+L XMl4NY1mPIU7P2fKTG1VWkdZ8Q== X-Received: by 2002:a17:902:7147:: with SMTP id u7-v6mr57546106plm.154.1535007060398; Wed, 22 Aug 2018 23:51:00 -0700 (PDT) Received: from localhost.localdomain ([49.207.48.21]) by smtp.gmail.com with ESMTPSA id l85-v6sm6274501pfk.34.2018.08.22.23.50.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 22 Aug 2018 23:50:59 -0700 (PDT) From: Amit Pundir To: Greg KH , Nikolay Aleksandrov Cc: "David S . Miller" , Stable Subject: [PATCH v2 for-4.9.y 5/5] sch_tbf: fix two null pointer dereferences on init failure Date: Thu, 23 Aug 2018 12:20:41 +0530 Message-Id: <1535007041-31605-6-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org> References: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org> Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nikolay Aleksandrov commit c2d6511e6a4f1f3673d711569c00c3849549e9b0 upstream. sch_tbf calls qdisc_watchdog_cancel() in both its ->reset and ->destroy callbacks but it may fail before the timer is initialized due to missing options (either not supplied by user-space or set as a default qdisc), also q->qdisc is used by ->reset and ->destroy so we need it initialized. Reproduce: $ sysctl net.core.default_qdisc=tbf $ ip l set ethX up Crash log: [ 959.160172] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 [ 959.160323] IP: qdisc_reset+0xa/0x5c [ 959.160400] PGD 59cdb067 [ 959.160401] P4D 59cdb067 [ 959.160466] PUD 59ccb067 [ 959.160532] PMD 0 [ 959.160597] [ 959.160706] Oops: 0000 [#1] SMP [ 959.160778] Modules linked in: sch_tbf sch_sfb sch_prio sch_netem [ 959.160891] CPU: 2 PID: 1562 Comm: ip Not tainted 4.13.0-rc6+ #62 [ 959.160998] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 959.161157] task: ffff880059c9a700 task.stack: ffff8800376d0000 [ 959.161263] RIP: 0010:qdisc_reset+0xa/0x5c [ 959.161347] RSP: 0018:ffff8800376d3610 EFLAGS: 00010286 [ 959.161531] RAX: ffffffffa001b1dd RBX: ffff8800373a2800 RCX: 0000000000000000 [ 959.161733] RDX: ffffffff8215f160 RSI: ffffffff8215f160 RDI: 0000000000000000 [ 959.161939] RBP: ffff8800376d3618 R08: 00000000014080c0 R09: 00000000ffffffff [ 959.162141] R10: ffff8800376d3578 R11: 0000000000000020 R12: ffffffffa001d2c0 [ 959.162343] R13: ffff880037538000 R14: 00000000ffffffff R15: 0000000000000001 [ 959.162546] FS: 00007fcc5126b740(0000) GS:ffff88005d900000(0000) knlGS:0000000000000000 [ 959.162844] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 959.163030] CR2: 0000000000000018 CR3: 000000005abc4000 CR4: 00000000000406e0 [ 959.163233] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 959.163436] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 959.163638] Call Trace: [ 959.163788] tbf_reset+0x19/0x64 [sch_tbf] [ 959.163957] qdisc_destroy+0x8b/0xe5 [ 959.164119] qdisc_create_dflt+0x86/0x94 [ 959.164284] ? dev_activate+0x129/0x129 [ 959.164449] attach_one_default_qdisc+0x36/0x63 [ 959.164623] netdev_for_each_tx_queue+0x3d/0x48 [ 959.164795] dev_activate+0x4b/0x129 [ 959.164957] __dev_open+0xe7/0x104 [ 959.165118] __dev_change_flags+0xc6/0x15c [ 959.165287] dev_change_flags+0x25/0x59 [ 959.165451] do_setlink+0x30c/0xb3f [ 959.165613] ? check_chain_key+0xb0/0xfd [ 959.165782] rtnl_newlink+0x3a4/0x729 [ 959.165947] ? rtnl_newlink+0x117/0x729 [ 959.166121] ? ns_capable_common+0xd/0xb1 [ 959.166288] ? ns_capable+0x13/0x15 [ 959.166450] rtnetlink_rcv_msg+0x188/0x197 [ 959.166617] ? rcu_read_unlock+0x3e/0x5f [ 959.166783] ? rtnl_newlink+0x729/0x729 [ 959.166948] netlink_rcv_skb+0x6c/0xce [ 959.167113] rtnetlink_rcv+0x23/0x2a [ 959.167273] netlink_unicast+0x103/0x181 [ 959.167439] netlink_sendmsg+0x326/0x337 [ 959.167607] sock_sendmsg_nosec+0x14/0x3f [ 959.167772] sock_sendmsg+0x29/0x2e [ 959.167932] ___sys_sendmsg+0x209/0x28b [ 959.168098] ? do_raw_spin_unlock+0xcd/0xf8 [ 959.168267] ? _raw_spin_unlock+0x27/0x31 [ 959.168432] ? __handle_mm_fault+0x651/0xdb1 [ 959.168602] ? check_chain_key+0xb0/0xfd [ 959.168773] __sys_sendmsg+0x45/0x63 [ 959.168934] ? __sys_sendmsg+0x45/0x63 [ 959.169100] SyS_sendmsg+0x19/0x1b [ 959.169260] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 959.169432] RIP: 0033:0x7fcc5097e690 [ 959.169592] RSP: 002b:00007ffd0d5c7b48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 959.169887] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007fcc5097e690 [ 959.170089] RDX: 0000000000000000 RSI: 00007ffd0d5c7b90 RDI: 0000000000000003 [ 959.170292] RBP: ffff8800376d3f98 R08: 0000000000000001 R09: 0000000000000003 [ 959.170494] R10: 00007ffd0d5c7910 R11: 0000000000000246 R12: 0000000000000006 [ 959.170697] R13: 000000000066f1a0 R14: 00007ffd0d5cfc40 R15: 0000000000000000 [ 959.170900] ? trace_hardirqs_off_caller+0xa7/0xcf [ 959.171076] Code: 00 41 c7 84 24 14 01 00 00 00 00 00 00 41 c7 84 24 98 00 00 00 00 00 00 00 41 5c 41 5d 41 5e 5d c3 66 66 66 66 90 55 48 89 e5 53 <48> 8b 47 18 48 89 fb 48 8b 40 48 48 85 c0 74 02 ff d0 48 8b bb [ 959.171637] RIP: qdisc_reset+0xa/0x5c RSP: ffff8800376d3610 [ 959.171821] CR2: 0000000000000018 Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Amit Pundir --- net/sched/sch_tbf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.7.4 diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c index 303355c449ab..b3f7980b0f27 100644 --- a/net/sched/sch_tbf.c +++ b/net/sched/sch_tbf.c @@ -423,12 +423,13 @@ static int tbf_init(struct Qdisc *sch, struct nlattr *opt) { struct tbf_sched_data *q = qdisc_priv(sch); + qdisc_watchdog_init(&q->watchdog, sch); + q->qdisc = &noop_qdisc; + if (opt == NULL) return -EINVAL; q->t_c = ktime_get_ns(); - qdisc_watchdog_init(&q->watchdog, sch); - q->qdisc = &noop_qdisc; return tbf_change(sch, opt); }