From patchwork Thu Aug 23 06:50:37 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 144882
From: Amit Pundir
To: Greg KH, Nikolay Aleksandrov
Cc: "David S . Miller", Stable
Subject: [PATCH v2 for-4.9.y 1/5] sch_htb: fix crash on init failure
Date: Thu, 23 Aug 2018 12:20:37 +0530
Message-Id: <1535007041-31605-2-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org>
References: <1535007041-31605-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Nikolay Aleksandrov

commit 88c2ace69dbef696edba77712882af03879abc9c upstream.

The commit below added a call to the ->destroy() callback for all qdiscs
which failed in their ->init(), but some were not prepared for such
change and can't handle partially initialized qdisc. HTB is one of them
and if any error occurs before the qdisc watchdog timer and qdisc work are
initialized then we can hit either a null ptr deref (timer->base) when
canceling in ->destroy or lockdep error info about trying to register
a non-static key and a stack dump. So to fix these two move the watchdog
timer and workqueue init before anything that can err out.
To reproduce userspace needs to send broken htb qdisc create request,
tested with a modified tc (q_htb.c).

Trace log:
[ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2710.897977] IP: hrtimer_active+0x17/0x8a
[ 2710.898174] PGD 58fab067
[ 2710.898175] P4D 58fab067
[ 2710.898353] PUD 586c0067
[ 2710.898531] PMD 0
[ 2710.898710]
[ 2710.899045] Oops: 0000 [#1] SMP
[ 2710.899232] Modules linked in:
[ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
[ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000
[ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
[ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246
[ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000
[ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298
[ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001
[ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000
[ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0
[ 2710.901907] FS: 00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
[ 2710.902277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0
[ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2710.903180] Call Trace:
[ 2710.903332]  hrtimer_try_to_cancel+0x1a/0x93
[ 2710.903504]  hrtimer_cancel+0x15/0x20
[ 2710.903667]  qdisc_watchdog_cancel+0x12/0x14
[ 2710.903866]  htb_destroy+0x2e/0xf7
[ 2710.904097]  qdisc_create+0x377/0x3fd
[ 2710.904330]  tc_modify_qdisc+0x4d2/0x4fd
[ 2710.904511]  rtnetlink_rcv_msg+0x188/0x197
[ 2710.904682]  ? rcu_read_unlock+0x3e/0x5f
[ 2710.904849]  ? rtnl_newlink+0x729/0x729
[ 2710.905017]  netlink_rcv_skb+0x6c/0xce
[ 2710.905183]  rtnetlink_rcv+0x23/0x2a
[ 2710.905345]  netlink_unicast+0x103/0x181
[ 2710.905511]  netlink_sendmsg+0x326/0x337
[ 2710.905679]  sock_sendmsg_nosec+0x14/0x3f
[ 2710.905847]  sock_sendmsg+0x29/0x2e
[ 2710.906010]  ___sys_sendmsg+0x209/0x28b
[ 2710.906176]  ? do_raw_spin_unlock+0xcd/0xf8
[ 2710.906346]  ? _raw_spin_unlock+0x27/0x31
[ 2710.906514]  ? __handle_mm_fault+0x651/0xdb1
[ 2710.906685]  ? check_chain_key+0xb0/0xfd
[ 2710.906855]  __sys_sendmsg+0x45/0x63
[ 2710.907018]  ? __sys_sendmsg+0x45/0x63
[ 2710.907185]  SyS_sendmsg+0x19/0x1b
[ 2710.907344]  entry_SYSCALL_64_fastpath+0x23/0xc2

Note that probably this bug goes further back because the default qdisc
handling always calls ->destroy on init failure too.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
Signed-off-by: Amit Pundir
---
 net/sched/sch_htb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--
2.7.4

diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index c798d0de8a9d..95fe75d441eb 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c
@@ -1013,6 +1013,9 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) int err; int i; + qdisc_watchdog_init(&q->watchdog, sch); + INIT_WORK(&q->work, htb_work_func); + if (!opt) return -EINVAL; @@ -1033,8 +1036,6 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt) for (i = 0; i < TC_HTB_NUMPRIO; i++) INIT_LIST_HEAD(q->drops + i); - qdisc_watchdog_init(&q->watchdog, sch); - INIT_WORK(&q->work, htb_work_func); qdisc_skb_head_init(&q->direct_queue); if (tb[TCA_HTB_DIRECT_QLEN])
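
Review bot: In the first hunk of htb_init(), the two init calls now sit above `if (!opt) return -EINVAL;` with nothing in the code explaining why, so a later cleanup could move them back below the option parsing and reintroduce the crash shown in the trace. Suggest a short comment above qdisc_watchdog_init() stating that the watchdog and the work item must be initialised before any error return, because ->destroy() runs on init failure and uses both.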
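
Review bot: After the second hunk, INIT_LIST_HEAD(q->drops + i) and qdisc_skb_head_init(&q->direct_queue) still run only after the early error returns, so on the `!opt` path htb_destroy() sees those members in whatever state they had before init rather than initialised. The changelog only covers the timer and the work item; please state there that htb_destroy() does not touch q->drops or q->direct_queue in a way that needs them initialised, or move those inits up alongside the watchdog and work init.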