Commit c485792e authored by Gao Feng's avatar Gao Feng Committed by Greg Kroah-Hartman

net: sched: Fix one possible panic when no destroy callback

commit c1a4872e upstream.

When qdisc fail to init, qdisc_create would invoke the destroy callback
to cleanup. But there is no check if the callback exists really. So it
would cause the panic if there is no real destroy callback like the qdisc
codel, fq, and so on.

Take codel as an example following:
When a malicious user constructs one invalid netlink msg, it would cause
codel_init->codel_change->nla_parse_nested failed.
Then kernel would invoke the destroy callback directly but qdisc codel
doesn't define one. It causes one panic as a result.

Now add one the check for destroy to avoid the possible panic.

Fixes: 87b60cfa ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: default avatarGao Feng <gfree.wind@vip.163.com>
Acked-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 0be4c96e
...@@ -1005,7 +1005,8 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, ...@@ -1005,7 +1005,8 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue,
return sch; return sch;
} }
/* ops->init() failed, we call ->destroy() like qdisc_create_dflt() */ /* ops->init() failed, we call ->destroy() like qdisc_create_dflt() */
ops->destroy(sch); if (ops->destroy)
ops->destroy(sch);
err_out3: err_out3:
dev_put(dev); dev_put(dev);
kfree((char *) sch - sch->padded); kfree((char *) sch - sch->padded);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment