From: Cong Wang <xiyou.wangcong@xxxxxxxxx>

commit 8b142a00edcf8422ca48b8de88d286efb500cb53 upstream

At least sch_red and sch_tbf don't implement ->tcf_block() while still
having a non-zero tc "class". Instead of adding nop implementations to
each such qdisc, we can just relax the check of cops->tcf_block() in
tc_bind_tclass().

They don't support TC filter anyway.

Reported-by: syzbot+21b29db13c065852f64b@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
Cc: Jiri Pirko <jiri@xxxxxxxxxxx>
Signed-off-by: Cong Wang <xiyou.wangcong@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Zubin Mithra <zsm@xxxxxxxxxxxx>
---
Notes:
* Syzkaller triggered a NULL pointer dereference with the following
  stacktrace:

  tc_bind_tclass+0x139/0x550 net/sched/sch_api.c:1697
  tc_ctl_tclass+0x9de/0xb30 net/sched/sch_api.c:1831
  rtnetlink_rcv_msg+0x545/0x1010 net/core/rtnetlink.c:4287
  netlink_rcv_skb+0x15e/0x3a0 net/netlink/af_netlink.c:2432
  rtnetlink_rcv+0x22/0x30 net/core/rtnetlink.c:4299
  netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
  netlink_unicast+0x4ac/0x6a0 net/netlink/af_netlink.c:1312
  netlink_sendmsg+0x943/0xec0 net/netlink/af_netlink.c:1877
  sock_sendmsg_nosec net/socket.c:646 [inline]
  sock_sendmsg+0xd5/0x110 net/socket.c:656
  ___sys_sendmsg+0x754/0x890 net/socket.c:2062
  __sys_sendmsg+0xd2/0x1f0 net/socket.c:2096
  C_SYSC_sendmsg net/compat.c:744 [inline]
  compat_SyS_sendmsg+0x2f/0x40 net/compat.c:742
  do_syscall_32_irqs_on arch/x86/entry/common.c:352 [inline]
  do_fast_syscall_32+0x3bb/0xdd1 arch/x86/entry/common.c:415
  entry_SYSENTER_compat+0x84/0x96 arch/x86/entry/entry_64_compat.S:139

* This commit is present in linux-4.19.y.
* Tests run: Chrome OS tryjobs, Syzkaller reproducer

 net/sched/sch_api.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 637949b576c63..296e95f72eb15 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1695,6 +1695,8 @@ static void tc_bind_tclass(struct Qdisc *q, u32 portid, u32 clid, cl = cops->find(q, portid); if (!cl) return; + if (!cops->tcf_block) + return; block = cops->tcf_block(q, cl); if (!block) return; -- 2.24.0.rc0.303.g954a862665-goog
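Review bot: the new `if (!cops->tcf_block) return;` is placed after `cl = cops->find(q, portid);`, so for a qdisc without filter support the class lookup is done and then discarded; consider hoisting the NULL check above the `cops->find()` call so the function bails out before doing any work, and add a one-line comment (e.g. "/* qdiscs such as sch_red/sch_tbf have classes but no tcf_block */") so a future reader does not mistake the early return for an error path that should have reported something. The fix itself is sound for the reported crash: the stacktrace shows the dereference at sch_api.c:1697, which is exactly the `cops->tcf_block(q, cl)` call this hunk now guards, and silently returning matches the behaviour of classful qdiscs that have no filters to bind.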