[SRU][B][PATCH 0/7] net_sched: fix NULL pointer dereference and memory leaks
Andrea Righi
andrea.righi at canonical.com
Wed May 15 13:02:34 UTC 2019
Buglink: https://bugs.launchpad.net/bugs/1825942
[Impact]
It is possible to trigger a NULL pointer dereference in tcindex_delete() with a
simple reproducer script, this is because in tcindex_set_parms() when old_r
doesn't exist we set the new exts to cr.exts that can be uninitialized,
triggering the NULL pointer dereference.
In addition to that we may also hit a race condition in tcindex_destroy() (as
pointed out in the original bug report and also here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542#10), that is also
fixed upstream, but it requires 4b79817f7add "net_sched: switch to rcu_work".
However adding these changes introduces three memory leak problems in
cls_tcindex (that can be easily verified using the same test case). These leaks
are also fixed upstream by 711ff09f3330 "net_sched: fix a memory leak in
cls_tcindex" and 000d2aeda70c "net_sched: fix two more memory leaks in
cls_tcindex", so we need to backport also these two additional fixes.
After all these fixes are applied the test case doesn't seem to trigger any
bug.
[Test Case]
#!/bin/sh -ex
modprobe ifb
while true; do
tc qdisc add dev ifb0 root handle 2:0 prio bands 5
tc qdisc add dev ifb0 parent 2:5 sfq
tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
tc qdisc del dev ifb0 root || true
done
[Fix]
Fixes required to solve this problem:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2df8bee5654bb2b7312662ca6810d4dc16b0b67f
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8015d93ebd27484418d4952284fd02172fa4b0b2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=033b228e7f26b29ae37f8bfa1bc6b209a5365e9f
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1db817e75f5b9387b8db11e37d5f0624eb9223e0
[Regression Potential]
All upstream fixes, tested on the affected platform, backport changes are
minimal (mostly offset adjustments).
Cong Wang (5):
net_sched: switch to rcu_work
net_sched: fix a race condition in tcindex_destroy()
net_sched: fix a memory leak in cls_tcindex
net_sched: initialize net pointer inside tcf_exts_init()
net_sched: fix two more memory leaks in cls_tcindex
Hangbin Liu (1):
net_sched: fix NULL pointer dereference when delete tcindex filter
Tejun Heo (1):
RCU, workqueue: Implement rcu_work
include/linux/workqueue.h | 23 ++++++++++++
include/net/pkt_cls.h | 7 ++--
kernel/workqueue.c | 54 +++++++++++++++++++++++++++
net/sched/cls_api.c | 6 +--
net/sched/cls_basic.c | 26 ++++---------
net/sched/cls_bpf.c | 24 ++++--------
net/sched/cls_cgroup.c | 25 +++----------
net/sched/cls_flow.c | 26 ++++---------
net/sched/cls_flower.c | 42 ++++++---------------
net/sched/cls_fw.c | 29 +++++----------
net/sched/cls_matchall.c | 23 +++---------
net/sched/cls_route.c | 25 +++++--------
net/sched/cls_rsvp.h | 27 +++++---------
net/sched/cls_tcindex.c | 141 +++++++++++++++++++++++++++++++++-------------------------------------
net/sched/cls_u32.c | 45 +++++++----------------
15 files changed, 239 insertions(+), 284 deletions(-)
More information about the kernel-team
mailing list