From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 20 Sep 2019 12:16:30 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.194~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d6620b7d073a9450d3aa862f99170802ed91a4f0;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	net_sched-let-qdisc_put-accept-null-pointer.patch
---

diff --git a/queue-4.9/net_sched-let-qdisc_put-accept-null-pointer.patch b/queue-4.9/net_sched-let-qdisc_put-accept-null-pointer.patch
new file mode 100644
index 00000000000..e9b226f8472
--- /dev/null
+++ b/queue-4.9/net_sched-let-qdisc_put-accept-null-pointer.patch
@@ -0,0 +1,47 @@
+From foo@baz Thu 19 Sep 2019 03:07:06 PM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 12 Sep 2019 10:22:30 -0700
+Subject: net_sched: let qdisc_put() accept NULL pointer
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 6efb971ba8edfbd80b666f29de12882852f095ae ]
+
+When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL
+pointer which leads to a crash in sfb_destroy(). Similar for
+sch_dsmark.
+
+Instead of fixing each separately, Linus suggested to just accept
+NULL pointer in qdisc_put(), which would make callers easier.
+
+(For sch_dsmark, the bug probably exists long before commit
+6529eaba33f0.)
+
+Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
+Reported-by: syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_generic.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -699,7 +699,11 @@ static void qdisc_rcu_free(struct rcu_he
+ 
+ void qdisc_destroy(struct Qdisc *qdisc)
+ {
+-	const struct Qdisc_ops  *ops = qdisc->ops;
++	const struct Qdisc_ops *ops;
++
++	if (!qdisc)
++		return;
++	ops = qdisc->ops;
+ 
+ 	if (qdisc->flags & TCQ_F_BUILTIN ||
+ 	    !atomic_dec_and_test(&qdisc->refcnt))
diff --git a/queue-4.9/series b/queue-4.9/series
index 4afa43edb79..abc85cc5046 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -72,3 +72,4 @@ iommu-amd-fix-race-in-increase_address_space.patch
 floppy-fix-usercopy-direction.patch
 media-technisat-usb2-break-out-of-loop-at-end-of-buffer.patch
 arc-export-abort-for-modules.patch
+net_sched-let-qdisc_put-accept-null-pointer.patch