** Description changed:

+ [Impact]
+
+ It is possible to trigger a NULL pointer dereference in tcindex_delete()
+ with a simple reproducer script, this is because in tcindex_set_parms()
+ when old_r doesn't exist we set the new exts to cr.exts that can be
+ uninitialized, triggering the NULL pointer dereference.
+
+ In addition to that we may also hit a race condition in
+ tcindex_destroy() (as pointed out in the original bug report and also
+ here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542#10), that
+ is also fixed upstream, but it requires 4b79817f7add "net_sched: switch
+ to rcu_work".
+
+ However adding these changes introduces three memory leak problems in
+ cls_tcindex (that can be easily verified using the same test case).
+ These leaks are also fixed upstream by 711ff09f3330 "net_sched: fix a
+ memory leak in cls_tcindex" and 000d2aeda70c "net_sched: fix two more
+ memory leaks in cls_tcindex", so we need to backport also these two
+ additional fixes.
+
+ After all these fixes are applied the test case doesn't seem to trigger
+ any bug.
+
+ [Test Case]
+
+ #!/bin/sh -ex
+
+ modprobe ifb
+
+ while true; do
+     tc qdisc add dev ifb0 root handle 2:0 prio bands 5
+     tc qdisc add dev ifb0 parent 2:5 sfq
+     tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
+     tc qdisc del dev ifb0 root || true
+ done
+
+ [Fix]
+
+  * Fixes required to solve this problem:
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2df8bee5654bb2b7312662ca6810d4dc16b0b67f
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8015d93ebd27484418d4952284fd02172fa4b0b2
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=033b228e7f26b29ae37f8bfa1bc6b209a5365e9f
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1db817e75f5b9387b8db11e37d5f0624eb9223e0
+
+ [Regression Potential]
+
+  * All upstream fixes, tested on the affected platform, backport changes
+ are minimal.
+
+ [Original bug report]
  I am running into a kernel crash issue using latest Ubuntu 4.15 kernel.
  It does not appear to have been fixed in Ubuntu-4.15.0-48.51.

  This crash has also been reported for debian:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542

  The kernel crash issue was fixed in February in the Linux kernel:
  https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=056a17982adbd52b2a6c5ec6266cee4521cd931b

  I did test one of the recent kernel-ppa/mainline kernels, more specifically:
  linux-image-unsigned-4.19.34-041934-generic_4.19.34-041934.201904051741_amd64.deb

  It seems to fix the problem, that is, no crashes experienced so far.
--
https://bugs.launchpad.net/bugs/1825942

Title:
  kernel crash : net_sched race condition in tcindex_destroy()
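
Added example, not part of the original bug report and not code from the Ubuntu or kernel projects: when the test case above is used to verify a kernel, one way to check the kernel log for oopses that implicate cls_tcindex. The function names, the log patterns chosen and the sample log (constructed, offsets zeroed) are assumptions.

```shell
#!/bin/sh
# Scan kernel log text on stdin for oops reports that mention a tcindex_*
# symbol (tcindex_delete, tcindex_destroy, ...). Prints one line per matching
# report as "<first tcindex symbol>: <headline>"; exit status 0 if any matched.
tcindex_oops_scan() {
    awk '
    # Headline of a new report (patterns are an assumption about log wording).
    /BUG: unable to handle kernel|general protection fault|Oops:/ {
        if (!open) {
            headline = $0
            sub(/^\[ *[0-9.]+\] /, "", headline)   # drop dmesg timestamp
            open = 1; hit = ""
        }
    }
    # Inside a report, remember the first cls_tcindex function that appears.
    open && match($0, /tcindex_[a-z_]+/) {
        if (hit == "") hit = substr($0, RSTART, RLENGTH)
    }
    # The end-trace marker closes the report.
    open && /---\[ end trace/ {
        if (hit != "") { print hit ": " headline; found++ }
        open = 0
    }
    END {
        # A log cut off mid-report still counts.
        if (open && hit != "") { print hit ": " headline; found++ }
        exit (found ? 0 : 1)
    }'
}

# Constructed sample log, not taken from the bug report.
sample_log() {
    cat <<'EOF'
[  100.000000] ifb: loading out-of-tree sample line
[  101.000001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[  101.000002] IP: tcindex_delete+0x00/0x00 [cls_tcindex]
[  101.000003] Oops: 0000 [#1] SMP PTI
[  101.000004] Call Trace:
[  101.000005]  tcindex_destroy+0x00/0x00 [cls_tcindex]
[  101.000006] ---[ end trace 0000000000000000 ]---
EOF
}

sample_log | tcindex_oops_scan
```

On a test machine the same function can be fed from `dmesg` after a bounded run of the test case; an empty result with exit status 1 means no tcindex-related oops was logged.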