mirror of https://github.com/torvalds/linux.git
3cb7cf1540
Most qdiscs maintain their backlog using qdisc_pkt_len(skb)
on the assumption it is invariant between the enqueue()
and dequeue() handlers.
Unfortunately syzbot can crash a host rather easily using
a TBF + SFQ combination, with an STAB on SFQ [1]
We can't support TCA_STAB on arbitrary level, this would
require to maintain per-qdisc storage.
[1]
[ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 88.798611] #PF: supervisor read access in kernel mode
[ 88.799014] #PF: error_code(0x0000) - not-present page
[ 88.799506] PGD 0 P4D 0
[ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI
[ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117
[ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00
All code
========
0: 0f b7 50 12 movzwl 0x12(%rax),%edx
4: 48 8d 04 d5 00 00 00 lea 0x0(,%rdx,8),%rax
b: 00
c: 48 89 d6 mov %rdx,%rsi
f: 48 29 d0 sub %rdx,%rax
12: 48 8b 91 c0 01 00 00 mov 0x1c0(%rcx),%rdx
19: 48 c1 e0 03 shl $0x3,%rax
1d: 48 01 c2 add %rax,%rdx
20: 66 83 7a 1a 00 cmpw $0x0,0x1a(%rdx)
25: 7e c0 jle 0xffffffffffffffe7
27: 48 8b 3a mov (%rdx),%rdi
2a:* 4c 8b 07 mov (%rdi),%r8 <-- trapping instruction
2d: 4c 89 02 mov %r8,(%rdx)
30: 49 89 50 08 mov %rdx,0x8(%r8)
34: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi)
3b: 00
3c: 48 rex.W
3d: c7 .byte 0xc7
3e: 07 (bad)
...
Code starting with the faulting instruction
===========================================
0: 4c 8b 07 mov (%rdi),%r8
3: 4c 89 02 mov %r8,(%rdx)
6: 49 89 50 08 mov %rdx,0x8(%r8)
a: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi)
11: 00
12: 48 rex.W
13: c7 .byte 0xc7
14: 07 (bad)
...
[ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206
[ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800
[ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000
[ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f
[ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140
[ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac
[ 88.806734] FS: 00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000
[ 88.807225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0
[ 88.808165] Call Trace:
[ 88.808459] <TASK>
[ 88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715)
[ 88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
[ 88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
[ 88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq
[ 88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_generic.c:1036)
[ 88.810950] tbf_reset (./include/linux/timekeeping.h:169 net/sched/sch_tbf.c:334) sch_tbf
[ 88.811208] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_generic.c:1036)
[ 88.811484] netif_set_real_num_tx_queues (./include/linux/spinlock.h:396 ./include/net/sch_generic.h:768 net/core/dev.c:2958)
[ 88.811870] __tun_detach (drivers/net/tun.c:590 drivers/net/tun.c:673)
[ 88.812271] tun_chr_close (drivers/net/tun.c:702 drivers/net/tun.c:3517)
[ 88.812505] __fput (fs/file_table.c:432 (discriminator 1))
[ 88.812735] task_work_run (kernel/task_work.c:230)
[ 88.813016] do_exit (kernel/exit.c:940)
[ 88.813372] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4))
[ 88.813639] ? handle_mm_fault (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/memcontrol.h:1022 ./include/linux/memcontrol.h:1045 ./include/linux/memcontrol.h:1052 mm/memory.c:5928 mm/memory.c:6088)
[ 88.813867] do_group_exit (kernel/exit.c:1070)
[ 88.814138] __x64_sys_exit_group (kernel/exit.c:1099)
[ 88.814490] x64_sys_call (??:?)
[ 88.814791] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
[ 88.815012] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 88.815495] RIP: 0033:0x7f44560f1975
Fixes:
|
||
|---|---|---|
| .. | ||
| 9p | ||
| bluetooth | ||
| caif | ||
| iucv | ||
| libeth | ||
| mana | ||
| netfilter | ||
| netns | ||
| nfc | ||
| page_pool | ||
| phonet | ||
| sctp | ||
