mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-29 13:53:33 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Taehee Yoo 402e43234d sch_dsmark: fix a NULL deref in qdisc_reset() 
[ Upstream commit 9b76eade16 ]

If Qdisc_ops->init() is failed, Qdisc_ops->reset() would be called.
When dsmark_init(Qdisc_ops->init()) is failed, it possibly doesn't
initialize dsmark_qdisc_data->q. But dsmark_reset(Qdisc_ops->reset())
uses dsmark_qdisc_data->q pointer wihtout any null checking.
So, panic would occur.

Test commands:
    sysctl net.core.default_qdisc=dsmark -w
    ip link add dummy0 type dummy
    ip link add vw0 link dummy0 type virt_wifi
    ip link set vw0 up

Splat looks like:
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 3 PID: 684 Comm: ip Not tainted 5.12.0+ #910
RIP: 0010:qdisc_reset+0x2b/0x680
Code: 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 41 57 41 56 41 55 41 54
55 48 89 fd 48 83 c7 18 53 48 89 fa 48 c1 ea 03 48 83 ec 20 <80> 3c 02
00 0f 85 09 06 00 00 4c 8b 65 18 0f 1f 44 00 00 65 8b 1d
RSP: 0018:ffff88800fda6bf8 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: ffff8880050ed800 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffffffff99e34100 RDI: 0000000000000018
RBP: 0000000000000000 R08: fffffbfff346b553 R09: fffffbfff346b553
R10: 0000000000000001 R11: fffffbfff346b552 R12: ffffffffc0824940
R13: ffff888109e83800 R14: 00000000ffffffff R15: ffffffffc08249e0
FS:  00007f5042287680(0000) GS:ffff888119800000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ae1f4dbd90 CR3: 0000000006760002 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ? rcu_read_lock_bh_held+0xa0/0xa0
 dsmark_reset+0x3d/0xf0 [sch_dsmark]
 qdisc_reset+0xa9/0x680
 qdisc_destroy+0x84/0x370
 qdisc_create_dflt+0x1fe/0x380
 attach_one_default_qdisc.constprop.41+0xa4/0x180
 dev_activate+0x4d5/0x8c0
 ? __dev_open+0x268/0x390
 __dev_open+0x270/0x390

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-06-03 08:36:25 +02:00
..
6lowpan
9p net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid 2020-11-05 11:06:57 +01:00
802
8021q net: vlan: avoid leaks on register_vlan_dev() failures 2021-01-17 13:58:58 +01:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-04-07 12:47:02 +02:00
atm atm: fix a memory leak of vcc->user_back 2020-10-01 13:12:42 +02:00
ax25 AX.25: Prevent integer overflows in connect and sendmsg 2020-07-31 16:44:44 +02:00
batman-adv batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field 2021-04-16 11:57:48 +02:00
bluetooth Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails 2021-06-03 08:36:18 +02:00
bpf
bridge net: bridge: use switchdev for port flags set through sysfs too 2021-03-07 11:27:43 +01:00
caif
can can: af_can: prevent potential access of uninitialized member in canfd_rcv() 2020-11-24 13:05:47 +01:00
ceph libceph: clear con->out_msg on Policy::stateful_server faults 2020-11-05 11:07:03 +01:00
core bpf: Set mac_len in bpf_skb_change_head 2021-06-03 08:36:24 +02:00
dcb net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands 2021-01-23 15:48:46 +01:00
dccp ipv6: weaken the v4mapped source check 2021-04-07 12:47:00 +02:00
decnet
dns_resolver
dsa
ethernet
hsr hsr: use netdev_err() instead of WARN_ONCE() 2021-05-22 10:57:24 +02:00
ieee802154 net: ieee802154: forbid monitor for add llsec seclevel 2021-04-28 12:08:41 +02:00
ife
ipv4 netfilter: x_tables: fix compat match/target pad out-of-bound write 2021-04-16 11:57:53 +02:00
ipv6 ipv6: record frag_max_size in atomic fragments in input path 2021-06-03 08:36:25 +02:00
ipx
iucv net/af_iucv: set correct sk_protocol for child sockets 2020-12-08 10:17:32 +01:00
kcm
key af_key: relax availability checks for skb size calculation 2021-02-23 14:00:29 +01:00
l2tp l2tp: remove skb_dst_set() from l2tp_xmit_skb() 2020-07-22 09:22:19 +02:00
l3mdev
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:12:08 +01:00
llc llc: make sure applications use ARPHRD_ETHER 2020-07-22 09:22:20 +02:00
mac80211 mac80211: extend protection against mixed key and fragment cache attacks 2021-06-03 08:36:14 +02:00
mac802154 net: mac802154: Fix general protection fault 2021-04-16 11:57:52 +02:00
mpls net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 2021-03-17 16:34:28 +01:00
ncsi net/ncsi: Avoid GFP_KERNEL in response handler 2021-04-16 11:57:51 +02:00
netfilter netfilter: x_tables: Use correct memory barriers. 2021-06-03 08:36:11 +02:00
netlabel cipso,calipso: resolve a number of problems with the DOI refcounts 2021-03-17 16:34:29 +01:00
netlink genetlink: remove genl_bind 2020-07-22 09:22:19 +02:00
netrom
nfc NFC: nci: fix memory leak in nci_allocate_device 2021-06-03 08:36:11 +02:00
nsh
openvswitch openvswitch: fix stack OOB read while fragmenting IPv4 packets 2021-05-22 10:57:21 +02:00
packet net/packet: fix overflow in tpacket_rcv 2020-10-14 09:51:09 +02:00
phonet
psample
qrtr net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() 2021-03-30 14:40:12 +02:00
rds rds: Prevent kernel-infoleak in rds_notify_queue_get() 2020-08-05 10:06:50 +02:00
rfkill
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-12-08 10:17:32 +01:00
rxrpc rxrpc: Fix handling of an unsupported token type in rxrpc_read() 2021-01-23 15:48:47 +01:00
sched sch_dsmark: fix a NULL deref in qdisc_reset() 2021-06-03 08:36:25 +02:00
sctp sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b 2021-05-22 10:57:38 +02:00
smc
strparser
sunrpc rpc: fix NULL dereference on kmalloc failure 2021-04-07 12:47:00 +02:00
switchdev
tipc tipc: skb_linearize the head skb when reassembling msgs 2021-06-03 08:36:19 +02:00
tls
unix skbuff: fix a data race in skb_queue_len() 2020-10-01 13:12:33 +02:00
vmw_vsock vsock/vmci: log once the failed queue pair allocation 2021-05-22 10:57:34 +02:00
wimax
wireless cfg80211: mitigate A-MSDU aggregation attacks 2021-06-03 08:36:13 +02:00
x25 net/x25: prevent a couple of overflows 2020-12-08 10:17:33 +01:00
xfrm xfrm: Fix oops in xfrm_replay_advance_bmp 2021-02-03 23:22:22 +01:00
compat.c net/compat: Add missing sock updates for SCM_RIGHTS 2020-08-21 09:48:18 +02:00
Kconfig
Makefile
socket.c net: Set fput_needed iff FDPUT_FPUT is set 2020-08-21 09:48:14 +02:00
sysctl_net.c