diff options
| author | Davide Caratti <dcaratti@redhat.com> | 2019-03-20 10:00:01 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-03-21 16:26:41 -0400 |
| commit | f5c29d83866d75585f9c89754de0b86b45ceab89 (patch) | |
| tree | 4819f92f42dec82b2d5a7aca9d2f067236a2016d | |
| parent | 4e1810049c267c203c19130301203d0591174535 (diff) | |
net/sched: act_csum: validate the control action inside init()
the following script:
# tc qdisc add dev crash0 clsact
# tc filter add dev crash0 egress matchall action csum icmp pass index 90
# tc actions replace action csum icmp goto chain 42 index 90 \
> cookie c1a0c1a0
# tc actions show action csum
had the following output:
Error: Failed to init TC action chain.
We have an error talking to the kernel
total acts 1
action order 0: csum (icmp) action goto chain 42
index 90 ref 2 bind 1
cookie c1a0c1a0
Then, the first packet transmitted by crash0 made the kernel crash:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
#PF error: [normal kernel read fault]
PGD 8000000074692067 P4D 8000000074692067 PUD 2e210067 PMD 0
Oops: 0000 [#1] SMP PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.0.0-rc4.gotochain_crash+ #533
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:tcf_action_exec+0xb8/0x100
Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
RSP: 0018:ffff93153da03be0 EFLAGS: 00010246
RAX: 000000002000002a RBX: ffff9314ee40f700 RCX: 0000000000003a00
RDX: 0000000000000000 RSI: ffff931537c87828 RDI: ffff931537c87818
RBP: ffff93153da03c80 R08: 00000000527cffff R09: 0000000000000003
R10: 000000000000003f R11: 0000000000000028 R12: ffff9314edf68400
R13: ffff9314edf68408 R14: 0000000000000001 R15: ffff9314ed67b600
FS: 0000000000000000(0000) GS:ffff93153da00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000073e32003 CR4: 00000000001606f0
Call Trace:
<IRQ>
tcf_classify+0x58/0x120
__dev_queue_xmit+0x40a/0x890
? ip6_finish_output2+0x369/0x590
ip6_finish_output2+0x369/0x590
? ip6_output+0x68/0x110
ip6_output+0x68/0x110
? nf_hook.constprop.35+0x79/0xc0
mld_sendpack+0x16f/0x220
mld_ifc_timer_expire+0x195/0x2c0
? igmp6_timer_handler+0x70/0x70
call_timer_fn+0x2b/0x130
run_timer_softirq+0x3e8/0x440
? tick_sched_timer+0x37/0x70
__do_softirq+0xe3/0x2f5
irq_exit+0xf0/0x100
smp_apic_timer_interrupt+0x6c/0x130
apic_timer_interrupt+0xf/0x20
</IRQ>
RIP: 0010:native_safe_halt+0x2/0x10
Code: 66 ff ff ff 7f f3 c3 65 48 8b 04 25 00 5c 01 00 f0 80 48 02 20 48 8b 00 a8 08 74 8b eb c1 90 90 90 90 90 90 90 90 90 90 fb f4 <c3> 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 f4 c3 90 90 90 90 90 90
RSP: 0018:ffffffff9a803e98 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: ffffffff99e184f0 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000087 RDI: 0000000000000000
RBP: 0000000000000000 R08: 000eb5c4572376b3 R09: 0000000000000000
R10: ffffa53e806a3ca0 R11: 00000000000f4240 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
? __sched_text_end+0x1/0x1
default_idle+0x1c/0x140
do_idle+0x1c4/0x280
cpu_startup_entry+0x19/0x20
start_kernel+0x49e/0x4be
secondary_startup_64+0xa4/0xb0
Modules linked in: act_csum veth ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 crct10dif_pclmul crc32_pclmul snd_hda_codec_generic ghash_clmulni_intel snd_hda_intel mbcache snd_hda_codec jbd2 snd_hwdep snd_hda_core snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd cryptd snd_timer glue_helper snd joydev virtio_balloon pcspkr soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect virtio_net sysimgblt net_failover fb_sys_fops virtio_console virtio_blk ttm failover drm ata_piix crc32c_intel floppy virtio_pci serio_raw libata virtio_ring virtio dm_mirror dm_region_hash dm_log dm_mod
CR2: 0000000000000000
Validating the control action within tcf_csum_init() proved to fix the
above issue. A TDC selftest is added to verify the correct behavior.
