On Thu, Apr 5, 2018 at 7:19 PM, Davide Caratti <dcara...@redhat.com> wrote: > when tcf_bpf_init_from_ops() fails (e.g. because of program having invalid > number of instructions), tcf_bpf_cfg_cleanup() calls bpf_prog_put(NULL) or > bpf_prog_destroy(NULL). Unless CONFIG_BPF_SYSCALL is unset, this causes > the following error: > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 > PGD 800000007345a067 P4D 800000007345a067 PUD 340e1067 PMD 0 > Oops: 0000 [#1] SMP PTI > Modules linked in: act_bpf(E) ip6table_filter ip6_tables iptable_filter > binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul > ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec > snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd > glue_helper cryptd joydev snd_timer snd virtio_balloon pcspkr soundcore > i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c > ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt > fb_sys_fops ttm virtio_blk drm virtio_net virtio_console i2c_core > crc32c_intel serio_raw virtio_pci ata_piix libata virtio_ring floppy virtio > dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_bpf] > CPU: 3 PID: 5654 Comm: tc Tainted: G E 4.16.0.bpf_test+ #408 > Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 > RIP: 0010:__bpf_prog_put+0xc/0xc0 > RSP: 0018:ffff9594003ef728 EFLAGS: 00010202 > RAX: 0000000000000000 RBX: ffff9594003ef758 RCX: 0000000000000024 > RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 > RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044 > R10: 0000000000000220 R11: ffff8a7ab9f17131 R12: 0000000000000000 > R13: ffff8a7ab7c3c8e0 R14: 0000000000000001 R15: ffff8a7ab88f1054 > FS: 00007fcb2f17c740(0000) GS:ffff8a7abfd80000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000020 CR3: 000000007c888006 CR4: 00000000001606e0 > Call Trace: > tcf_bpf_cfg_cleanup+0x2f/0x40 [act_bpf] > tcf_bpf_cleanup+0x4c/0x70 [act_bpf] > __tcf_idr_release+0x79/0x140 > tcf_bpf_init+0x125/0x330 [act_bpf] > tcf_action_init_1+0x2cc/0x430 > ? get_page_from_freelist+0x3f0/0x11b0 > tcf_action_init+0xd3/0x1b0 > tc_ctl_action+0x18b/0x240 > rtnetlink_rcv_msg+0x29c/0x310 > ? _cond_resched+0x15/0x30 > ? __kmalloc_node_track_caller+0x1b9/0x270 > ? rtnl_calcit.isra.29+0x100/0x100 > netlink_rcv_skb+0xd2/0x110 > netlink_unicast+0x17c/0x230 > netlink_sendmsg+0x2cd/0x3c0 > sock_sendmsg+0x30/0x40 > ___sys_sendmsg+0x27a/0x290 > ? mem_cgroup_commit_charge+0x80/0x130 > ? page_add_new_anon_rmap+0x73/0xc0 > ? do_anonymous_page+0x2a2/0x560 > ? __handle_mm_fault+0xc75/0xe20 > __sys_sendmsg+0x58/0xa0 > do_syscall_64+0x6e/0x1a0 > entry_SYSCALL_64_after_hwframe+0x3d/0xa2 > RIP: 0033:0x7fcb2e58eba0 > RSP: 002b:00007ffc93c496c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e > RAX: ffffffffffffffda RBX: 00007ffc93c497f0 RCX: 00007fcb2e58eba0 > RDX: 0000000000000000 RSI: 00007ffc93c49740 RDI: 0000000000000003 > RBP: 000000005ac6a646 R08: 0000000000000002 R09: 0000000000000000 > R10: 00007ffc93c49120 R11: 0000000000000246 R12: 0000000000000000 > R13: 00007ffc93c49804 R14: 0000000000000001 R15: 000000000066afa0 > Code: 5f 00 48 8b 43 20 48 c7 c7 70 2f 7c b8 c7 40 10 00 00 00 00 5b e9 a5 > 8b 61 00 0f 1f 44 00 00 0f 1f 44 00 00 41 54 55 48 89 fd 53 <48> 8b 47 20 f0 > ff 08 74 05 5b 5d 41 5c c3 41 89 f4 0f 1f 44 00 > RIP: __bpf_prog_put+0xc/0xc0 RSP: ffff9594003ef728 > CR2: 0000000000000020 > > Fix it in tcf_bpf_cfg_cleanup(), ensuring that bpf_prog_{put,destroy}(f) > is called only when f is not NULL. > > Fixes: bbc09e7842a5 ("net/sched: fix idr leak on the error path of > tcf_bpf_init()") > Reported-by: Lucas Bates <luc...@mojatatu.com> > Signed-off-by: Davide Caratti <dcara...@redhat.com>
That does the trick, thanks Davide. Tested-by: Lucas Bates <luc...@mojatatu.com>