kernel_optimize_test/net/sched
Eric Dumazet cce6294cc2 net: sched: fix uses after free
syzbot reported one use-after-free in pfifo_fast_enqueue() [1]

Issue here is that we can not reuse skb after a successful skb_array_produce()
since another cpu might have consumed it already.

I believe a similar problem exists in try_bulk_dequeue_skb_slow()
in case we put an skb into qdisc_enqueue_skb_bad_txq() for lockless qdisc.

[1]
BUG: KASAN: use-after-free in qdisc_pkt_len include/net/sch_generic.h:610 [inline]
BUG: KASAN: use-after-free in qdisc_qstats_cpu_backlog_inc include/net/sch_generic.h:712 [inline]
BUG: KASAN: use-after-free in pfifo_fast_enqueue+0x4bc/0x5e0 net/sched/sch_generic.c:639
Read of size 4 at addr ffff8801cede37e8 by task syzkaller717588/5543

CPU: 1 PID: 5543 Comm: syzkaller717588 Not tainted 4.16.0-rc4+ #265
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 qdisc_pkt_len include/net/sch_generic.h:610 [inline]
 qdisc_qstats_cpu_backlog_inc include/net/sch_generic.h:712 [inline]
 pfifo_fast_enqueue+0x4bc/0x5e0 net/sched/sch_generic.c:639
 __dev_xmit_skb net/core/dev.c:3216 [inline]

