Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/807538/?format=api
{ "id": 807538, "url": "http://patchwork.ozlabs.org/api/patches/807538/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/1504086545-7777-3-git-send-email-nikolay@cumulusnetworks.com/", "project": { "id": 7, "url": "http://patchwork.ozlabs.org/api/projects/7/?format=api", "name": "Linux network development", "link_name": "netdev", "list_id": "netdev.vger.kernel.org", "list_email": "netdev@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<1504086545-7777-3-git-send-email-nikolay@cumulusnetworks.com>", "list_archive_url": null, "date": "2017-08-30T09:48:58", "name": "[net,2/9] sch_multiq: fix double free on init failure", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "1b776c8d739df432db4b957862ac2c2d86241cd9", "submitter": { "id": 66448, "url": "http://patchwork.ozlabs.org/api/people/66448/?format=api", "name": "Nikolay Aleksandrov", "email": "nikolay@cumulusnetworks.com" }, "delegate": { "id": 34, "url": "http://patchwork.ozlabs.org/api/users/34/?format=api", "username": "davem", "first_name": "David", "last_name": "Miller", "email": "davem@davemloft.net" }, "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/1504086545-7777-3-git-send-email-nikolay@cumulusnetworks.com/mbox/", "series": [ { "id": 565, "url": "http://patchwork.ozlabs.org/api/series/565/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=565", "date": "2017-08-30T09:48:56", "name": "net/sched: init failure fixes", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/565/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/807538/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/807538/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<netdev-owner@vger.kernel.org>", "X-Original-To": "patchwork-incoming@ozlabs.org", "Delivered-To": "patchwork-incoming@ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)", "ozlabs.org; dkim=pass (1024-bit key;\n\tunprotected) header.d=cumulusnetworks.com\n\theader.i=@cumulusnetworks.com header.b=\"BEiJ8HIj\"; \n\tdkim-atps=neutral" ], "Received": [ "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xj11j0xmvz9sNn\n\tfor <patchwork-incoming@ozlabs.org>;\n\tWed, 30 Aug 2017 19:49:29 +1000 (AEST)", "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751920AbdH3JtZ (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tWed, 30 Aug 2017 05:49:25 -0400", "from mail-wm0-f47.google.com ([74.125.82.47]:37733 \"EHLO\n\tmail-wm0-f47.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751298AbdH3JtX (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Wed, 30 Aug 2017 05:49:23 -0400", "by mail-wm0-f47.google.com with SMTP id u26so7039791wma.0\n\tfor <netdev@vger.kernel.org>; Wed, 30 Aug 2017 02:49:22 -0700 (PDT)", "from debil.mediahub-bg.com (46-10-142-144.ip.btc-net.bg.\n\t[46.10.142.144]) by smtp.gmail.com with ESMTPSA id\n\to206sm1113294wmo.10.2017.08.30.02.49.19\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);\n\tWed, 30 Aug 2017 02:49:19 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=cumulusnetworks.com; s=google;\n\th=from:to:cc:subject:date:message-id:in-reply-to:references;\n\tbh=vZfecpkuVKUQNFBtw68Q3Q2c6qMyRft+aJs8yc9HpLM=;\n\tb=BEiJ8HIj/97UPdTWVk1CnXFH2Ps9l1i3qhLeLgBr/HnkFiJYPfF6DR9SpP1BfPG18J\n\tXxcATyf5q7iV0lIOtvG2uG/BlmbK7wJwrKvZSgnnE2TwwT14PZWwWfr30EfvXHnNVtzF\n\t168YGwUCQyHD6KRn9drj2cSyZTkvU5iu0eNxc=", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to\n\t:references;\n\tbh=vZfecpkuVKUQNFBtw68Q3Q2c6qMyRft+aJs8yc9HpLM=;\n\tb=P5JtHNsmBF+JKH17iSHbpH08b+3IlmvKJj16groAF7ScJ8aTEJ1fKgHMwZ2vksTkql\n\t9Owcbe9tNswUwdu7jOkOqjBxgNlu+XhouRMcsAhML1P8j68A/d5z/rTGeXwMEqhbuS92\n\ttYOqk4IOcC9DnzZPU75UETgYOLNy09xJZlHK6hRt76d3FFjZwHv/AEJvLMf/3Ly/pohB\n\tw5MkuJ4q8KOhHfvSrw7R2qBhiYrUArvLxgikUYQzVnBR2FB8pWrreuMnOvu3Pr2hMDVd\n\t+Zf2cC9gKSMFRg8U0vRtiRTHFTSNDBBcsANlUeBk9T91vWskYScW8h0X0GmWImXkBZ+h\n\tgnTQ==", "X-Gm-Message-State": "AHYfb5iYCcjtIb0ZUaPk67aCaMdoLXrutVtvxaBOxHpv5ohKg4IGbuS/\n\tKhD/mJkEhTsuw4ZfPlI=", "X-Received": "by 10.28.229.206 with SMTP id c197mr853740wmh.193.1504086560923; \n\tWed, 30 Aug 2017 02:49:20 -0700 (PDT)", "From": "Nikolay Aleksandrov <nikolay@cumulusnetworks.com>", "To": "netdev@vger.kernel.org", "Cc": "edumazet@google.com, jhs@mojatatu.com, xiyou.wangcong@gmail.com,\n\tjiri@resnulli.us, roopa@cumulusnetworks.com,\n\tNikolay Aleksandrov <nikolay@cumulusnetworks.com>", "Subject": "[PATCH net 2/9] sch_multiq: fix double free on init failure", "Date": "Wed, 30 Aug 2017 12:48:58 +0300", "Message-Id": "<1504086545-7777-3-git-send-email-nikolay@cumulusnetworks.com>", "X-Mailer": "git-send-email 2.1.4", "In-Reply-To": "<1504086545-7777-1-git-send-email-nikolay@cumulusnetworks.com>", "References": "<1504086545-7777-1-git-send-email-nikolay@cumulusnetworks.com>", "Sender": "netdev-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<netdev.vger.kernel.org>", "X-Mailing-List": "netdev@vger.kernel.org" }, "content": "The below commit added a call to ->destroy() on init failure, but multiq\nstill frees ->queues on error in init, but ->queues is also freed by\n->destroy() thus we get double free and corrupted memory.