[{"id":3676041,"web_url":"http://patchwork.ozlabs.org/comment/3676041/","msgid":"<364a0f17-c733-4ef0-8d8f-1bd9e00dcae9@cambridgegreys.com>","list_archive_url":null,"date":"2026-04-10T20:37:03","subject":"Re: [PATCH] um: vector: fix NULL pointer derefs in queue-less\n transports","submitter":{"id":71996,"url":"http://patchwork.ozlabs.org/api/people/71996/","name":"Anton Ivanov","email":"anton.ivanov@cambridgegreys.com"},"content":"On 10/04/2026 21:30, Michael Bommarito wrote:\n> TAP transport sets neither VECTOR_RX nor VECTOR_TX, so\n> vector_net_open() never allocates rx_queue or tx_queue.  HYBRID sets\n> VECTOR_RX but not VECTOR_TX, so tx_queue is NULL there too.\n>\n> vector_reset_stats(), vector_poll(), vector_get_ethtool_stats(), and\n> vector_get_ringparam() unconditionally deref these queue pointers,\n> causing a NULL pointer crash on SMP or with any lock debugging option.\n>\n> Guard all queue pointer accesses with NULL checks.\n>\n> Fixes: 49da7e64f33e (\"High Performance UML Vector Network Driver\")\n> Cc: stable@vger.kernel.org\n> Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>\n> Assisted-by: Claude:claude-opus-4-6\n> Assisted-by: Codex:gpt-5-4\n> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>\n> ---\n> Found while enabling KCOV and lockdep on UML for a network-stack\n> test lab.  Tested boot with SMP=y + PROVE_LOCKING + DEBUG_SPINLOCK +\n> DEBUG_LOCK_ALLOC + LOCKDEP + KCOV, all with vec0:transport=tap.\n>\n> Without the fix, the same config panics at addr 0x18 (SMP, no debug),\n> 0x1c (DEBUG_SPINLOCK), or 0x30 (lockdep) -- all offsets into a NULL\n> vector_queue pointer.\n>\n>   arch/um/drivers/vector_kern.c | 48 +++++++++++++++++------------------\n>   1 file changed, 24 insertions(+), 24 deletions(-)\n>\n> diff --git a/arch/um/drivers/vector_kern.c b/arch/um/drivers/vector_kern.c\n> index 2cc90055499a5..6134c376e57be 100644\n> --- a/arch/um/drivers/vector_kern.c\n> +++ b/arch/um/drivers/vector_kern.c\n> 
@@ -105,25 +105,18 @@ static const struct {\n>   \n>   static void vector_reset_stats(struct vector_private *vp)\n>   {\n> -\t/* We reuse the existing queue locks for stats */\n> -\n> -\t/* RX stats are modified with RX head_lock held\n> -\t * in vector_poll.\n> -\t */\n> -\n> -\tspin_lock(&vp->rx_queue->head_lock);\n> +\tif (vp->rx_queue)\n> +\t\tspin_lock(&vp->rx_queue->head_lock);\n>   \tvp->estats.rx_queue_max = 0;\n>   \tvp->estats.rx_queue_running_average = 0;\n>   \tvp->estats.rx_encaps_errors = 0;\n>   \tvp->estats.sg_ok = 0;\n>   \tvp->estats.sg_linearized = 0;\n> -\tspin_unlock(&vp->rx_queue->head_lock);\n> -\n> -\t/* TX stats are modified with TX head_lock held\n> -\t * in vector_send.\n> -\t */\n> +\tif (vp->rx_queue)\n> +\t\tspin_unlock(&vp->rx_queue->head_lock);\n>   \n> -\tspin_lock(&vp->tx_queue->head_lock);\n> +\tif (vp->tx_queue)\n> +\t\tspin_lock(&vp->tx_queue->head_lock);\n>   \tvp->estats.tx_timeout_count = 0;\n>   \tvp->estats.tx_restart_queue = 0;\n>   \tvp->estats.tx_kicks = 0;\n> @@ -131,7 +124,8 @@ static void vector_reset_stats(struct vector_private *vp)\n>   \tvp->estats.tx_flow_control_xoff = 0;\n>   \tvp->estats.tx_queue_max = 0;\n>   \tvp->estats.tx_queue_running_average = 0;\n> -\tspin_unlock(&vp->tx_queue->head_lock);\n> +\tif (vp->tx_queue)\n> +\t\tspin_unlock(&vp->tx_queue->head_lock);\n>   }\n>   \n>   static int get_mtu(struct arglist *def)\n> @@ -1163,7 +1157,8 @@ static int vector_poll(struct napi_struct *napi, int budget)\n>   \n>   \tif ((vp->options & VECTOR_TX) != 0)\n>   \t\ttx_enqueued = (vector_send(vp->tx_queue) > 0);\n> -\tspin_lock(&vp->rx_queue->head_lock);\n> +\tif (vp->rx_queue)\n> +\t\tspin_lock(&vp->rx_queue->head_lock);\n>   \tif ((vp->options & VECTOR_RX) > 0)\n>   \t\terr = vector_mmsg_rx(vp, budget);\n>   \telse {\n> 
@@ -1171,7 +1166,8 @@ static int vector_poll(struct napi_struct *napi, int budget)\n>   \t\tif (err > 0)\n>   \t\t\terr = 1;\n>   \t}\n> -\tspin_unlock(&vp->rx_queue->head_lock);\n> +\tif (vp->rx_queue)\n> +\t\tspin_unlock(&vp->rx_queue->head_lock);\n>   \tif (err > 0)\n>   \t\twork_done += err;\n>   \n> @@ -1421,10 +1417,10 @@ static void vector_get_ringparam(struct net_device *netdev,\n>   {\n>   \tstruct vector_private *vp = netdev_priv(netdev);\n>   \n> -\tring->rx_max_pending = vp->rx_queue->max_depth;\n> -\tring->tx_max_pending = vp->tx_queue->max_depth;\n> -\tring->rx_pending = vp->rx_queue->max_depth;\n> -\tring->tx_pending = vp->tx_queue->max_depth;\n> +\tring->rx_max_pending = vp->rx_queue ? vp->rx_queue->max_depth : 0;\n> +\tring->tx_max_pending = vp->tx_queue ? vp->tx_queue->max_depth : 0;\n> +\tring->rx_pending = ring->rx_max_pending;\n> +\tring->tx_pending = ring->tx_max_pending;\n>   }\n>   \n>   static void vector_get_strings(struct net_device *dev, u32 stringset, u8 *buf)\n> 
@@ -1466,11 +1462,15 @@ static void vector_get_ethtool_stats(struct net_device *dev,\n>   \t * to date.\n>   \t */\n>   \n> -\tspin_lock(&vp->tx_queue->head_lock);\n> -\tspin_lock(&vp->rx_queue->head_lock);\n> +\tif (vp->tx_queue)\n> +\t\tspin_lock(&vp->tx_queue->head_lock);\n> +\tif (vp->rx_queue)\n> +\t\tspin_lock(&vp->rx_queue->head_lock);\n>   \tmemcpy(tmp_stats, &vp->estats, sizeof(struct vector_estats));\n> -\tspin_unlock(&vp->rx_queue->head_lock);\n> -\tspin_unlock(&vp->tx_queue->head_lock);\n> +\tif (vp->rx_queue)\n> +\t\tspin_unlock(&vp->rx_queue->head_lock);\n> +\tif (vp->tx_queue)\n> +\t\tspin_unlock(&vp->tx_queue->head_lock);\n>   }\n>   \n>   static int vector_get_coalesce(struct net_device *netdev,\n\nAcked-By: Anton Ivanov <anton.ivanov@cambridgegreys.com>","headers":{"Message-ID":"<364a0f17-c733-4ef0-8d8f-1bd9e00dcae9@cambridgegreys.com>","Date":"Fri, 10 Apr 2026 21:37:03 +0100","Subject":"Re: [PATCH] um: vector: fix NULL pointer derefs in queue-less\n transports","To":"Michael Bommarito <michael.bommarito@gmail.com>, richard@nod.at,\n johannes@sipsolutions.net","Cc":"linux-um@lists.infradead.org, linux-kernel@vger.kernel.org,\n stable@vger.kernel.org","References":"<20260410203028.3717914-1-michael.bommarito@gmail.com>","From":"Anton Ivanov <anton.ivanov@cambridgegreys.com>","Organization":"Cambridge Greys","In-Reply-To":"<20260410203028.3717914-1-michael.bommarito@gmail.com>"}}]
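Review bot: In vector_reset_stats() the first hunk deletes the comments that say which lock protects which counters (RX stats under the RX head_lock in vector_poll, TX stats under the TX head_lock in vector_send), although that rule still holds whenever the queues exist. Keep those comments and add one line noting that rx_queue and tx_queue may be NULL for TAP and HYBRID. With the new "if (vp->rx_queue)" and "if (vp->tx_queue)" guards the estats fields are also cleared with no lock held when a queue is absent, and the commit message should say why that is safe.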
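Review bot: In vector_poll() the new guard tests vp->rx_queue, while the branch directly after it tests (vp->options & VECTOR_RX) and the TX call above it tests (vp->options & VECTOR_TX). The commit message says the queues are allocated according to those flags, so pick one condition and use it for both the lock and the branch. When the guard is false, the else branch now runs with no head_lock held, and the matching "if (vp->rx_queue)" before spin_unlock sits several lines away from the lock; a short comment stating why the else path needs no lock would make the pairing reviewable.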
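Review bot: In vector_get_ethtool_stats() the four separate "if" guards keep the tx-then-rx lock order and the reverse unlock order, but when both queues are NULL (the TAP case from the commit message) the memcpy of vp->estats into tmp_stats runs with no lock at all. This is the same guarded lock and unlock pattern already added twice in vector_reset_stats(); a pair of small helpers that accept a NULL queue would remove the repetition and keep every lock visibly matched with its unlock.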