Patch Detail
GET /api/patches/2218343/?format=api
{ "id": 2218343, "url": "http://patchwork.ozlabs.org/api/patches/2218343/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260401041611.3302189-2-bestswngs@gmail.com/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260401041611.3302189-2-bestswngs@gmail.com>", "list_archive_url": null, "date": "2026-04-01T04:16:12", "name": "[net] ipvs: fix NULL deref in ip_vs_add_service error path", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "dec6c2ee41f05f3fa89a25505c1264f6a54bfe2c", "submitter": { "id": 92941, "url": "http://patchwork.ozlabs.org/api/people/92941/?format=api", "name": "Weiming Shi", "email": "bestswngs@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260401041611.3302189-2-bestswngs@gmail.com/mbox/", "series": [ { "id": 498272, "url": "http://patchwork.ozlabs.org/api/series/498272/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=498272", "date": "2026-04-01T04:16:12", "name": "[net] ipvs: fix NULL deref in ip_vs_add_service error path", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/498272/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2218343/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2218343/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-11529-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", 
"Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=hixdK2/n;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11529-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"hixdK2/n\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.210.173", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com" ], "Received": [ "from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4flsDs2fmvz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 01 Apr 2026 15:18:53 +1100 (AEDT)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 258A9307D05B\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 1 Apr 2026 04:18:47 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 6A8C2314D37;\n\tWed, 1 Apr 2026 04:18:44 +0000 (UTC)", "from mail-pf1-f173.google.com (mail-pf1-f173.google.com\n [209.85.210.173])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id E3FBF235C01\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 1 Apr 2026 04:18:41 +0000 (UTC)", "by mail-pf1-f173.google.com with SMTP id\n 
d2e1a72fcca58-82a7539851fso2917771b3a.1\n for <netfilter-devel@vger.kernel.org>;\n Tue, 31 Mar 2026 21:18:41 -0700 (PDT)", "from SLSGDTSWING002.tail0ac356.ts.net ([129.126.109.177])\n by smtp.gmail.com with ESMTPSA id\n d2e1a72fcca58-82caa8be173sm10963672b3a.55.2026.03.31.21.18.37\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 31 Mar 2026 21:18:40 -0700 (PDT)" ], "X-Received": "by 2002:a05:6a00:3697:b0:82c:215d:5e9d with SMTP id\n d2e1a72fcca58-82ce8b09852mr2056850b3a.32.1775017121195;\n Tue, 31 Mar 2026 21:18:41 -0700 (PDT)", "From": "Weiming Shi <bestswngs@gmail.com>", "To": "Simon Horman <horms@verge.net.au>,\n\tJulian Anastasov <ja@ssi.bg>,\n\tPablo Neira Ayuso <pablo@netfilter.org>,\n\tFlorian Westphal 
<fw@strlen.de>,\n\t\"David S . Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>,\n\tPaolo Abeni <pabeni@redhat.com>", "Cc": "Phil Sutter <phil@nwl.cc>,\n\tnetdev@vger.kernel.org,\n\tlvs-devel@vger.kernel.org,\n\tnetfilter-devel@vger.kernel.org,\n\tcoreteam@netfilter.org,\n\tXiang Mei <xmei5@asu.edu>,\n\tWeiming Shi <bestswngs@gmail.com>", "Subject": "[PATCH net] ipvs: fix NULL deref in ip_vs_add_service error path", "Date": "Wed, 1 Apr 2026 12:16:12 +0800", "Message-ID": "<20260401041611.3302189-2-bestswngs@gmail.com>", "X-Mailer": "git-send-email 2.43.0", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local\nvariable sched is set to NULL. If ip_vs_start_estimator() subsequently\nfails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)\nwith sched == NULL. 
ip_vs_unbind_scheduler() passes the cur_sched NULL\ncheck (because svc->scheduler was set by the successful bind) but then\ndereferences the NULL sched parameter at sched->done_service, causing a\nkernel panic at offset 0x30 from NULL.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)\n Call Trace:\n <TASK>\n ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)\n do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)\n nf_setsockopt (net/netfilter/nf_sockopt.c:102)\n ip_setsockopt (net/ipv4/ip_sockglue.c:1427)\n raw_setsockopt (net/ipv4/raw.c:850)\n do_sock_setsockopt (net/socket.c:2322)\n __sys_setsockopt (net/socket.c:2339)\n __x64_sys_setsockopt (net/socket.c:2350)\n do_syscall_64 (arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\nFix by recovering the scheduler pointer from svc->scheduler before\ncleanup when the local sched variable has been cleared. 
This also\nprevents a latent module refcount leak: without the recovery,\nip_vs_scheduler_put(sched) receives NULL and skips the module_put(),\nso the scheduler module could never be unloaded if the kernel survived\npast the dereference.\n\nFixes: 05f00505a89a (\"ipvs: fix crash if scheduler is changed\")\nReported-by: Xiang Mei <xmei5@asu.edu>\nSigned-off-by: Weiming Shi <bestswngs@gmail.com>\n---\n net/netfilter/ipvs/ip_vs_ctl.c | 2 ++\n 1 file changed, 2 insertions(+)", "diff": "diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c\nindex 35642de2a0fee..e0c978def9749 100644\n--- a/net/netfilter/ipvs/ip_vs_ctl.c\n+++ b/net/netfilter/ipvs/ip_vs_ctl.c\n@@ -1497,6 +1497,8 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,\n \tif (ret_hooks >= 0)\n \t\tip_vs_unregister_hooks(ipvs, u->af);\n \tif (svc != NULL) {\n+\t\tif (!sched)\n+\t\t\tsched = rcu_dereference_protected(svc->scheduler, 1);\n \t\tip_vs_unbind_scheduler(svc, sched);\n \t\tip_vs_service_free(svc);\n \t}\n", "prefixes": [ "net" ] }
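Review bot: the two added lines inside the "if (svc != NULL)" block of the ip_vs_ctl.c hunk call rcu_dereference_protected(svc->scheduler, 1) with the lockdep condition hard-coded to 1 and no comment, so a reader of this cleanup path cannot tell why sched may legitimately be NULL here or what keeps svc->scheduler stable at this point. A one-line comment above "if (!sched)" saying that sched is cleared after a successful ip_vs_bind_scheduler(), plus either a real lockdep expression or a note naming the protection that justifies the constant 1, would make the recovery self-explanatory. The commit message also relies on the recovered pointer reaching ip_vs_scheduler_put(sched) to avoid the module refcount leak; that call is not in the hunk's visible context, so it is worth confirming that it runs after this block and still sees the reassigned sched. When both sched and svc->scheduler are NULL, the call still passes NULL to ip_vs_unbind_scheduler(), which by the description returns at its cur_sched check; stating that in the comment would document the remaining NULL case.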