\n\nVery easy to reproduce (eth0 not multiqueue):\n$ tc qdisc add dev eth0 root multiq\nRTNETLINK answers: Operation not supported\n$ ip l add dumdum type dummy\n(crash)\n\nTrace log:\n[ 3929.467747] general protection fault: 0000 [#1] SMP\n[ 3929.468083] Modules linked in:\n[ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56\n[ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014\n[ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000\n[ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be\n[ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246\n[ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df\n[ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020\n[ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000\n[ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564\n[ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00\n[ 3929.471869] FS: 00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000\n[ 3929.472286] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0\n[ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 3929.474873] Call Trace:\n[ 3929.475337] ? kstrdup_const+0x23/0x25\n[ 3929.475863] kstrdup+0x2e/0x4b\n[ 3929.476338] kstrdup_const+0x23/0x25\n[ 3929.478084] __kernfs_new_node+0x28/0xbc\n[ 3929.478478] kernfs_new_node+0x35/0x55\n[ 3929.478929] kernfs_create_link+0x23/0x76\n[ 3929.479478] sysfs_do_create_link_sd.isra.2+0x85/0xd7\n[ 3929.480096] sysfs_create_link+0x33/0x35\n[ 3929.480649] device_add+0x200/0x589\n[ 3929.481184] netdev_register_kobject+0x7c/0x12f\n[ 3929.481711] register_netdevice+0x373/0x471\n[ 3929.482174] rtnl_newlink+0x614/0x729\n[ 3929.482610] ? rtnl_newlink+0x17f/0x729\n[ 3929.483080] rtnetlink_rcv_msg+0x188/0x197\n[ 3929.483533] ? rcu_read_unlock+0x3e/0x5f\n[ 3929.483984] ? rtnl_newlink+0x729/0x729\n[ 3929.484420] netlink_rcv_skb+0x6c/0xce\n[ 3929.484858] rtnetlink_rcv+0x23/0x2a\n[ 3929.485291] netlink_unicast+0x103/0x181\n[ 3929.485735] netlink_sendmsg+0x326/0x337\n[ 3929.486181] sock_sendmsg_nosec+0x14/0x3f\n[ 3929.486614] sock_sendmsg+0x29/0x2e\n[ 3929.486973] ___sys_sendmsg+0x209/0x28b\n[ 3929.487340] ? do_raw_spin_unlock+0xcd/0xf8\n[ 3929.487719] ? _raw_spin_unlock+0x27/0x31\n[ 3929.488092] ? __handle_mm_fault+0x651/0xdb1\n[ 3929.488471] ? check_chain_key+0xb0/0xfd\n[ 3929.488847] __sys_sendmsg+0x45/0x63\n[ 3929.489206] ? __sys_sendmsg+0x45/0x63\n[ 3929.489576] SyS_sendmsg+0x19/0x1b\n[ 3929.489901] entry_SYSCALL_64_fastpath+0x23/0xc2\n[ 3929.490172] RIP: 0033:0x7f0b6fb93690\n[ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n[ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690\n[ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003\n[ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000\n[ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002\n[ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000\n[ 3929.492352] ? trace_hardirqs_off_caller+0xa7/0xcf\n[ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44\n89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d\n8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01\n[ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0\n\nFixes: 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\")\nFixes: f07d1501292b (\"multiq: Further multiqueue cleanup\")\nSigned-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>\n---\n net/sched/sch_multiq.c | 7 +------\n 1 file changed, 1 insertion(+), 6 deletions(-)", "diff": "diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c\nindex f143b7bbaa0d..9c454f5d6c38 100644\n--- a/net/sched/sch_multiq.c\n+++ b/net/sched/sch_multiq.c\n@@ -257,12 +257,7 @@ static int multiq_init(struct Qdisc *sch, struct nlattr *opt)\n \tfor (i = 0; i < q->max_bands; i++)\n \t\tq->queues[i] = &noop_qdisc;\n \n-\terr = multiq_tune(sch, opt);\n-\n-\tif (err)\n-\t\tkfree(q->queues);\n-\n-\treturn err;\n+\treturn multiq_tune(sch, opt);\n }\n \n static int multiq_dump(struct Qdisc *sch, struct sk_buff *skb)\n", "prefixes": [ "net", "2/9" ] }