From: gfree.w...@vip.163.com
Date: Wed, 28 Jun 2017 12:53:54 +0800

> From: Gao Feng <gfree.w...@vip.163.com>
>
> When a qdisc fails to init, qdisc_create would invoke the destroy callback
> to clean up. But there is no check whether the callback really exists. So it
> would cause a panic if there is no real destroy callback, as with the qdiscs
> codel, fq, and so on.
>
> Take codel as an example:
> When a malicious user constructs one invalid netlink msg, it would cause
> codel_init->codel_change->nla_parse_nested to fail.
> Then the kernel would invoke the destroy callback directly, but qdisc codel
> doesn't define one. It causes a panic as a result.
>
> Now add a check for destroy to avoid the possible panic.
>
> Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
> Signed-off-by: Gao Feng <gfree.w...@vip.163.com>

Applied and queued up for -stable.
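
A userspace C model of the error path the commit message describes, added here as an illustration; it is not the kernel patch or code from this thread. The `model_*` names and struct layout are assumptions, and the init function simply returns an error to stand in for the failed attribute parse.

```c
/* Userspace model of an ops table with an optional destroy callback.
 * NOT kernel code; every model_* name is hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

struct model_qdisc;

struct model_qdisc_ops {
    const char *id;
    int  (*init)(struct model_qdisc *sch, const void *opt);
    void (*destroy)(struct model_qdisc *sch);   /* optional: may be NULL */
};

struct model_qdisc {
    const struct model_qdisc_ops *ops;
    int destroy_calls;                          /* instrumentation only */
};

/* init that rejects its options, standing in for a failed nested parse */
static int model_init_fail(struct model_qdisc *sch, const void *opt)
{
    (void)sch; (void)opt;
    return -EINVAL;
}

static void model_destroy(struct model_qdisc *sch) { sch->destroy_calls++; }

/* One type defines destroy; the other leaves it NULL (the codel/fq case). */
const struct model_qdisc_ops model_with_destroy = { "with", model_init_fail, model_destroy };
const struct model_qdisc_ops model_no_destroy   = { "none", model_init_fail, NULL };

/* Create with guarded cleanup. Returns the init error and reports through
 * *destroy_calls how many times the cleanup callback actually ran. */
int model_qdisc_create(const struct model_qdisc_ops *ops, const void *opt,
                       int *destroy_calls)
{
    struct model_qdisc *sch = calloc(1, sizeof(*sch));
    int err;

    if (!sch)
        return -ENOMEM;
    sch->ops = ops;
    err = ops->init ? ops->init(sch, opt) : 0;
    if (err && ops->destroy)    /* the check: skip cleanup when none is defined */
        ops->destroy(sch);      /* unguarded, this is a call through NULL */
    if (destroy_calls)
        *destroy_calls = sch->destroy_calls;
    free(sch);                  /* the model frees on every path for brevity */
    return err;
}
```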