From 93d06487fcbc4f9380c3a46ee140f1c2873b47d7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 10 Apr 2021 16:33:04 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
	net-sched-sch_teql-fix-null-pointer-dereference.patch
---
 ...ch_teql-fix-null-pointer-dereference.patch | 92 +++++++++++++++++++
 queue-4.4/series                              |  1 +
 2 files changed, 93 insertions(+)
 create mode 100644 queue-4.4/net-sched-sch_teql-fix-null-pointer-dereference.patch

diff --git a/queue-4.4/net-sched-sch_teql-fix-null-pointer-dereference.patch b/queue-4.4/net-sched-sch_teql-fix-null-pointer-dereference.patch
new file mode 100644
index 00000000000..7050c2fc6dd
--- /dev/null
+++ b/queue-4.4/net-sched-sch_teql-fix-null-pointer-dereference.patch
@@ -0,0 +1,92 @@
+From 1ffbc7ea91606e4abd10eb60de5367f1c86daf5e Mon Sep 17 00:00:00 2001
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Date: Thu, 8 Apr 2021 18:14:31 +0300
+Subject: net: sched: sch_teql: fix null-pointer dereference
+
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+
+commit 1ffbc7ea91606e4abd10eb60de5367f1c86daf5e upstream.
+
+Reproduce:
+
+  modprobe sch_teql
+  tc qdisc add dev teql0 root teql0
+
+This leads to (for instance in Centos 7 VM) OOPS:
+
+[  532.366633] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
+[  532.366733] IP: [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
+[  532.366825] PGD 80000001376d5067 PUD 137e37067 PMD 0
+[  532.366906] Oops: 0000 [#1] SMP
+[  532.366987] Modules linked in: sch_teql ...
+[  532.367945] CPU: 1 PID: 3026 Comm: tc Kdump: loaded Tainted: G               ------------ T 3.10.0-1062.7.1.el7.x86_64 #1
+[  532.368041] Hardware name: Virtuozzo KVM, BIOS 1.11.0-2.vz7.2 04/01/2014
+[  532.368125] task: ffff8b7d37d31070 ti: ffff8b7c9fdbc000 task.ti: ffff8b7c9fdbc000
+[  532.368224] RIP: 0010:[<ffffffffc06124a8>]  [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
+[  532.368320] RSP: 0018:ffff8b7c9fdbf8e0  EFLAGS: 00010286
+[  532.368394] RAX: ffffffffc0612490 RBX: ffff8b7cb1565e00 RCX: ffff8b7d35ba2000
+[  532.368476] RDX: ffff8b7d35ba2000 RSI: 0000000000000000 RDI: ffff8b7cb1565e00
+[  532.368557] RBP: ffff8b7c9fdbf8f8 R08: ffff8b7d3fd1f140 R09: ffff8b7d3b001600
+[  532.368638] R10: ffff8b7d3b001600 R11: ffffffff84c7d65b R12: 00000000ffffffd8
+[  532.368719] R13: 0000000000008000 R14: ffff8b7d35ba2000 R15: ffff8b7c9fdbf9a8
+[  532.368800] FS:  00007f6a4e872740(0000) GS:ffff8b7d3fd00000(0000) knlGS:0000000000000000
+[  532.368885] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  532.368961] CR2: 00000000000000a8 CR3: 00000001396ee000 CR4: 00000000000206e0
+[  532.369046] Call Trace:
+[  532.369159]  [<ffffffff84c8192e>] qdisc_create+0x36e/0x450
+[  532.369268]  [<ffffffff846a9b49>] ? ns_capable+0x29/0x50
+[  532.369366]  [<ffffffff849afde2>] ? nla_parse+0x32/0x120
+[  532.369442]  [<ffffffff84c81b4c>] tc_modify_qdisc+0x13c/0x610
+[  532.371508]  [<ffffffff84c693e7>] rtnetlink_rcv_msg+0xa7/0x260
+[  532.372668]  [<ffffffff84907b65>] ? sock_has_perm+0x75/0x90
+[  532.373790]  [<ffffffff84c69340>] ? rtnl_newlink+0x890/0x890
+[  532.374914]  [<ffffffff84c8da7b>] netlink_rcv_skb+0xab/0xc0
+[  532.376055]  [<ffffffff84c63708>] rtnetlink_rcv+0x28/0x30
+[  532.377204]  [<ffffffff84c8d400>] netlink_unicast+0x170/0x210
+[  532.378333]  [<ffffffff84c8d7a8>] netlink_sendmsg+0x308/0x420
+[  532.379465]  [<ffffffff84c2f3a6>] sock_sendmsg+0xb6/0xf0
+[  532.380710]  [<ffffffffc034a56e>] ? __xfs_filemap_fault+0x8e/0x1d0 [xfs]
+[  532.381868]  [<ffffffffc034a75c>] ? xfs_filemap_fault+0x2c/0x30 [xfs]
+[  532.383037]  [<ffffffff847ec23a>] ? __do_fault.isra.61+0x8a/0x100
+[  532.384144]  [<ffffffff84c30269>] ___sys_sendmsg+0x3e9/0x400
+[  532.385268]  [<ffffffff847f3fad>] ? handle_mm_fault+0x39d/0x9b0
+[  532.386387]  [<ffffffff84d88678>] ? __do_page_fault+0x238/0x500
+[  532.387472]  [<ffffffff84c31921>] __sys_sendmsg+0x51/0x90
+[  532.388560]  [<ffffffff84c31972>] SyS_sendmsg+0x12/0x20
+[  532.389636]  [<ffffffff84d8dede>] system_call_fastpath+0x25/0x2a
+[  532.390704]  [<ffffffff84d8de21>] ? system_call_after_swapgs+0xae/0x146
+[  532.391753] Code: 00 00 00 00 00 00 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 55 41 54 53 48 8b b7 48 01 00 00 48 89 fb <48> 8b 8e a8 00 00 00 48 85 c9 74 43 48 89 ca eb 0f 0f 1f 80 00
+[  532.394036] RIP  [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
+[  532.395127]  RSP <ffff8b7c9fdbf8e0>
+[  532.396179] CR2: 00000000000000a8
+
+Null pointer dereference happens on master->slaves dereference in
+teql_destroy() as master is null-pointer.
+
+When qdisc_create() calls teql_qdisc_init() it imediately fails after
+check "if (m->dev == dev)" because both devices are teql0, and it does
+not set qdisc_priv(sch)->m leaving it zero on error path, then
+qdisc_create() imediately calls teql_destroy() which does not expect
+zero master pointer and we get OOPS.
+
+Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
+Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_teql.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -138,6 +138,9 @@ teql_destroy(struct Qdisc *sch)
+ 	struct teql_sched_data *dat = qdisc_priv(sch);
+ 	struct teql_master *master = dat->m;
+ 
++	if (!master)
++		return;
++
+ 	prev = master->slaves;
+ 	if (prev) {
+ 		do {
diff --git a/queue-4.4/series b/queue-4.4/series
index 5b6de8903c6..426c9c1732a 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -10,3 +10,4 @@ ia64-fix-user_stack_pointer-for-ptrace.patch
 fs-direct-io-fix-missing-sdio-boundary.patch
 parisc-parisc-agp-requires-sba-iommu-driver.patch
 batman-adv-initialize-struct-batadv_tvlv_tt_vlan_data-reserved-field.patch
+net-sched-sch_teql-fix-null-pointer-dereference.patch
-- 
2.47.3