AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
551143d8d9
kernel_optimize_test/include/net
History
Eric Dumazet 551143d8d9 net_sched: fix a refcount_t issue with noop_qdisc 
syzkaller reported a refcount_t warning [1]

Issue here is that noop_qdisc refcnt was never really considered as
a true refcount, since qdisc_destroy() found TCQ_F_BUILTIN set :

if (qdisc->flags & TCQ_F_BUILTIN ||
    !refcount_dec_and_test(&qdisc->refcnt)))
	return;

Meaning that all atomic_inc() we did on noop_qdisc.refcnt were not
really needed, but harmless until refcount_t came.

To fix this problem, we simply need to not increment noop_qdisc.refcnt,
since we never decrement it.

[1]
refcount_t: increment on 0; use-after-free.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 21754 at lib/refcount.c:152 refcount_inc+0x47/0x50 lib/refcount.c:152
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 21754 Comm: syz-executor7 Not tainted 4.13.0-rc6+ #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 panic+0x1e4/0x417 kernel/panic.c:180
 __warn+0x1c4/0x1d9 kernel/panic.c:541
 report_bug+0x211/0x2d0 lib/bug.c:183
 fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:190
 do_trap_no_signal arch/x86/kernel/traps.c:224 [inline]
 do_trap+0x260/0x390 arch/x86/kernel/traps.c:273
 do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:310
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:323
 invalid_op+0x1e/0x30 arch/x86/entry/entry_64.S:846
RIP: 0010:refcount_inc+0x47/0x50 lib/refcount.c:152
RSP: 0018:ffff8801c43477a0 EFLAGS: 00010282
RAX: 000000000000002b RBX: ffffffff86093c14 RCX: 0000000000000000
RDX: 000000000000002b RSI: ffffffff8159314e RDI: ffffed0038868ee8
RBP: ffff8801c43477a8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff86093ac0
R13: 0000000000000001 R14: ffff8801d0f3bac0 R15: dffffc0000000000
 attach_default_qdiscs net/sched/sch_generic.c:792 [inline]
 dev_activate+0x7d3/0xaa0 net/sched/sch_generic.c:833
 __dev_open+0x227/0x330 net/core/dev.c:1380
 __dev_change_flags+0x695/0x990 net/core/dev.c:6726
 dev_change_flags+0x88/0x140 net/core/dev.c:6792
 dev_ifsioc+0x5a6/0x930 net/core/dev_ioctl.c:256
 dev_ioctl+0x2bc/0xf90 net/core/dev_ioctl.c:554
 sock_do_ioctl+0x94/0xb0 net/socket.c:968
 sock_ioctl+0x2c2/0x440 net/socket.c:1058
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691

