
Bug#1013299: linux-image-4.19.0-20-amd64: NULL pointer deref in qdisc_put() due to missing backport



On Tuesday, 21 June 2022 16:11:42 CEST Diederik de Haas wrote:
> > So yes, this needs to also be fixed upstream (hence me including that tag
> > when reportbugging), but perhaps Debian can quickfix.
> 
> What I have observed so far is that a commit needs to be accepted upstream
> (but doesn't have to have gone through the whole 'chain of command') before
> a temporary patch is accepted to quickly fix it in Debian.

I made an initial attempt at a patch, see attachment.
https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#s4.2.2
describes a way to test whether this patch fixes the issue.
(Just in case. I'm reasonably sure you already know this)
From 38cc721ef0c6745d808718d212968a173b6732b5 Mon Sep 17 00:00:00 2001
From: Diederik de Haas <didi.debian@cknow.org>
Date: Wed, 22 Jun 2022 11:44:05 +0200
Subject: [PATCH] [linux-4.19.y] net_sched: let qdisc_put() accept NULL pointer

In commit 92833e8b5db6c209e9311ac8c6a44d3bf1856659 titled
"net: sched: rename qdisc_destroy() to qdisc_put()" part of the
functionality of qdisc_destroy() was moved into a (for linux-4.19.y)
new function qdisc_put(), and the previous calls to qdisc_destroy()
were changed to qdisc_put().
This made it similar to f.e. 5.10.y and current master.

There was one part of qdisc_destroy() not moved over to qdisc_put() and
that was the check for a NULL value, causing oopses.
(See upstream commit: 6efb971ba8edfbd80b666f29de12882852f095ae)
This patch fixes that.

Fixes: 92833e8b5db6c209e9311ac8c6a44d3bf1856659
Reported-by: Thorsten Glaser <tg@mirbsd.de>
Link: https://bugs.debian.org/1013299
---
 net/sched/sch_generic.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 7c1b1eff84f4..cad2586c3473 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -970,8 +970,6 @@ static void qdisc_destroy(struct Qdisc *qdisc)
 	const struct Qdisc_ops *ops;
 	struct sk_buff *skb, *tmp;
 
-	if (!qdisc)
-		return;
 	ops = qdisc->ops;
 
 #ifdef CONFIG_NET_SCHED
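
Review bot: with the `if (!qdisc) return;` guard removed from the top of qdisc_destroy(), the next statement `ops = qdisc->ops;` dereferences the pointer unconditionally, so the function now depends on every caller having checked for NULL first. It is static, so please confirm that qdisc_put() is the only remaining caller in sch_generic.c on 4.19.y. If any other call site in this file survives the rename, either keep the guard here as well or note in the commit message why that caller can never pass NULL.
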
@@ -1003,6 +1001,9 @@ static void qdisc_destroy(struct Qdisc *qdisc)
 
 void qdisc_put(struct Qdisc *qdisc)
 {
+	if (!qdisc)
+		return;
+
 	if (qdisc->flags & TCQ_F_BUILTIN ||
 	    !refcount_dec_and_test(&qdisc->refcnt))
 		return;
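
Review bot: the NULL check added at the top of qdisc_put() changes the contract of a non-static function (callers may now pass NULL, like kfree()), but nothing in the hunk documents that. A one-line comment above `void qdisc_put(struct Qdisc *qdisc)` stating that NULL is accepted would keep a later cleanup from dropping the check again, which is how this regression came about. The placement itself is right: the check has to come before `qdisc->flags & TCQ_F_BUILTIN`, which is the first dereference in the function.
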
-- 
2.36.1