Fixes: c5ad119fb6 ("net: sched: pfifo_fast use skb_array")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+ed43b6903ab968b16f54@syzkaller.appspotmail.com
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc:	Cong Wang <xiyou.wangcong@gmail.com>
Cc:	Jiri Pirko <jiri@resnulli.us>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-17 17:03:45 -04:00
..
act_api.c idr: Rename idr_for_each_entry_ext 2018-02-06 16:41:28 -05:00
act_bpf.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
act_connmark.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
act_csum.c net: use skb_is_gso_sctp() instead of open-coding 2018-03-09 11:41:47 -05:00
act_gact.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-09 10:37:00 -05:00
act_ife.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
act_ipt.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
act_meta_mark.c net: remove duplicate includes 2017-12-13 13:18:46 -05:00
act_meta_skbprio.c net sched actions: change IFE modules alias names 2017-10-12 22:13:20 -07:00
act_meta_skbtcindex.c net: remove duplicate includes 2017-12-13 13:18:46 -05:00
act_mirred.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-09 10:37:00 -05:00
act_nat.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
act_pedit.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
act_police.c net: sch: api: add extack support in qdisc_get_rtab 2017-12-21 12:32:50 -05:00
act_sample.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
act_simple.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
act_skbedit.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
act_skbmod.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
act_tunnel_key.c net sched actions: return explicit error when tunnel_key mode is not specified 2018-03-15 14:43:41 -04:00
act_vlan.c net_sched: switch to exit_batch for action pernet ops 2017-12-13 13:58:41 -05:00
cls_api.c net: sched: report if filter is too large to dump 2018-02-20 21:57:17 -05:00
cls_basic.c cls_basic: Convert to use idr_alloc_u32 2018-02-06 16:41:26 -05:00
cls_bpf.c cls_bpf: Convert to use idr_alloc_u32 2018-02-06 16:41:26 -05:00
cls_cgroup.c net: sched: propagate extack to cls->destroy callbacks 2018-01-24 16:01:09 -05:00
cls_flow.c net: sched: propagate extack to cls->destroy callbacks 2018-01-24 16:01:09 -05:00
cls_flower.c cls_flower: Convert to idr_alloc_u32 2018-02-06 16:41:26 -05:00
cls_fw.c net: sched: propagate extack to cls->destroy callbacks 2018-01-24 16:01:09 -05:00
cls_matchall.c cls_matchall: propagate extack to delete callback 2018-01-24 16:01:10 -05:00
cls_route.c net: sched: propagate extack to cls->destroy callbacks 2018-01-24 16:01:09 -05:00
cls_rsvp.c
cls_rsvp.h net: sched: propagate extack to cls->destroy callbacks 2018-01-24 16:01:09 -05:00
cls_rsvp6.c
cls_tcindex.c net: sched: propagate extack to cls->destroy callbacks 2018-01-24 16:01:09 -05:00
cls_u32.c net: sched: fix tc_u_common lookup 2018-02-13 12:29:02 -05:00
em_canid.c
em_cmp.c
em_ipset.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
em_meta.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
em_nbyte.c net: sched: em_nbyte: don't add the data offset twice 2018-01-24 14:52:40 -05:00
em_text.c
em_u32.c
ematch.c net: sched: ematch: obtain net pointer from blocks 2017-10-16 21:00:40 +01:00
Kconfig net/sched: kconfig: Remove blank help texts 2018-01-31 10:26:30 -05:00
Makefile Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
sch_api.c net: sched: introduce ingress/egress block index attributes for qdisc 2018-01-17 14:53:57 -05:00
sch_atm.c net: sch: api: add extack support in qdisc_create_dflt 2017-12-21 12:32:51 -05:00
sch_blackhole.c net_sched: drop packets after root qdisc lock is released 2016-06-25 12:19:35 -04:00
sch_cbq.c net: sch: sch_cbq: add extack support 2017-12-21 12:32:51 -05:00
sch_cbs.c net: sch: sch_cbs: add extack support 2017-12-21 12:32:51 -05:00
sch_choke.c net: sched: sch: add extack for change qdisc ops 2017-12-21 12:32:50 -05:00
sch_codel.c net: sched: sch: add extack for change qdisc ops 2017-12-21 12:32:50 -05:00
sch_drr.c net: sch: sch_drr: add extack support 2017-12-21 12:32:51 -05:00
sch_dsmark.c net: sch: api: add extack support in qdisc_create_dflt 2017-12-21 12:32:51 -05:00
sch_fifo.c net: sch: api: add extack support in qdisc_create_dflt 2017-12-21 12:32:51 -05:00
sch_fq_codel.c net: sch: api: add extack support in tcf_block_get 2017-12-21 12:32:51 -05:00
sch_fq.c net: sched: sch: add extack for change qdisc ops 2017-12-21 12:32:50 -05:00
sch_generic.c net: sched: fix uses after free 2018-03-17 17:03:45 -04:00
sch_gred.c net: sched: sch: add extack for change qdisc ops 2017-12-21 12:32:50 -05:00
sch_hfsc.c net: sch: api: add extack support in qdisc_create_dflt 2017-12-21 12:32:51 -05:00
sch_hhf.c net: sched: sch: add extack for change qdisc ops 2017-12-21 12:32:50 -05:00
sch_htb.c net: sch: api: add extack support in qdisc_create_dflt 2017-12-21 12:32:51 -05:00
sch_ingress.c net: sched: allow ingress and clsact qdiscs to share filter blocks 2018-01-17 14:53:57 -05:00
sch_mq.c net: sch: api: add extack support in qdisc_create_dflt 2017-12-21 12:32:51 -05:00
sch_mqprio.c net: sch: api: add extack support in qdisc_create_dflt 2017-12-21 12:32:51 -05:00
sch_multiq.c net: sch: api: add extack support in qdisc_create_dflt 2017-12-21 12:32:51 -05:00
sch_netem.c sch_netem: fix skb leak in netem_enqueue() 2018-03-07 11:18:14 -05:00
sch_pie.c net: sched: sch: add extack for change qdisc ops 2017-12-21 12:32:50 -05:00
sch_plug.c net: sched: sch: add extack for change qdisc ops 2017-12-21 12:32:50 -05:00
sch_prio.c net/sched/sch_prio.c: work around gcc-4.4.4 union initializer issues 2018-01-18 21:11:31 -05:00
sch_qfq.c net: sch: api: add extack support in qdisc_create_dflt 2017-12-21 12:32:51 -05:00
sch_red.c net: sched: red: don't reset the backlog on every stat dump 2018-01-17 14:29:32 -05:00
sch_sfb.c net: sch: api: add extack support in qdisc_create_dflt 2017-12-21 12:32:51 -05:00
sch_sfq.c net: sch: api: add extack support in tcf_block_get 2017-12-21 12:32:51 -05:00
sch_tbf.c net: sched: tbf: handle GSO_BY_FRAGS case in enqueue 2018-03-04 17:49:17 -05:00
sch_teql.c net: sched: sch: add extack for init callback 2017-12-21 12:32:50 -05:00