Fixes: 7b93640502 ("net, sched: convert Qdisc.refcnt from atomic_t to refcount_t")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Reshetova, Elena <elena.reshetova@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-24 21:28:24 -07:00
..
9p 9p: Implement show_options 2017-07-11 06:08:58 -04:00
bluetooth Bluetooth: Set LE Default PHY preferences 2017-05-18 13:52:49 +02:00
caif
irda scripts/spelling.txt: add "overide" pattern and fix typo instances 2017-03-09 17:01:09 -08:00
iucv
netfilter net: convert nf_bridge_info.use from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
netns tcp: Namespaceify sysctl_tcp_timestamps 2017-06-08 10:53:29 -04:00
nfc NFC: Add nfc_dbg() macro 2017-04-05 10:15:20 +02:00
phonet
sctp sctp: fix the check for _sctp_walk_params and _sctp_walk_errors 2017-07-27 00:03:12 -07:00
tc_act net: sched: introduce helper to identify gact trap action 2017-06-06 12:45:23 -04:00
6lowpan.h 6lowpan: Fix IID format for Bluetooth 2017-04-12 22:02:36 +02:00
act_api.h net: sched: add termination action to allow goto chain 2017-05-17 15:22:13 -04:00
addrconf.h ipv6: fix NULL dereference in ip6_route_dev_notify() 2017-08-15 17:06:34 -07:00
af_ieee802154.h
af_rxrpc.h rxrpc: Provide a cmsg to specify the amount of Tx data for a call 2017-06-07 17:15:46 +01:00
af_unix.h Now that IPC and other changes have landed, enable manual markings for 2017-07-19 08:55:18 -07:00
af_vsock.h VSOCK: Add vsockmon tap functions 2017-04-24 12:35:56 -04:00
ah.h
arp.h net: convert neighbour.refcnt from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
atmclip.h
ax25.h net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t 2017-07-04 22:35:19 +01:00
ax88796.h
bond_3ad.h
bond_alb.h
bond_options.h bonding: Prevent duplicate userspace notification 2017-05-27 18:51:41 -04:00
bonding.h bonding: require speed/duplex only for 802.3ad, alb and tlb 2017-08-11 14:21:42 -07:00
busy_poll.h net: fix compilation when busy poll is not enabled 2017-08-11 14:59:24 -07:00
calipso.h net, calipso: convert calipso_doi.refcount from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
cfg80211-wext.h
cfg80211.h nl80211: add authorized flag to ROAM event 2017-06-13 11:04:37 +02:00
cfg802154.h
checksum.h csum: eliminate sparse warning in remcsum_unadjust() 2017-01-20 12:12:13 -05:00
cipso_ipv4.h net, ipv4: convert cipso_v4_doi.refcount from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
cls_cgroup.h
codel_impl.h
codel_qdisc.h
codel.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h net/devlink: Add E-Switch encapsulation control 2017-04-22 20:26:37 +03:00
dn_dev.h
dn_fib.h net, decnet: convert dn_fib_info.fib_clntref from atomic_t to refcount_t 2017-07-04 22:35:15 +01:00
dn_neigh.h
dn_nsp.h
dn_route.h
dn.h
dsa.h net: dsa: Associate slave network device with CPU port 2017-06-13 16:35:03 -04:00
dsfield.h
dst_cache.h
dst_metadata.h net: store port/representator id in metadata_dst 2017-06-25 11:42:01 -04:00
dst_ops.h net: add confirm_neigh method to dst_ops 2017-02-07 13:07:46 -05:00
dst.h net: add debug atomic_inc_not_zero() in dst_hold() 2017-06-17 22:54:01 -04:00
esp.h esp6: Reorganize esp_output 2017-04-14 10:06:42 +02:00
ethoc.h
fib_rules.h net: convert fib_rule.refcnt from atomic_t to refcount_t 2017-07-01 07:39:09 -07:00
firewire.h
flow_dissector.h net/flow_dissector: add support for dissection of misc ip header fields 2017-06-04 18:12:23 -04:00
flow.h flowcache: make flow_key_size() return "unsigned int" 2017-04-03 19:04:48 -07:00
flowcache.h flowcache: more "unsigned int" 2017-04-03 19:04:48 -07:00
fou.h
fq_impl.h
fq.h
garp.h
gen_stats.h
genetlink.h genetlink: remove ops_list from genetlink header. 2017-06-05 10:54:55 -04:00
geneve.h
gre.h
gro_cells.h gro_cells: move to net/core/gro_cells.c 2017-02-08 14:38:18 -05:00
gtp.h
gue.h
hwbm.h
icmp.h
ieee80211_radiotap.h wireless: radiotap: rewrite the radiotap header file 2017-01-25 16:00:33 +01:00
ieee802154_netdev.h
if_inet6.h net, ipv6: convert ifacaddr6.aca_refcnt from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
ife.h net: Introduce ife encapsulation module 2017-02-03 15:16:45 -05:00
ila.h
inet_common.h net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
inet_connection_sock.h tcp: ULP infrastructure 2017-06-15 12:12:40 -04:00
inet_ecn.h
inet_frag.h Merge branch 'for-4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu 2017-07-06 08:59:41 -07:00
inet_hashtables.h net: make sk_ehashfn() static 2017-07-03 03:29:14 -07:00
