[SRU][B][PATCH 0/7] net_sched: fix NULL pointer dereference and memory leaks

Kleber Souza kleber.souza at canonical.com
Tue Jul 2 12:15:14 UTC 2019


On 5/15/19 3:02 PM, Andrea Righi wrote:
> Buglink: https://bugs.launchpad.net/bugs/1825942

Our tools are case sensitive, and the link reference needs to be exactly
as:

BugLink: <url>

I have amended the commits and updated the branch.

Thanks,
Kleber

> 
> [Impact]
> 
> It is possible to trigger a NULL pointer dereference in tcindex_delete() with a
> simple reproducer script. This is because in tcindex_set_parms(), when old_r
> doesn't exist, we set the new exts to cr.exts, which can be uninitialized,
> triggering the NULL pointer dereference.
> 
> In addition to that we may also hit a race condition in tcindex_destroy() (as
> pointed out in the original bug report and also here:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542#10), that is also
> fixed upstream, but it requires 4b79817f7add "net_sched: switch to rcu_work".
> 
> However, adding these changes introduces three memory leak problems in
> cls_tcindex (that can be easily verified using the same test case). These leaks
> are also fixed upstream by 711ff09f3330 "net_sched: fix a memory leak in
> cls_tcindex" and 000d2aeda70c "net_sched: fix two more memory leaks in
> cls_tcindex", so we also need to backport these two additional fixes.
> 
> After all these fixes are applied the test case doesn't seem to trigger any
> bug.
> 
> [Test Case]
> 
> #!/bin/sh -ex
> 
> modprobe ifb
> 
> while true; do
>     tc qdisc add dev ifb0 root handle 2:0 prio bands 5
>     tc qdisc add dev ifb0 parent 2:5 sfq
>     tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
>     tc qdisc del dev ifb0 root || true
> done
> 
> [Fix]
> 
> Fixes required to solve this problem:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2df8bee5654bb2b7312662ca6810d4dc16b0b67f
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8015d93ebd27484418d4952284fd02172fa4b0b2
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=033b228e7f26b29ae37f8bfa1bc6b209a5365e9f
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1db817e75f5b9387b8db11e37d5f0624eb9223e0
> 
> [Regression Potential]
> 
> All upstream fixes, tested on the affected platform, backport changes are
> minimal (mostly offset adjustments).
> 
> Cong Wang (5):
>       net_sched: switch to rcu_work
>       net_sched: fix a race condition in tcindex_destroy()
>       net_sched: fix a memory leak in cls_tcindex
>       net_sched: initialize net pointer inside tcf_exts_init()
>       net_sched: fix two more memory leaks in cls_tcindex
> 
> Hangbin Liu (1):
>       net_sched: fix NULL pointer dereference when delete tcindex filter
> 
> Tejun Heo (1):
>       RCU, workqueue: Implement rcu_work
> 
>  include/linux/workqueue.h |  23 ++++++++++++
>  include/net/pkt_cls.h     |   7 ++--
>  kernel/workqueue.c        |  54 +++++++++++++++++++++++++++
>  net/sched/cls_api.c       |   6 +--
>  net/sched/cls_basic.c     |  26 ++++---------
>  net/sched/cls_bpf.c       |  24 ++++--------
>  net/sched/cls_cgroup.c    |  25 +++----------
>  net/sched/cls_flow.c      |  26 ++++---------
>  net/sched/cls_flower.c    |  42 ++++++---------------
>  net/sched/cls_fw.c        |  29 +++++----------
>  net/sched/cls_matchall.c  |  23 +++---------
>  net/sched/cls_route.c     |  25 +++++--------
>  net/sched/cls_rsvp.h      |  27 +++++---------
>  net/sched/cls_tcindex.c   | 141 +++++++++++++++++++++++++++++++++-------------------------------------
>  net/sched/cls_u32.c       |  45 +++++++----------------
>  15 files changed, 239 insertions(+), 284 deletions(-)
> 
> 
