From patchwork Thu Aug 23 06:51:52 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 144888
From: Amit Pundir
To: Greg KH, Nikolay Aleksandrov
Cc: "David S . Miller", Stable
Subject: [PATCH v2 for-4.4.y 1/5] sch_htb: fix crash on init failure
Date: Thu, 23 Aug 2018 12:21:52 +0530
Message-Id: <1535007116-31801-2-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1535007116-31801-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Nikolay Aleksandrov commit 88c2ace69dbef696edba77712882af03879abc9c upstream. The commit below added a call to the ->destroy() callback for all qdiscs which failed in their ->init(), but some were not prepared for such change and can't handle partially initialized qdisc. HTB is one of them and if any error occurs before the qdisc watchdog timer and qdisc work are initialized then we can hit either a null ptr deref (timer->base) when canceling in ->destroy or lockdep error info about trying to register a non-static key and a stack dump. So to fix these two move the watchdog timer and workqueue init before anything that can err out. To reproduce userspace needs to send broken htb qdisc create request, tested with a modified tc (q_htb.c). Trace log: [ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null) [ 2710.897977] IP: hrtimer_active+0x17/0x8a [ 2710.898174] PGD 58fab067 [ 2710.898175] P4D 58fab067 [ 2710.898353] PUD 586c0067 [ 2710.898531] PMD 0 [ 2710.898710] [ 2710.899045] Oops: 0000 [#1] SMP [ 2710.899232] Modules linked in: [ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54 [ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000 [ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a [ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246 [ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000 [ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298 [ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001 [ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000 [ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0 [ 2710.901907] FS: 00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000 [ 2710.902277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 
2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0 [ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2710.903180] Call Trace: [ 2710.903332] hrtimer_try_to_cancel+0x1a/0x93 [ 2710.903504] hrtimer_cancel+0x15/0x20 [ 2710.903667] qdisc_watchdog_cancel+0x12/0x14 [ 2710.903866] htb_destroy+0x2e/0xf7 [ 2710.904097] qdisc_create+0x377/0x3fd [ 2710.904330] tc_modify_qdisc+0x4d2/0x4fd [ 2710.904511] rtnetlink_rcv_msg+0x188/0x197 [ 2710.904682] ? rcu_read_unlock+0x3e/0x5f [ 2710.904849] ? rtnl_newlink+0x729/0x729 [ 2710.905017] netlink_rcv_skb+0x6c/0xce [ 2710.905183] rtnetlink_rcv+0x23/0x2a [ 2710.905345] netlink_unicast+0x103/0x181 [ 2710.905511] netlink_sendmsg+0x326/0x337 [ 2710.905679] sock_sendmsg_nosec+0x14/0x3f [ 2710.905847] sock_sendmsg+0x29/0x2e [ 2710.906010] ___sys_sendmsg+0x209/0x28b [ 2710.906176] ? do_raw_spin_unlock+0xcd/0xf8 [ 2710.906346] ? _raw_spin_unlock+0x27/0x31 [ 2710.906514] ? __handle_mm_fault+0x651/0xdb1 [ 2710.906685] ? check_chain_key+0xb0/0xfd [ 2710.906855] __sys_sendmsg+0x45/0x63 [ 2710.907018] ? __sys_sendmsg+0x45/0x63 [ 2710.907185] SyS_sendmsg+0x19/0x1b [ 2710.907344] entry_SYSCALL_64_fastpath+0x23/0xc2 Note that probably this bug goes further back because the default qdisc handling always calls ->destroy on init failure too. Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller [AmitP: Rebased for linux-4.4.y] Signed-off-by: Amit Pundir --- net/sched/sch_htb.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.7.4 diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index 87b02ed3d5f2..daa01d5604c2 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c 
@@ -1025,6 +1025,9 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) int err; int i; + qdisc_watchdog_init(&q->watchdog, sch); + INIT_WORK(&q->work, htb_work_func); + if (!opt) return -EINVAL; 
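Review bot: the two calls added above the if (!opt) check only help as long as nothing that can fail is ever placed before them, and the code does not record that requirement. Add a short comment above qdisc_watchdog_init() stating that ->destroy() runs when ->init() fails, so the watchdog and work item must be set up before the first return path.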
@@ -1045,8 +1048,6 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) for (i = 0; i < TC_HTB_NUMPRIO; i++) INIT_LIST_HEAD(q->drops + i); - qdisc_watchdog_init(&q->watchdog, sch); - INIT_WORK(&q->work, htb_work_func); __skb_queue_head_init(&q->direct_queue); if (tb[TCA_HTB_DIRECT_QLEN])
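Review bot: INIT_LIST_HEAD(q->drops + i) and __skb_queue_head_init(&q->direct_queue) in this hunk's context still run only after the early returns, so a failed htb_init() leaves them uninitialized just as it left the timer and work item. The commit message should state whether htb_destroy() touches q->drops or q->direct_queue on that path; if it does, these two belong at the top of htb_init() next to the calls this patch moves.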
From patchwork Thu Aug 23 06:51:53 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 144889
From: Amit Pundir
To: Greg KH, Nikolay Aleksandrov
Cc: "David S . Miller", Stable
Subject: [PATCH v2 for-4.4.y 2/5] sch_multiq: fix double free on init failure
Date: Thu, 23 Aug 2018 12:21:53 +0530
Message-Id: <1535007116-31801-3-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1535007116-31801-1-git-send-email-amit.pundir@linaro.org>
From: Nikolay Aleksandrov commit e89d469e3be3ed3d7124a803211a463ff83d0964 upstream. The below commit added a call to ->destroy() on init failure, but multiq still frees ->queues on error in init, but ->queues is also freed by ->destroy() thus we get double free and corrupted memory. Very easy to reproduce (eth0 not multiqueue): $ tc qdisc add dev eth0 root multiq RTNETLINK answers: Operation not supported $ ip l add dumdum type dummy (crash) Trace log: [ 3929.467747] general protection fault: 0000 [#1] SMP [ 3929.468083] Modules linked in: [ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56 [ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000 [ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be [ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246 [ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df [ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020 [ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000 [ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564 [ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00 [ 3929.471869] FS: 00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000 [ 3929.472286] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0 [ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3929.474873] Call Trace: [ 3929.475337] ? 
kstrdup_const+0x23/0x25 [ 3929.475863] kstrdup+0x2e/0x4b [ 3929.476338] kstrdup_const+0x23/0x25 [ 3929.478084] __kernfs_new_node+0x28/0xbc [ 3929.478478] kernfs_new_node+0x35/0x55 [ 3929.478929] kernfs_create_link+0x23/0x76 [ 3929.479478] sysfs_do_create_link_sd.isra.2+0x85/0xd7 [ 3929.480096] sysfs_create_link+0x33/0x35 [ 3929.480649] device_add+0x200/0x589 [ 3929.481184] netdev_register_kobject+0x7c/0x12f [ 3929.481711] register_netdevice+0x373/0x471 [ 3929.482174] rtnl_newlink+0x614/0x729 [ 3929.482610] ? rtnl_newlink+0x17f/0x729 [ 3929.483080] rtnetlink_rcv_msg+0x188/0x197 [ 3929.483533] ? rcu_read_unlock+0x3e/0x5f [ 3929.483984] ? rtnl_newlink+0x729/0x729 [ 3929.484420] netlink_rcv_skb+0x6c/0xce [ 3929.484858] rtnetlink_rcv+0x23/0x2a [ 3929.485291] netlink_unicast+0x103/0x181 [ 3929.485735] netlink_sendmsg+0x326/0x337 [ 3929.486181] sock_sendmsg_nosec+0x14/0x3f [ 3929.486614] sock_sendmsg+0x29/0x2e [ 3929.486973] ___sys_sendmsg+0x209/0x28b [ 3929.487340] ? do_raw_spin_unlock+0xcd/0xf8 [ 3929.487719] ? _raw_spin_unlock+0x27/0x31 [ 3929.488092] ? __handle_mm_fault+0x651/0xdb1 [ 3929.488471] ? check_chain_key+0xb0/0xfd [ 3929.488847] __sys_sendmsg+0x45/0x63 [ 3929.489206] ? __sys_sendmsg+0x45/0x63 [ 3929.489576] SyS_sendmsg+0x19/0x1b [ 3929.489901] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 3929.490172] RIP: 0033:0x7f0b6fb93690 [ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690 [ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003 [ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000 [ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002 [ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000 [ 3929.492352] ? 
trace_hardirqs_off_caller+0xa7/0xcf [ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44 89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d 8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01 [ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0 Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: f07d1501292b ("multiq: Further multiqueue cleanup") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller [AmitP: Removed unused variable 'err' in multiq_init()] Signed-off-by: Amit Pundir --- net/sched/sch_multiq.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) -- 2.7.4 diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c index bcdd54bb101c..cef36ad691dd 100644 --- a/net/sched/sch_multiq.c +++ b/net/sched/sch_multiq.c @@ -254,7 +254,7 @@ static int multiq_tune(struct Qdisc *sch, struct nlattr *opt) static int multiq_init(struct Qdisc *sch, struct nlattr *opt) { struct multiq_sched_data *q = qdisc_priv(sch); - int i, err; + int i; q->queues = NULL; 
@@ -269,12 +269,7 @@ static int multiq_init(struct Qdisc *sch, struct nlattr *opt) for (i = 0; i < q->max_bands; i++) q->queues[i] = &noop_qdisc; - err = multiq_tune(sch, opt); - - if (err) - kfree(q->queues); - - return err; + return multiq_tune(sch, opt); } static int multiq_dump(struct Qdisc *sch, struct sk_buff *skb)
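Review bot: dropping kfree(q->queues) from the error path of multiq_init() is only correct if every caller runs ->destroy() after a failed ->init(); where that is not the case, the double free turns into a leak of q->queues. Since this is a 4.4.y backport, the [AmitP: ...] note should confirm that 87b60cfacf9f, named in the first Fixes: tag, is present in the target tree.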
From patchwork Thu Aug 23 06:51:54 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 144890
From: Amit Pundir
To: Greg KH, Nikolay Aleksandrov
Cc: "David S . Miller", Stable
Subject: [PATCH v2 for-4.4.y 3/5] sch_hhf: fix null pointer dereference on init failure
Date: Thu, 23 Aug 2018 12:21:54 +0530
Message-Id: <1535007116-31801-4-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1535007116-31801-1-git-send-email-amit.pundir@linaro.org>
From: Nikolay Aleksandrov commit 32db864d33c21fd70a217ba53cb7224889354ffb upstream. If sch_hhf fails in its ->init() function (either due to wrong user-space arguments as below or memory alloc failure of hh_flows) it will do a null pointer deref of q->hh_flows in its ->destroy() function. To reproduce the crash: $ tc qdisc add dev eth0 root hhf quantum 2000000 non_hh_weight 10000000 Crash log: [ 690.654882] BUG: unable to handle kernel NULL pointer dereference at (null) [ 690.655565] IP: hhf_destroy+0x48/0xbc [ 690.655944] PGD 37345067 [ 690.655948] P4D 37345067 [ 690.656252] PUD 58402067 [ 690.656554] PMD 0 [ 690.656857] [ 690.657362] Oops: 0000 [#1] SMP [ 690.657696] Modules linked in: [ 690.658032] CPU: 3 PID: 920 Comm: tc Not tainted 4.13.0-rc6+ #57 [ 690.658525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 690.659255] task: ffff880058578000 task.stack: ffff88005acbc000 [ 690.659747] RIP: 0010:hhf_destroy+0x48/0xbc [ 690.660146] RSP: 0018:ffff88005acbf9e0 EFLAGS: 00010246 [ 690.660601] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000 [ 690.661155] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff821f63f0 [ 690.661710] RBP: ffff88005acbfa08 R08: ffffffff81b10a90 R09: 0000000000000000 [ 690.662267] R10: 00000000f42b7019 R11: ffff880058578000 R12: 00000000ffffffea [ 690.662820] R13: ffff8800372f6400 R14: 0000000000000000 R15: 0000000000000000 [ 690.663769] FS: 00007f8ae5e8b740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000 [ 690.667069] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 690.667965] CR2: 0000000000000000 CR3: 0000000058523000 CR4: 00000000000406e0 [ 690.668918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 690.669945] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 690.671003] Call Trace: [ 690.671743] qdisc_create+0x377/0x3fd [ 690.672534] tc_modify_qdisc+0x4d2/0x4fd [ 690.673324] rtnetlink_rcv_msg+0x188/0x197 [ 
690.674204] ? rcu_read_unlock+0x3e/0x5f [ 690.675091] ? rtnl_newlink+0x729/0x729 [ 690.675877] netlink_rcv_skb+0x6c/0xce [ 690.676648] rtnetlink_rcv+0x23/0x2a [ 690.677405] netlink_unicast+0x103/0x181 [ 690.678179] netlink_sendmsg+0x326/0x337 [ 690.678958] sock_sendmsg_nosec+0x14/0x3f [ 690.679743] sock_sendmsg+0x29/0x2e [ 690.680506] ___sys_sendmsg+0x209/0x28b [ 690.681283] ? __handle_mm_fault+0xc7d/0xdb1 [ 690.681915] ? check_chain_key+0xb0/0xfd [ 690.682449] __sys_sendmsg+0x45/0x63 [ 690.682954] ? __sys_sendmsg+0x45/0x63 [ 690.683471] SyS_sendmsg+0x19/0x1b [ 690.683974] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 690.684516] RIP: 0033:0x7f8ae529d690 [ 690.685016] RSP: 002b:00007fff26d2d6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 690.685931] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f8ae529d690 [ 690.686573] RDX: 0000000000000000 RSI: 00007fff26d2d700 RDI: 0000000000000003 [ 690.687047] RBP: ffff88005acbff98 R08: 0000000000000001 R09: 0000000000000000 [ 690.687519] R10: 00007fff26d2d480 R11: 0000000000000246 R12: 0000000000000002 [ 690.687996] R13: 0000000001258070 R14: 0000000000000001 R15: 0000000000000000 [ 690.688475] ? trace_hardirqs_off_caller+0xa7/0xcf [ 690.688887] Code: 00 00 e8 2a 02 ae ff 49 8b bc 1d 60 02 00 00 48 83 c3 08 e8 19 02 ae ff 48 83 fb 20 75 dc 45 31 f6 4d 89 f7 4d 03 bd 20 02 00 00 <49> 8b 07 49 39 c7 75 24 49 83 c6 10 49 81 fe 00 40 00 00 75 e1 [ 690.690200] RIP: hhf_destroy+0x48/0xbc RSP: ffff88005acbf9e0 [ 690.690636] CR2: 0000000000000000 Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Amit Pundir --- net/sched/sch_hhf.c | 3 +++ 1 file changed, 3 insertions(+) -- 2.7.4 diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c index 45d4b2f22f62..aff2a1b46f7f 100644 --- a/net/sched/sch_hhf.c +++ b/net/sched/sch_hhf.c 
@@ -501,6 +501,9 @@ static void hhf_destroy(struct Qdisc *sch) hhf_free(q->hhf_valid_bits[i]); } + if (!q->hh_flows) + return; + for (i = 0; i < HH_FLOWS_CNT; i++) { struct hh_flow_state *flow, *next; struct list_head *head = &q->hh_flows[i];
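Review bot: the early return added before the hh_flows loop in hhf_destroy() also skips whatever follows that loop, which this hunk does not show. If anything after the loop releases state other than hh_flows, guard only the loop with if (q->hh_flows) instead of returning, or have the commit message state that nothing else is skipped.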
From patchwork Thu Aug 23 06:51:55 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 144891
From: Amit Pundir
To: Greg KH, Nikolay Aleksandrov
Cc: "David S . Miller", Stable
Subject: [PATCH v2 for-4.4.y 4/5] sch_netem: avoid null pointer deref on init failure
Date: Thu, 23 Aug 2018 12:21:55 +0530
Message-Id: <1535007116-31801-5-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1535007116-31801-1-git-send-email-amit.pundir@linaro.org>
From: Nikolay Aleksandrov

commit 634576a1844dba15bc5e6fc61d72f37e13a21615 upstream.

netem can fail in ->init due to missing options (either not supplied by
user-space or used as a default qdisc) causing a timer->base null
pointer deref in its ->destroy() and ->reset() callbacks.

Reproduce:
$ sysctl net.core.default_qdisc=netem
$ ip l set ethX up

Crash log:
[ 1814.846943] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1814.847181] IP: hrtimer_active+0x17/0x8a
[ 1814.847270] PGD 59c34067
[ 1814.847271] P4D 59c34067
[ 1814.847337] PUD 37374067
[ 1814.847403] PMD 0
[ 1814.847468]
[ 1814.847582] Oops: 0000 [#1] SMP
[ 1814.847655] Modules linked in: sch_netem(O) sch_fq_codel(O)
[ 1814.847761] CPU: 3 PID: 1573 Comm: ip Tainted: G O 4.13.0-rc6+ #62
[ 1814.847884] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 1814.848043] task: ffff88003723a700 task.stack: ffff88005adc8000
[ 1814.848235] RIP: 0010:hrtimer_active+0x17/0x8a
[ 1814.848407] RSP: 0018:ffff88005adcb590 EFLAGS: 00010246
[ 1814.848590] RAX: 0000000000000000 RBX: ffff880058e359d8 RCX: 0000000000000000
[ 1814.848793] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880058e359d8
[ 1814.848998] RBP: ffff88005adcb5b0 R08: 00000000014080c0 R09: 00000000ffffffff
[ 1814.849204] R10: ffff88005adcb660 R11: 0000000000000020 R12: 0000000000000000
[ 1814.849410] R13: ffff880058e359d8 R14: 00000000ffffffff R15: 0000000000000001
[ 1814.849616] FS: 00007f733bbca740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[ 1814.849919] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1814.850107] CR2: 0000000000000000 CR3: 0000000059f0d000 CR4: 00000000000406e0
[ 1814.850313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1814.850518] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1814.850723] Call Trace:
[ 1814.850875] hrtimer_try_to_cancel+0x1a/0x93
[ 1814.851047] hrtimer_cancel+0x15/0x20
[ 1814.851211] qdisc_watchdog_cancel+0x12/0x14
[ 1814.851383] netem_reset+0xe6/0xed [sch_netem]
[ 1814.851561] qdisc_destroy+0x8b/0xe5
[ 1814.851723] qdisc_create_dflt+0x86/0x94
[ 1814.851890] ? dev_activate+0x129/0x129
[ 1814.852057] attach_one_default_qdisc+0x36/0x63
[ 1814.852232] netdev_for_each_tx_queue+0x3d/0x48
[ 1814.852406] dev_activate+0x4b/0x129
[ 1814.852569] __dev_open+0xe7/0x104
[ 1814.852730] __dev_change_flags+0xc6/0x15c
[ 1814.852899] dev_change_flags+0x25/0x59
[ 1814.853064] do_setlink+0x30c/0xb3f
[ 1814.853228] ? check_chain_key+0xb0/0xfd
[ 1814.853396] ? check_chain_key+0xb0/0xfd
[ 1814.853565] rtnl_newlink+0x3a4/0x729
[ 1814.853728] ? rtnl_newlink+0x117/0x729
[ 1814.853905] ? ns_capable_common+0xd/0xb1
[ 1814.854072] ? ns_capable+0x13/0x15
[ 1814.854234] rtnetlink_rcv_msg+0x188/0x197
[ 1814.854404] ? rcu_read_unlock+0x3e/0x5f
[ 1814.854572] ? rtnl_newlink+0x729/0x729
[ 1814.854737] netlink_rcv_skb+0x6c/0xce
[ 1814.854902] rtnetlink_rcv+0x23/0x2a
[ 1814.855064] netlink_unicast+0x103/0x181
[ 1814.855230] netlink_sendmsg+0x326/0x337
[ 1814.855398] sock_sendmsg_nosec+0x14/0x3f
[ 1814.855584] sock_sendmsg+0x29/0x2e
[ 1814.855747] ___sys_sendmsg+0x209/0x28b
[ 1814.855912] ? do_raw_spin_unlock+0xcd/0xf8
[ 1814.856082] ? _raw_spin_unlock+0x27/0x31
[ 1814.856251] ? __handle_mm_fault+0x651/0xdb1
[ 1814.856421] ? check_chain_key+0xb0/0xfd
[ 1814.856592] __sys_sendmsg+0x45/0x63
[ 1814.856755] ? __sys_sendmsg+0x45/0x63
[ 1814.856923] SyS_sendmsg+0x19/0x1b
[ 1814.857083] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 1814.857256] RIP: 0033:0x7f733b2dd690
[ 1814.857419] RSP: 002b:00007ffe1d3387d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 1814.858238] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f733b2dd690
[ 1814.858445] RDX: 0000000000000000 RSI: 00007ffe1d338820 RDI: 0000000000000003
[ 1814.858651] RBP: ffff88005adcbf98 R08: 0000000000000001 R09: 0000000000000003
[ 1814.858856] R10: 00007ffe1d3385a0 R11: 0000000000000246 R12: 0000000000000002
[ 1814.859060] R13: 000000000066f1a0 R14: 00007ffe1d3408d0 R15: 0000000000000000
[ 1814.859267] ? trace_hardirqs_off_caller+0xa7/0xcf
[ 1814.859446] Code: 10 55 48 89 c7 48 89 e5 e8 45 a1 fb ff 31 c0 5d c3 31 c0 c3 66 66 66 66 90 55 48 89 e5 41 56 41 55 41 54 53 49 89 fd 49 8b 45 30 <4c> 8b 20 41 8b 5c 24 38 31 c9 31 d2 48 c7 c7 50 8e 1d 82 41 89
[ 1814.860022] RIP: hrtimer_active+0x17/0x8a RSP: ffff88005adcb590
[ 1814.860214] CR2: 0000000000000000

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
Signed-off-by: Amit Pundir
---
 net/sched/sch_netem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--
2.7.4

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c index b7c29d5b6f04..743ff23885da 100644 --- a/net/sched/sch_netem.c +++ b/net/sched/sch_netem.c
@@ -943,11 +943,11 @@ static int netem_init(struct Qdisc *sch, struct nlattr *opt) struct netem_sched_data *q = qdisc_priv(sch); int ret; + qdisc_watchdog_init(&q->watchdog, sch); + if (!opt) return -EINVAL; - qdisc_watchdog_init(&q->watchdog, sch); - q->loss_model = CLG_RANDOM; ret = netem_change(sch, opt); if (ret)

From patchwork Thu Aug 23 06:51:56 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 144892
From: Amit Pundir
To: Greg KH, Nikolay Aleksandrov
Cc: "David S . Miller", Stable
Subject: [PATCH v2 for-4.4.y 5/5] sch_tbf: fix two null pointer dereferences on init failure
Date: Thu, 23 Aug 2018 12:21:56 +0530
Message-Id: <1535007116-31801-6-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1535007116-31801-1-git-send-email-amit.pundir@linaro.org>
References: <1535007116-31801-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Nikolay Aleksandrov

commit c2d6511e6a4f1f3673d711569c00c3849549e9b0 upstream.

sch_tbf calls qdisc_watchdog_cancel() in both its ->reset and ->destroy
callbacks but it may fail before the timer is initialized due to missing
options (either not supplied by user-space or set as a default qdisc),
also q->qdisc is used by ->reset and ->destroy so we need it initialized.

Reproduce:
$ sysctl net.core.default_qdisc=tbf
$ ip l set ethX up

Crash log:
[ 959.160172] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[ 959.160323] IP: qdisc_reset+0xa/0x5c
[ 959.160400] PGD 59cdb067
[ 959.160401] P4D 59cdb067
[ 959.160466] PUD 59ccb067
[ 959.160532] PMD 0
[ 959.160597]
[ 959.160706] Oops: 0000 [#1] SMP
[ 959.160778] Modules linked in: sch_tbf sch_sfb sch_prio sch_netem
[ 959.160891] CPU: 2 PID: 1562 Comm: ip Not tainted 4.13.0-rc6+ #62
[ 959.160998] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 959.161157] task: ffff880059c9a700 task.stack: ffff8800376d0000
[ 959.161263] RIP: 0010:qdisc_reset+0xa/0x5c
[ 959.161347] RSP: 0018:ffff8800376d3610 EFLAGS: 00010286
[ 959.161531] RAX: ffffffffa001b1dd RBX: ffff8800373a2800 RCX: 0000000000000000
[ 959.161733] RDX: ffffffff8215f160 RSI: ffffffff8215f160 RDI: 0000000000000000
[ 959.161939] RBP: ffff8800376d3618 R08: 00000000014080c0 R09: 00000000ffffffff
[ 959.162141] R10: ffff8800376d3578 R11: 0000000000000020 R12: ffffffffa001d2c0
[ 959.162343] R13: ffff880037538000 R14: 00000000ffffffff R15: 0000000000000001
[ 959.162546] FS: 00007fcc5126b740(0000) GS:ffff88005d900000(0000) knlGS:0000000000000000
[ 959.162844] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 959.163030] CR2: 0000000000000018 CR3: 000000005abc4000 CR4: 00000000000406e0
[ 959.163233] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 959.163436] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 959.163638] Call Trace:
[ 959.163788] tbf_reset+0x19/0x64 [sch_tbf]
[ 959.163957] qdisc_destroy+0x8b/0xe5
[ 959.164119] qdisc_create_dflt+0x86/0x94
[ 959.164284] ? dev_activate+0x129/0x129
[ 959.164449] attach_one_default_qdisc+0x36/0x63
[ 959.164623] netdev_for_each_tx_queue+0x3d/0x48
[ 959.164795] dev_activate+0x4b/0x129
[ 959.164957] __dev_open+0xe7/0x104
[ 959.165118] __dev_change_flags+0xc6/0x15c
[ 959.165287] dev_change_flags+0x25/0x59
[ 959.165451] do_setlink+0x30c/0xb3f
[ 959.165613] ? check_chain_key+0xb0/0xfd
[ 959.165782] rtnl_newlink+0x3a4/0x729
[ 959.165947] ? rtnl_newlink+0x117/0x729
[ 959.166121] ? ns_capable_common+0xd/0xb1
[ 959.166288] ? ns_capable+0x13/0x15
[ 959.166450] rtnetlink_rcv_msg+0x188/0x197
[ 959.166617] ? rcu_read_unlock+0x3e/0x5f
[ 959.166783] ? rtnl_newlink+0x729/0x729
[ 959.166948] netlink_rcv_skb+0x6c/0xce
[ 959.167113] rtnetlink_rcv+0x23/0x2a
[ 959.167273] netlink_unicast+0x103/0x181
[ 959.167439] netlink_sendmsg+0x326/0x337
[ 959.167607] sock_sendmsg_nosec+0x14/0x3f
[ 959.167772] sock_sendmsg+0x29/0x2e
[ 959.167932] ___sys_sendmsg+0x209/0x28b
[ 959.168098] ? do_raw_spin_unlock+0xcd/0xf8
[ 959.168267] ? _raw_spin_unlock+0x27/0x31
[ 959.168432] ? __handle_mm_fault+0x651/0xdb1
[ 959.168602] ? check_chain_key+0xb0/0xfd
[ 959.168773] __sys_sendmsg+0x45/0x63
[ 959.168934] ? __sys_sendmsg+0x45/0x63
[ 959.169100] SyS_sendmsg+0x19/0x1b
[ 959.169260] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 959.169432] RIP: 0033:0x7fcc5097e690
[ 959.169592] RSP: 002b:00007ffd0d5c7b48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 959.169887] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007fcc5097e690
[ 959.170089] RDX: 0000000000000000 RSI: 00007ffd0d5c7b90 RDI: 0000000000000003
[ 959.170292] RBP: ffff8800376d3f98 R08: 0000000000000001 R09: 0000000000000003
[ 959.170494] R10: 00007ffd0d5c7910 R11: 0000000000000246 R12: 0000000000000006
[ 959.170697] R13: 000000000066f1a0 R14: 00007ffd0d5cfc40 R15: 0000000000000000
[ 959.170900] ? trace_hardirqs_off_caller+0xa7/0xcf
[ 959.171076] Code: 00 41 c7 84 24 14 01 00 00 00 00 00 00 41 c7 84 24 98 00 00 00 00 00 00 00 41 5c 41 5d 41 5e 5d c3 66 66 66 66 90 55 48 89 e5 53 <48> 8b 47 18 48 89 fb 48 8b 40 48 48 85 c0 74 02 ff d0 48 8b bb
[ 959.171637] RIP: qdisc_reset+0xa/0x5c RSP: ffff8800376d3610
[ 959.171821] CR2: 0000000000000018

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
Signed-off-by: Amit Pundir
---
 net/sched/sch_tbf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--
2.7.4

diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c index c2fbde742f37..a06c9d6bfc9c 100644 --- a/net/sched/sch_tbf.c +++ b/net/sched/sch_tbf.c
@@ -432,12 +432,13 @@ static int tbf_init(struct Qdisc *sch, struct nlattr *opt) { struct tbf_sched_data *q = qdisc_priv(sch); + qdisc_watchdog_init(&q->watchdog, sch); + q->qdisc = &noop_qdisc; + if (opt == NULL) return -EINVAL; q->t_c = ktime_get_ns(); - qdisc_watchdog_init(&q->watchdog, sch); - q->qdisc = &noop_qdisc; return tbf_change(sch, opt); }
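
Review bot: In the sch_sch_hhf hunk for hhf_destroy(), the new `if (!q->hh_flows) return;` is a bare mid-function return, so whatever follows the HH_FLOWS_CNT loop (outside the visible context) is skipped whenever hh_flows is NULL. Please confirm that no later cleanup in the function still has to run in that case; if some does, guard only the loop with the check instead of returning.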
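
Review bot: In the sch_netem.c hunk, nothing in netem_init() records why qdisc_watchdog_init() has to sit above the `if (!opt)` return. The commit message says ->reset() and ->destroy() still run after a failed ->init; a one-line comment to that effect above the call would keep a later cleanup from moving it back under the check. The context also stops at `if (ret)`, so the netem_change() failure path is worth checking for the same property.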
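
Review bot: The sch_tbf.c hunk relies on ->reset and ->destroy being safe to run against &noop_qdisc, which tbf_init() now assigns before the `opt == NULL` return. Please confirm for the 4.4.y tree that both callbacks leave the shared no-op qdisc untouched (nothing freed, no reference dropped). `q->t_c = ktime_get_ns();` staying below the check looks fine, since it is a plain timestamp assignment.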
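
The ordering problem that both commit messages describe (the watchdog timer in sch_netem, the timer plus q->qdisc in sch_tbf), modelled in userspace C as an added example; it is not code from the patches or from the kernel. All struct and function names are stand-ins, and the teardown step reports which pointer it would have read through NULL rather than crashing.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model. Every name is a stand-in, not a kernel symbol. */
struct timer_base { int running; };
struct child_qdisc { int qlen; };

struct sched_data {               /* plays the role of qdisc_priv(sch) */
    struct timer_base *wd_base;   /* set by the watchdog init step */
    struct child_qdisc *child;    /* set to a no-op child by init */
};

enum { FAULT_NONE = 0, FAULT_TIMER = 1, FAULT_CHILD = 2 };

static struct timer_base the_base;
static struct child_qdisc noop_child;

/* Ordering before the fix: return on missing options first. */
static int init_before(struct sched_data *q, const void *opt)
{
    if (!opt)
        return -22;               /* -EINVAL */
    q->wd_base = &the_base;
    q->child = &noop_child;
    return 0;
}

/* Ordering after the fix: fields teardown reads are set before any return. */
static int init_after(struct sched_data *q, const void *opt)
{
    q->wd_base = &the_base;
    q->child = &noop_child;
    if (!opt)
        return -22;
    return 0;
}

/* Stand-in for reset/destroy: reports which pointer the callbacks
 * would read through while it is still NULL, instead of crashing. */
static int teardown_faults(const struct sched_data *q)
{
    int faults = FAULT_NONE;
    if (!q->child)
        faults |= FAULT_CHILD;
    if (!q->wd_base)
        faults |= FAULT_TIMER;
    return faults;
}

/* Default-qdisc attach: no options, zeroed private area, and teardown
 * still runs when init fails. */
static int attach_default(int (*init)(struct sched_data *, const void *))
{
    struct sched_data q;
    memset(&q, 0, sizeof(q));
    if (init(&q, NULL) == 0)
        return FAULT_NONE;
    return teardown_faults(&q);
}

int main(void)
{
    printf("before fix: faults=%d\n", attach_default(init_before));
    printf("after fix:  faults=%d\n", attach_default(init_after));
    return 0;
}
```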