linux_old1/net/sched
Cong Wang bf63ac73b3 net_sched: fix an oops in tcindex filter
Kelly reported the following crash:

        IP: [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
        PGD 3009067 PUD 300c067 PMD 11ff30067 PTE 800000011634b060
        Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
        CPU: 1 PID: 639 Comm: dhclient Not tainted 3.15.0-rc4+ #342
        Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
        task: ffff8801169ecd00 ti: ffff8800d21b8000 task.ti: ffff8800d21b8000
        RIP: 0010:[<ffffffff817a993d>]  [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
        RSP: 0018:ffff8800d21b9b90  EFLAGS: 00010283
        RAX: 00000000ffffffff RBX: ffff88011634b8e8 RCX: ffff8800cf7133d8
        RDX: ffff88011634b900 RSI: ffff8800cf7133e0 RDI: ffff8800d210f840
        RBP: ffff8800d21b9bb0 R08: ffffffff8287bf60 R09: 0000000000000001
        R10: ffff8800d2b22b24 R11: 0000000000000001 R12: ffff8800d210f840
        R13: ffff8800d21b9c50 R14: ffff8800cf7133e0 R15: ffff8800cad433d8
        FS:  00007f49723e1840(0000) GS:ffff88011a800000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: ffff88011634b8f0 CR3: 00000000ce469000 CR4: 00000000000006e0
        Stack:
         ffff8800d2170188 ffff8800d210f840 ffff8800d2171b90 0000000000000000
         ffff8800d21b9be8 ffffffff817c55bb ffff8800d21b9c50 ffff8800d2171b90
         ffff8800d210f840 ffff8800d21b0300 ffff8800d21b9c50 ffff8800d21b9c18
        Call Trace:
         [<ffffffff817c55bb>] tcindex_classify+0x88/0x9b
         [<ffffffff817a7f7d>] tc_classify_compat+0x3e/0x7b
         [<ffffffff817a7fdf>] tc_classify+0x25/0x9f
         [<ffffffff817b0e68>] htb_enqueue+0x55/0x27a
         [<ffffffff817b6c2e>] dsmark_enqueue+0x165/0x1a4
         [<ffffffff81775642>] __dev_queue_xmit+0x35e/0x536
         [<ffffffff8177582a>] dev_queue_xmit+0x10/0x12
         [<ffffffff818f8ecd>] packet_sendmsg+0xb26/0xb9a
         [<ffffffff810b1507>] ? __lock_acquire+0x3ae/0xdf3
         [<ffffffff8175cf08>] __sock_sendmsg_nosec+0x25/0x27
         [<ffffffff8175d916>] sock_aio_write+0xd0/0xe7
         [<ffffffff8117d6b8>] do_sync_write+0x59/0x78
         [<ffffffff8117d84d>] vfs_write+0xb5/0x10a
         [<ffffffff8117d96a>] SyS_write+0x49/0x7f
         [<ffffffff8198e212>] system_call_fastpath+0x16/0x1b

This is because we memcpy struct tcindex_filter_result which contains
struct tcf_exts, obviously struct list_head can not be simply copied.
This is a regression introduced by commit 33be627159
(net_sched: act: use standard struct list_head).

It's not very easy to fix it as the code is a mess:

       if (old_r)
               memcpy(&cr, r, sizeof(cr));
       else {
               memset(&cr, 0, sizeof(cr));
               tcf_exts_init(&cr.exts, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
       }
       ...
       tcf_exts_change(tp, &cr.exts, &e);
       ...
       memcpy(r, &cr, sizeof(cr));

the above code should equal to:

        tcindex_filter_result_init(&cr);
        if (old_r)
               cr.res = r->res;
        ...
        if (old_r)
               tcf_exts_change(tp, &r->exts, &e);
        else
               tcf_exts_change(tp, &cr.exts, &e);
        ...
        r->res = cr.res;

after this change, since there is no need to copy struct tcf_exts.

And it also fixes other places zero'ing struct's contains struct tcf_exts.

Fixes: commit 33be627159 (net_sched: act: use standard struct list_head)
Reported-by: Kelly Anderson <kelly@xilka.com>
Tested-by: Kelly Anderson <kelly@xilka.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-21 16:47:13 -04:00
..
Kconfig net: pkt_sched: PIE AQM scheme 2014-01-06 15:13:01 -05:00
Makefile net: pkt_sched: PIE AQM scheme 2014-01-06 15:13:01 -05:00
act_api.c net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-04-24 13:44:54 -04:00
act_csum.c net_sched: act: move tcf_hashinfo_init() into tcf_register_action() 2014-02-12 19:23:32 -05:00
act_gact.c net_sched: act: move tcf_hashinfo_init() into tcf_register_action() 2014-02-12 19:23:32 -05:00
act_ipt.c net_sched: act: move tcf_hashinfo_init() into tcf_register_action() 2014-02-12 19:23:32 -05:00
act_mirred.c net_sched: act: move tcf_hashinfo_init() into tcf_register_action() 2014-02-12 19:23:32 -05:00
act_nat.c net_sched: act: move tcf_hashinfo_init() into tcf_register_action() 2014-02-12 19:23:32 -05:00
act_pedit.c net_sched: act: move tcf_hashinfo_init() into tcf_register_action() 2014-02-12 19:23:32 -05:00
act_police.c net_sched: act: move tcf_hashinfo_init() into tcf_register_action() 2014-02-12 19:23:32 -05:00
act_simple.c net_sched: act: move tcf_hashinfo_init() into tcf_register_action() 2014-02-12 19:23:32 -05:00
act_skbedit.c net_sched: act: move tcf_hashinfo_init() into tcf_register_action() 2014-02-12 19:23:32 -05:00
cls_api.c net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-04-24 13:44:54 -04:00
cls_basic.c net_sched: avoid casting void pointer 2014-01-13 11:50:15 -08:00
cls_bpf.c net_sched: add struct net pointer to tcf_proto_ops->dump 2014-01-13 11:50:14 -08:00
cls_cgroup.c net_sched: add struct net pointer to tcf_proto_ops->dump 2014-01-13 11:50:14 -08:00
cls_flow.c net_sched: add struct net pointer to tcf_proto_ops->dump 2014-01-13 11:50:14 -08:00
cls_fw.c net: sched: use no more than one page in struct fw_head 2014-03-18 14:17:55 -04:00
cls_route.c net_sched: avoid casting void pointer 2014-01-13 11:50:15 -08:00
cls_rsvp.c
cls_rsvp.h net_sched: add struct net pointer to tcf_proto_ops->dump 2014-01-13 11:50:14 -08:00
cls_rsvp6.c
cls_tcindex.c net_sched: fix an oops in tcindex filter 2014-05-21 16:47:13 -04:00
cls_u32.c net_sched: avoid casting void pointer 2014-01-13 11:50:15 -08:00
em_canid.c net: em_canid: Ematch rule to match CAN frames according to their identifiers 2012-07-04 13:07:05 +02:00
em_cmp.c net_sched: cleanups 2011-01-19 23:31:12 -08:00
em_ipset.c em_ipset: use dev_net() accessor 2013-10-18 16:23:06 -04:00
em_meta.c net: Change skb_get_rxhash to skb_get_hash 2013-12-17 16:36:21 -05:00
em_nbyte.c net_sched: cleanups 2011-01-19 23:31:12 -08:00
em_text.c net_sched: cleanups 2011-01-19 23:31:12 -08:00
em_u32.c net_sched: cleanups 2011-01-19 23:31:12 -08:00
ematch.c net: Convert net_ratelimit uses to net_<level>_ratelimited 2012-05-15 13:45:03 -04:00
sch_api.c net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-04-24 13:44:54 -04:00
sch_atm.c net_sched: return nla_nest_end() instead of skb->len 2014-03-13 15:39:20 -04:00
sch_blackhole.c
sch_cbq.c net_sched: return nla_nest_end() instead of skb->len 2014-03-13 15:39:20 -04:00
sch_choke.c random32: add prandom_u32_max and convert open coded users 2014-01-21 23:17:20 -08:00
sch_codel.c fq_codel: should use qdisc backlog as threshold 2012-05-16 15:30:26 -04:00
sch_drr.c net_sched: add 64bit rate estimators 2013-06-11 02:51:03 -07:00
sch_dsmark.c sch_dsmark: use correct func name in print messages 2013-12-31 13:50:57 -05:00
sch_fifo.c pkt_sched: Stop using NLA_PUT*(). 2012-04-01 18:11:37 -04:00
sch_fq.c net_sched: return nla_nest_end() instead of skb->len 2014-03-13 15:39:20 -04:00
sch_fq_codel.c net_sched: return nla_nest_end() instead of skb->len 2014-03-13 15:39:20 -04:00
sch_generic.c net-sysfs: expose number of carrier on/off changes 2014-03-31 16:24:52 -04:00
sch_gred.c net_sched: replace pr_warning with pr_warn 2013-12-31 13:50:56 -05:00
sch_hfsc.c net_sched: return nla_nest_end() instead of skb->len 2014-03-13 15:39:20 -04:00
sch_hhf.c net: sched: lock imbalance in hhf qdisc 2014-05-04 19:41:45 -04:00
sch_htb.c net_sched: htb: do not acquire qdisc lock in dump operations 2014-03-06 17:24:54 -05:00
sch_ingress.c net_sched: return nla_nest_end() instead of skb->len 2014-03-13 15:39:20 -04:00
sch_mq.c pkt_sched: give visibility to mq slave qdiscs 2013-12-09 19:54:47 -05:00
sch_mqprio.c pkt_sched: give visibility to mq slave qdiscs 2013-12-09 19:54:47 -05:00
sch_multiq.c net/*: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
sch_netem.c sch_netem: replace magic numbers with enumerate in get_loss_clg 2014-02-17 16:55:54 -05:00
sch_pie.c net: sched: Cleanup PIE comments 2014-02-13 18:29:58 -05:00
sch_plug.c net_sched: sch_plug: plug_qdisc_ops is static 2012-02-13 16:04:40 -05:00
sch_prio.c pkt_sched: Stop using NLA_PUT*(). 2012-04-01 18:11:37 -04:00
sch_qfq.c pkt_sched: sch_qfq: remove a source of high packet delay/jitter 2013-07-18 13:02:00 -07:00
sch_red.c pkt_sched: Stop using NLA_PUT*(). 2012-04-01 18:11:37 -04:00
sch_sfb.c net: replace macros net_random and net_srandom with direct calls to prandom 2014-01-14 15:15:25 -08:00
sch_sfq.c net: replace macros net_random and net_srandom with direct calls to prandom 2014-01-14 15:15:25 -08:00
sch_tbf.c net_sched: return nla_nest_end() instead of skb->len 2014-03-13 15:39:20 -04:00
sch_teql.c sch_teql: Convert over to dev_neigh_lookup_skb(). 2012-07-05 01:09:06 -07:00