inet_sock.h net/tcp-fastopen: Add new API support 2017-01-25 14:04:38 -05:00
inet_timewait_sock.h
inet6_connection_sock.h inet: drop ->bind_conflict 2017-01-18 13:04:28 -05:00
inet6_hashtables.h
inetpeer.h net: convert inet_peer.refcnt from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
ip_fib.h net, ipv4: convert fib_info.fib_clntref from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
ip_tunnels.h ip_tunnel: Allow policy-based routing through tunnels 2017-04-21 13:21:31 -04:00
ip_vs.h ipvs: remove unused function ip_vs_set_state_timeout 2017-04-28 12:00:10 +02:00
ip.h ipv4: better IP_MAX_MTU enforcement 2017-08-16 16:28:47 -07:00
ip6_checksum.h
ip6_fib.h ipv6: add rcu grace period before freeing fib6_node 2017-08-22 11:03:19 -07:00
ip6_route.h net: ipv6: Compare lwstate in detecting duplicate nexthops 2017-07-06 10:48:01 +01:00
ip6_tunnel.h ip6_tunnel: Allow policy-based routing through tunnels 2017-04-21 13:21:30 -04:00
ipcomp.h
ipconfig.h
ipv6.h net, ipv6: convert ipv6_txoptions.refcnt from atomic_t to refcount_t 2017-07-04 01:29:03 -07:00
ipx.h net, ipx: convert ipx_route.refcnt from atomic_t to refcount_t 2017-07-04 22:35:17 +01:00
iw_handler.h wext: uninline stream addition functions 2017-01-13 09:38:42 +01:00
kcm.h
l3mdev.h
lapb.h net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h net, llc: convert llc_sap.refcnt from atomic_t to refcount_t 2017-07-04 22:35:15 +01:00
lwtunnel.h net: add extack arg to lwtunnel build state 2017-05-30 11:55:32 -04:00
mac80211.h mac80211: add api to start ba session timer expired flow 2017-08-09 09:49:42 +03:00
mac802154.h
mip6.h
mld.h
mpls_iptunnel.h net: mpls: Increase max number of labels for lwt encap 2017-04-01 20:21:44 -07:00
mpls.h
mrp.h
ncsi.h
ndisc.h net: convert neighbour.refcnt from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
neighbour.h Now that IPC and other changes have landed, enable manual markings for 2017-07-19 08:55:18 -07:00
net_namespace.h Now that IPC and other changes have landed, enable manual markings for 2017-07-19 08:55:18 -07:00
net_ratelimit.h
netevent.h
netlabel.h net: convert netlbl_lsm_cache.refcount from atomic_t to refcount_t 2017-07-01 07:39:09 -07:00
netlink.h netlink: correctly document nla_put_u64_64bit() 2017-07-13 09:26:27 -07:00
netprio_cgroup.h
netrom.h net, netrom: convert nr_node.refcount from atomic_t to refcount_t 2017-07-04 22:35:17 +01:00
nexthop.h
nl802154.h
p8022.h
ping.h
pkt_cls.h sched: add helper for updating statistics on all actions 2017-05-31 17:58:13 -04:00
pkt_sched.h net: sched: move tc_classify function to cls_api.c 2017-05-17 15:22:13 -04:00
pptp.h
protocol.h net: Add sysctl to toggle early demux for tcp and udp 2017-03-24 13:17:07 -07:00
psample.h net: Introduce psample, a new genetlink channel for packet sampling 2017-01-24 13:44:28 -05:00
psnap.h
raw.h
rawv6.h
red.h
regulatory.h
request_sock.h net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
rose.h
route.h ipv4: call dst_hold_safe() properly 2017-06-17 22:54:00 -04:00
rtnetlink.h net: add netlink_ext_ack argument to rtnl_link_ops.slave_validate 2017-06-26 23:13:22 -04:00
sch_generic.h net_sched: fix a refcount_t issue with noop_qdisc 2017-08-24 21:28:24 -07:00
scm.h sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h> 2017-03-02 08:42:31 +01:00
secure_seq.h tcp: Namespaceify sysctl_tcp_timestamps 2017-06-08 10:53:29 -04:00
seg6_hmac.h
seg6.h
slhc_vj.h
smc.h
snmp.h
sock_reuseport.h
sock.h datagram: When peeking datagrams with offset < 0 don't skip empty skbs 2017-08-18 15:12:54 -07:00
Space.h
stp.h
strparser.h
switchdev.h net: switchdev: add SET_SWITCHDEV_OPS helper 2017-07-01 08:51:32 -07:00
tcp_states.h
tcp.h tcp: introduce tcp_rto_delta_us() helper for xmit timer fix 2017-08-03 15:38:30 -07:00
timewait_sock.h
tls.h tls: kernel TLS support 2017-06-15 12:12:40 -04:00
transp_v6.h
tso.h
udp_tunnel.h
udp.h udp: fix linear skb reception with PEEK_OFF 2017-08-14 22:26:51 -07:00
udplite.h udp: use a separate rx queue for packet reception 2017-05-16 15:41:29 -04:00
vsock_addr.h
vxlan.h net, vxlan: convert vxlan_sock.refcnt from atomic_t to refcount_t 2017-07-04 22:35:15 +01:00
wext.h dev_ioctl: copy only the smaller struct iwreq for wext 2017-06-14 13:52:44 +02:00
wimax.h
x25.h net, x25: convert x25_neigh.refcnt from atomic_t to refcount_t 2017-07-04 22:35:18 +01:00
x25device.h
xfrm.h net, xfrm: convert sec_path.refcnt from atomic_t to refcount_t 2017-07-04 22:35:18 +01:00