diff options
| author | Gao Feng <gfree.wind@vip.163.com> | 2017-06-28 12:53:54 +0800 |
|---|---|---|
| committer | Sasha Levin <alexander.levin@verizon.com> | 2017-07-31 13:37:54 -0400 |
| commit | 95c75e16160da42e41177f354289b58e93bb8584 (patch) | |
| tree | a8f31d375b69c293b3529d328ff38d5978e3fdf6 /net | |
| parent | a70c6f2d8a91d8c58a58d0fe3736101a2eef91ec (diff) | |
net: sched: Fix one possible panic when no destroy callback
[ Upstream commit c1a4872ebfb83b1af7144f7b29ac8c4b344a12a8 ]
When qdisc fail to init, qdisc_create would invoke the destroy callback
to cleanup. But there is no check if the callback exists really. So it
would cause the panic if there is no real destroy callback like the qdisc
codel, fq, and so on.
Take codel as an example following:
When a malicious user constructs one invalid netlink msg, it would cause
codel_init->codel_change->nla_parse_nested failed.
Then kernel would invoke the destroy callback directly but qdisc codel
doesn't define one. It causes one panic as a result.
Now add one the check for destroy to avoid the possible panic.
Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Diffstat (limited to 'net')
| -rw-r--r-- | net/sched/sch_api.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 83b5bbc0224c..25353056439d 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -1005,7 +1005,8 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, return sch; } /* ops->init() failed, we call ->destroy() like qdisc_create_dflt() */ - ops->destroy(sch); + if (ops->destroy) + ops->destroy(sch); err_out3: dev_put(dev); kfree((char *) sch - sch->padded); |