| tc_act | ||
| 6lowpan.h | ||
| Space.h | ||
| act_api.h | ||
| addrconf.h | ||
| af_ieee802154.h | ||
| af_rxrpc.h | ||
| af_unix.h | ||
| af_vsock.h | ||
| ah.h | ||
| amt.h | ||
| arp.h | ||
| atmclip.h | ||
| ax25.h | ||
| ax88796.h | ||
| bareudp.h | ||
| bond_3ad.h | ||
| bond_alb.h | ||
| bond_options.h | ||
| bonding.h | ||
| bpf_sk_storage.h | ||
| busy_poll.h | ||
| calipso.h | ||
| cfg80211-wext.h | ||
| cfg80211.h | ||
| cfg802154.h | ||
| checksum.h | ||
| cipso_ipv4.h | ||
| cls_cgroup.h | ||
| codel.h | ||
| codel_impl.h | ||
| codel_qdisc.h | ||
| compat.h | ||
| datalink.h | ||
| dcbevent.h | ||
| dcbnl.h | ||
| devlink.h | ||
| dropreason-core.h | ||
| dropreason.h | ||
| dsa.h | ||
| dsa_stubs.h | ||
| dscp.h | ||
| dsfield.h | ||
| dst.h | ||
| dst_cache.h | ||
| dst_metadata.h | ||
| dst_ops.h | ||
| eee.h | ||
| erspan.h | ||
| esp.h | ||
| espintcp.h | ||
| ethoc.h | ||
| failover.h | ||
| fib_notifier.h | ||
| fib_rules.h | ||
| firewire.h | ||
| flow.h | ||
| flow_dissector.h | ||
| flow_offload.h | ||
| fou.h | ||
| fq.h | ||
| fq_impl.h | ||
| garp.h | ||
| gen_stats.h | ||
| genetlink.h | ||
| geneve.h | ||
| gre.h | ||
| gro.h | ||
| gro_cells.h | ||
| gso.h | ||
| gtp.h | ||
| gue.h | ||
| handshake.h | ||
| hotdata.h | ||
| hwbm.h | ||
| icmp.h | ||
| ieee8021q.h | ||
| ieee80211_radiotap.h | ||
| ieee802154_netdev.h | ||
| if_inet6.h | ||
| ife.h | ||
| inet6_connection_sock.h | ||
| inet6_hashtables.h | ||
| inet_common.h | ||
| inet_connection_sock.h | ||
| inet_dscp.h | ||
| inet_ecn.h | ||
| inet_frag.h | ||
| inet_hashtables.h | ||
| inet_sock.h | ||
| inet_timewait_sock.h | ||
| inetpeer.h | ||
| ioam6.h | ||
| ip.h | ||
| ip6_checksum.h | ||
| ip6_fib.h | ||
| ip6_route.h | ||
| ip6_tunnel.h | ||
| ip_fib.h | ||
| ip_tunnels.h | ||
| ip_vs.h | ||
| ipcomp.h | ||
| ipconfig.h | ||
| ipv6.h | ||
| ipv6_frag.h | ||
| ipv6_stubs.h | ||
| iw_handler.h | ||
| kcm.h | ||
| l3mdev.h | ||
| lag.h | ||
| lapb.h | ||
| lib80211.h | ||
| llc.h | ||
| llc_c_ac.h | ||
| llc_c_ev.h | ||
| llc_c_st.h | ||
| llc_conn.h | ||
| llc_if.h | ||
| llc_pdu.h | ||
| llc_s_ac.h | ||
| llc_s_ev.h | ||
| llc_s_st.h | ||
| llc_sap.h | ||
| lwtunnel.h | ||
| mac80211.h | ||
| mac802154.h | ||
| macsec.h | ||
| mctp.h | ||
| mctpdevice.h | ||
| mip6.h | ||
| mld.h | ||
| mpls.h | ||
| mpls_iptunnel.h | ||
| mptcp.h | ||
| mrp.h | ||
| ncsi.h | ||
| ndisc.h | ||
| neighbour.h | ||
| net_debug.h | ||
| net_failover.h | ||
| net_namespace.h | ||
| net_ratelimit.h | ||
| net_trackers.h | ||
| netdev_queues.h | ||
| netdev_rx_queue.h | ||
| netevent.h | ||
| netkit.h | ||
| netlabel.h | ||
| netlink.h | ||
| netmem.h | ||
| netprio_cgroup.h | ||
| netrom.h | ||
| nexthop.h | ||
| nl802154.h | ||
| nsh.h | ||
| p8022.h | ||
| pfcp.h | ||
| pie.h | ||
| ping.h | ||
| pkt_cls.h | ||
| pkt_sched.h | ||
| pptp.h | ||
| proto_memory.h | ||
| protocol.h | ||
| psample.h | ||
| psnap.h | ||
| raw.h | ||
| rawv6.h | ||
| red.h | ||
| regulatory.h | ||
| request_sock.h | ||
| rose.h | ||
| route.h | ||
| rpl.h | ||
| rps.h | ||
| rsi_91x.h | ||
| rstreason.h | ||
| rtnetlink.h | ||
| rtnh.h | ||
| sch_generic.h | ||
| scm.h | ||
| secure_seq.h | ||
| seg6.h | ||
| seg6_hmac.h | ||
| seg6_local.h | ||
| selftests.h | ||
| slhc_vj.h | ||
| smc.h | ||
| snmp.h | ||
| sock.h | ||
| sock_reuseport.h | ||
| stp.h | ||
| strparser.h | ||
| switchdev.h | ||
| tc_wrapper.h | ||
| tcp.h | ||
| tcp_ao.h | ||
| tcp_states.h | ||
| tcx.h | ||
| timewait_sock.h | ||
| tipc.h | ||
| tls.h | ||
| tls_prot.h | ||
| tls_toe.h | ||
| transp_v6.h | ||
| tso.h | ||
| tun_proto.h | ||
| udp.h | ||
| udp_tunnel.h | ||
| udplite.h | ||
| vsock_addr.h | ||
| vxlan.h | ||
| wext.h | ||
| x25.h | ||
| x25device.h | ||
| xdp.h | ||
| xdp_priv.h | ||
| xdp_sock.h | ||
| xdp_sock_drv.h | ||
| xfrm.h | ||
| xsk_buff_pool.h | ||