Commit a9b6772d authored Apr 22, 2024 by Zhengchao Shao

net/sched: flower: Fix unable to handle page fault bug in fl_init

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9IQLI


CVE: NA

--------------------------------

The tmplt_reoffload function pointer is of the const type, and the value
is assigned to the constant in fl_init. As a result, the following issue
occurs.
BUG: unable to handle page fault for address: ffffffff98715da0
PF: supervisor write access in kernel mode
PF: error_code(0x0003) - permissions violation
PGD ec0d067 P4D ec0d067 PUD ec0e063 PMD 800000000e0001e1
Oops: 0003 [#1] SMP PTI
CPU: 20 PID: 7533 Comm: tc Kdump: loaded Not tainted 5.10.0+ #40
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:fl_init+0xcf/0x100
RSP: 0018:ffffb6e7c0fe7978 EFLAGS: 00010202
RAX: 0000000000000049 RBX: ffff99c6b3580480 RCX: 0000000000000027
RDX: 0000000000000000 RSI: ffffffff98718740 RDI: ffff99c6a359f800
RBP: ffff99c6a359f800 R08: ffff99cfdce1fe50 R09: ffffb6e7c0fe77a0
R10: ffffb6e7c0fe7798 R11: ffffffff9967d5a8 R12: ffff99c6b3580480
R13: ffffb6e7c0fe7b80 R14: 0000000000000001 R15: ffffb6e7c0fe7ab0
FS:  00007fbaef7b1800(0000) GS:ffff99cfdce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff98715da0 CR3: 000000011299c000 CR4: 00000000000006e0
Call Trace:
tcf_proto_create.cold+0x66/0x9e
tc_new_tfilter+0x611/0xa70
rtnetlink_rcv_msg+0x406/0x560
netlink_rcv_skb+0x64/0x180
rtnetlink_rcv+0x19/0x30
netlink_unicast_kernel+0x7b/0x180
netlink_unicast+0x13d/0x230
netlink_sendmsg+0x432/0x610
__sock_sendmsg+0xc6/0xd0
____sys_sendmsg+0x1f5/0x380
___sys_sendmsg+0x82/0xe

Fixes: fbc634d3 ("net/sched: flower: Fix kabi change")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>

parent f8ab733c

net/sched/cls_api.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1397,7 +1397,7 @@ void tcf_block_put(struct tcf_block *block)

		EXPORT_SYMBOL(tcf_block_put);

		void (* const tmplt_reoffload)(struct tcf_chain *chain, bool add,
		void (tmplt_reoffload)(struct tcf_chain chain, bool add,
		flow_setup_cb_t cb, void cb_priv);
		EXPORT_SYMBOL(tmplt_reoffload);

net/sched/cls_flower.c

+1 −4

Original line number	Diff line number	Diff line
		@@ -356,8 +356,6 @@ static int fl_init(struct tcf_proto *tp)
		rcu_assign_pointer(tp->root, head);
		idr_init(&head->handle_idr);

		tmplt_reoffload = &fl_tmplt_reoffload;

		return rhashtable_init(&head->ht, &mask_ht_params);
		}

		@@ -596,8 +594,6 @@ static void fl_destroy(struct tcf_proto *tp, bool rtnl_held,

		__module_get(THIS_MODULE);
		tcf_queue_work(&head->rwork, fl_destroy_sleepable);

		tmplt_reoffload = NULL;
		}

		static void fl_put(struct tcf_proto tp, void arg)
		@@ -3250,6 +3246,7 @@ static struct tcf_proto_ops cls_fl_ops __read_mostly = {

		static int __init cls_fl_init(void)
		{
		tmplt_reoffload = &fl_tmplt_reoffload;
		return register_tcf_proto_ops(&cls_fl_ops);
		}