Fixes: db50514f9a9c ("net: sched: add termination action to allow goto chain")
Fixes: 97763dc0f401 ("net_sched: reject unknown tcfa_action values")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/sched/act_csum.c | 20 | ||||
| -rw-r--r-- | tools/testing/selftests/tc-testing/tc-tests/actions/csum.json | 25 |
2 files changed, 42 insertions, 3 deletions
diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c index 9ba0f61a1e82..0c77e7bdf6d5 100644 --- a/net/sched/act_csum.c +++ b/net/sched/act_csum.c | |||
| @@ -33,6 +33,7 @@ | |||
| 33 | #include <net/sctp/checksum.h> | 33 | #include <net/sctp/checksum.h> |
| 34 | 34 | ||
| 35 | #include <net/act_api.h> | 35 | #include <net/act_api.h> |
| 36 | #include <net/pkt_cls.h> | ||
| 36 | 37 | ||
| 37 | #include <linux/tc_act/tc_csum.h> | 38 | #include <linux/tc_act/tc_csum.h> |
| 38 | #include <net/tc_act/tc_csum.h> | 39 | #include <net/tc_act/tc_csum.h> |
| @@ -52,6 +53,7 @@ static int tcf_csum_init(struct net *net, struct nlattr *nla, | |||
| 52 | struct tc_action_net *tn = net_generic(net, csum_net_id); | 53 | struct tc_action_net *tn = net_generic(net, csum_net_id); |
| 53 | struct tcf_csum_params *params_new; | 54 | struct tcf_csum_params *params_new; |
| 54 | struct nlattr *tb[TCA_CSUM_MAX + 1]; | 55 | struct nlattr *tb[TCA_CSUM_MAX + 1]; |
| 56 | struct tcf_chain *goto_ch = NULL; | ||
| 55 | struct tc_csum *parm; | 57 | struct tc_csum *parm; |
| 56 | struct tcf_csum *p; | 58 | struct tcf_csum *p; |
| 57 | int ret = 0, err; | 59 | int ret = 0, err; |
| @@ -87,21 +89,27 @@ static int tcf_csum_init(struct net *net, struct nlattr *nla, | |||
| 87 | return err; | 89 | return err; |
| 88 | } | 90 | } |
| 89 | 91 | ||
| 92 | err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack); | ||
| 93 | if (err < 0) | ||
| 94 | goto release_idr; | ||
| 95 | |||
| 90 | p = to_tcf_csum(*a); | 96 | p = to_tcf_csum(*a); |
| 91 | 97 | ||
| 92 | params_new = kzalloc(sizeof(*params_new), GFP_KERNEL); | 98 | params_new = kzalloc(sizeof(*params_new), GFP_KERNEL); |
| 93 | if (unlikely(!params_new)) { | 99 | if (unlikely(!params_new)) { |
| 94 | tcf_idr_release(*a, bind); | 100 | err = -ENOMEM; |
| 95 | return -ENOMEM; | 101 | goto put_chain; |
| 96 | } | 102 | } |
| 97 | params_new->update_flags = parm->update_flags; | 103 | params_new->update_flags = parm->update_flags; |
| 98 | 104 | ||
| 99 | spin_lock_bh(&p->tcf_lock); | 105 | spin_lock_bh(&p->tcf_lock); |
| 100 | p->tcf_action = parm->action; | 106 | goto_ch = tcf_action_set_ctrlact(*a, parm->action, goto_ch); |
| 101 | rcu_swap_protected(p->params, params_new, | 107 | rcu_swap_protected(p->params, params_new, |
| 102 | lockdep_is_held(&p->tcf_lock)); | 108 | lockdep_is_held(&p->tcf_lock)); |
| 103 | spin_unlock_bh(&p->tcf_lock); | 109 | spin_unlock_bh(&p->tcf_lock); |
| 104 | 110 | ||
| 111 | if (goto_ch) | ||
| 112 | tcf_chain_put_by_act(goto_ch); | ||
| 105 | if (params_new) | 113 | if (params_new) |
| 106 | kfree_rcu(params_new, rcu); | 114 | kfree_rcu(params_new, rcu); |
| 107 | 115 | ||
| @@ -109,6 +117,12 @@ static int tcf_csum_init(struct net *net, struct nlattr *nla, | |||
| 109 | tcf_idr_insert(tn, *a); | 117 | tcf_idr_insert(tn, *a); |
| 110 | 118 | ||
| 111 | return ret; | 119 | return ret; |
| 120 | put_chain: | ||
| 121 | if (goto_ch) | ||
| 122 | tcf_chain_put_by_act(goto_ch); | ||
| 123 | release_idr: | ||
| 124 | tcf_idr_release(*a, bind); | ||
| 125 | return err; | ||
| 112 | } | 126 | } |
| 113 | 127 | ||
| 114 | /** | 128 | /** |
diff --git a/tools/testing/selftests/tc-testing/tc-tests/actions/csum.json b/tools/testing/selftests/tc-testing/tc-tests/actions/csum.json index a022792d392a..ddabb2fbb7c7 100644 --- a/tools/testing/selftests/tc-testing/tc-tests/actions/csum.json +++ b/tools/testing/selftests/tc-testing/tc-tests/actions/csum.json | |||
| @@ -500,5 +500,30 @@ | |||
| 500 | "matchPattern": "^[ \t]+index [0-9]+ ref", | 500 | "matchPattern": "^[ \t]+index [0-9]+ ref", |
| 501 | "matchCount": "0", | 501 | "matchCount": "0", |
| 502 | "teardown": [] | 502 | "teardown": [] |
| 503 | }, | ||
| 504 | { | ||
| 505 | "id": "d128", | ||
| 506 | "name": "Replace csum action with invalid goto chain control", | ||
| 507 | "category": [ | ||
| 508 | "actions", | ||
| 509 | "csum" | ||
| 510 | ], | ||
| 511 | "setup": [ | ||
| 512 | [ | ||
| 513 | "$TC actions flush action csum", | ||
| 514 | 0, | ||
| 515 | 1, | ||
| 516 | 255 | ||
| 517 | ], | ||
| 518 | "$TC actions add action csum iph index 90" | ||
| 519 | ], | ||
| 520 | "cmdUnderTest": "$TC actions replace action csum iph goto chain 42 index 90 cookie c1a0c1a0", | ||
| 521 | "expExitCode": "255", | ||
| 522 | "verifyCmd": "$TC actions get action csum index 90", | ||
| 523 | "matchPattern": "action order [0-9]*: csum \\(iph\\) action pass.*index 90 ref", | ||
| 524 | "matchCount": "1", | ||
| 525 | "teardown": [ | ||
| 526 | "$TC actions flush action csum" | ||
| 527 | ] | ||
| 503 | } | 528 | } |
| 504 | ] | 529 | ] |