On Thu, Oct 31, 2019 at 11:42:59AM -0700, Zubin Mithra wrote:
From: Cong Wang <xiyou.wangcong@xxxxxxxxx>

commit 8b142a00edcf8422ca48b8de88d286efb500cb53 upstream

At least sch_red and sch_tbf don't implement ->tcf_block()
while still have a non-zero tc "class".

Instead of adding nop implementations to each of such qdisc's,
we can just relax the check of cops->tcf_block() in
tc_bind_tclass(). They don't support TC filter anyway.

Reported-by: syzbot+21b29db13c065852f64b@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
Cc: Jiri Pirko <jiri@xxxxxxxxxxx>
Signed-off-by: Cong Wang <xiyou.wangcong@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Zubin Mithra <zsm@xxxxxxxxxxxx>
---
Notes:
* Syzkaller triggered a NULL pointer dereference with the following
  stacktrace:
    tc_bind_tclass+0x139/0x550 net/sched/sch_api.c:1697
    tc_ctl_tclass+0x9de/0xb30 net/sched/sch_api.c:1831
    rtnetlink_rcv_msg+0x545/0x1010 net/core/rtnetlink.c:4287
    netlink_rcv_skb+0x15e/0x3a0 net/netlink/af_netlink.c:2432
    rtnetlink_rcv+0x22/0x30 net/core/rtnetlink.c:4299
    netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
    netlink_unicast+0x4ac/0x6a0 net/netlink/af_netlink.c:1312
    netlink_sendmsg+0x943/0xec0 net/netlink/af_netlink.c:1877
    sock_sendmsg_nosec net/socket.c:646 [inline]
    sock_sendmsg+0xd5/0x110 net/socket.c:656
    ___sys_sendmsg+0x754/0x890 net/socket.c:2062
    __sys_sendmsg+0xd2/0x1f0 net/socket.c:2096
    C_SYSC_sendmsg net/compat.c:744 [inline]
    compat_SyS_sendmsg+0x2f/0x40 net/compat.c:742
    do_syscall_32_irqs_on arch/x86/entry/common.c:352 [inline]
    do_fast_syscall_32+0x3bb/0xdd1 arch/x86/entry/common.c:415
    entry_SYSENTER_compat+0x84/0x96 arch/x86/entry/entry_64_compat.S:139

* This commit is present in linux-4.19.y.

* Tests run: Chrome OS tryjobs, Syzkaller reproducer

Queued up for 4.14, thank you.

--
Thanks,
Sasha
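
The bug class named in the quoted commit message (an optional ops callback called without a NULL check), modelled in user space as an added example; it is not the kernel source and not part of the original thread. All type and function names are hypothetical, and it assumes that "relaxing the check" means returning early when the callback is absent.

```c
#include <stddef.h>

/* User-space model only; these are not the kernel's definitions. */
struct block { int bound; };          /* stands in for a filter block */

struct class_ops {
    unsigned long (*find)(unsigned int classid);
    struct block *(*tcf_block)(unsigned long cl);   /* optional, may be NULL */
};

static struct block filter_block;

static unsigned long find_any(unsigned int classid) { return classid ? 1UL : 0UL; }
static struct block *get_block(unsigned long cl) { (void)cl; return &filter_block; }

/* One qdisc model with filter support, and one like the sch_red/sch_tbf case
 * in the commit message: a non-zero class but no ->tcf_block callback. */
static const struct class_ops ops_with_filters = { find_any, get_block };
static const struct class_ops ops_no_filters   = { find_any, NULL };

/* Returns 1 if a filter block was rebound, 0 if there was nothing to bind. */
int bind_class_model(const struct class_ops *cops, unsigned int classid)
{
    unsigned long cl = cops->find(classid);
    struct block *b;

    if (!cl)
        return 0;
    /* Without this test, the call below goes through a NULL function
     * pointer for ops_no_filters, which is the crash syzbot reported. */
    if (!cops->tcf_block)
        return 0;
    b = cops->tcf_block(cl);
    if (!b)
        return 0;
    b->bound++;
    return 1;
}

int main(void)
{
    /* Exit status 0 means both cases behaved as expected. */
    int ok = bind_class_model(&ops_with_filters, 1) == 1 &&
             bind_class_model(&ops_no_filters, 1) == 0;
    return ok ? 0 : 1;
}
```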