Patch Detail
GET /api/patches/807566/?format=api
{ "id": 807566, "url": "http://patchwork.ozlabs.org/api/patches/807566/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/1504086545-7777-6-git-send-email-nikolay@cumulusnetworks.com/", "project": { "id": 7, "url": "http://patchwork.ozlabs.org/api/projects/7/?format=api", "name": "Linux network development", "link_name": "netdev", "list_id": "netdev.vger.kernel.org", "list_email": "netdev@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<1504086545-7777-6-git-send-email-nikolay@cumulusnetworks.com>", "list_archive_url": null, "date": "2017-08-30T09:49:01", "name": "[net,5/9] sch_cbq: fix null pointer dereferences on init failure", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "da2180c57fed5f8441500deb781bc3ca5c3cf318", "submitter": { "id": 66448, "url": "http://patchwork.ozlabs.org/api/people/66448/?format=api", "name": "Nikolay Aleksandrov", "email": "nikolay@cumulusnetworks.com" }, "delegate": { "id": 34, "url": "http://patchwork.ozlabs.org/api/users/34/?format=api", "username": "davem", "first_name": "David", "last_name": "Miller", "email": "davem@davemloft.net" }, "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/1504086545-7777-6-git-send-email-nikolay@cumulusnetworks.com/mbox/", "series": [ { "id": 565, "url": "http://patchwork.ozlabs.org/api/series/565/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=565", "date": "2017-08-30T09:48:56", "name": "net/sched: init failure fixes", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/565/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/807566/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/807566/checks/", "tags": {}, "related": [], "headers": { 
"From": "Nikolay Aleksandrov <nikolay@cumulusnetworks.com>", "To": "netdev@vger.kernel.org", "Cc": "edumazet@google.com, jhs@mojatatu.com, xiyou.wangcong@gmail.com,\n\tjiri@resnulli.us, roopa@cumulusnetworks.com,\n\tNikolay Aleksandrov <nikolay@cumulusnetworks.com>", "Subject": "[PATCH net 5/9] sch_cbq: fix null pointer dereferences on init\n\tfailure", "Date": "Wed, 30 Aug 2017 12:49:01 +0300", "Message-Id": "<1504086545-7777-6-git-send-email-nikolay@cumulusnetworks.com>", "X-Mailer": "git-send-email 2.1.4", "In-Reply-To": "<1504086545-7777-1-git-send-email-nikolay@cumulusnetworks.com>", "References": "<1504086545-7777-1-git-send-email-nikolay@cumulusnetworks.com>", "Sender": "netdev-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<netdev.vger.kernel.org>", "X-Mailing-List": "netdev@vger.kernel.org" }, "content": "CBQ can fail on ->init by wrong nl attributes or simply for missing any,\nf.e. if it's set as a default qdisc then TCA_OPTIONS (opt) will be NULL\nwhen it is activated. 
The first thing init does is parse opt but it will\ndereference a null pointer if used as a default qdisc, also since init\nfailure at default qdisc invokes ->reset() which cancels all timers then\nwe'll also dereference two more null pointers (timer->base) as they were\nnever initialized.\n\nTo reproduce:\n$ sysctl net.core.default_qdisc=cbq\n$ ip l set ethX up\n\nCrash log of the first null ptr deref:\n[44727.907454] BUG: unable to handle kernel NULL pointer dereference at (null)\n[44727.907600] IP: cbq_init+0x27/0x205\n[44727.907676] PGD 59ff4067\n[44727.907677] P4D 59ff4067\n[44727.907742] PUD 59c70067\n[44727.907807] PMD 0\n[44727.907873]\n[44727.907982] Oops: 0000 [#1] SMP\n[44727.908054] Modules linked in:\n[44727.908126] CPU: 1 PID: 21312 Comm: ip Not tainted 4.13.0-rc6+ #60\n[44727.908235] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014\n[44727.908477] task: ffff88005ad42700 task.stack: ffff880037214000\n[44727.908672] RIP: 0010:cbq_init+0x27/0x205\n[44727.908838] RSP: 0018:ffff8800372175f0 EFLAGS: 00010286\n[44727.909018] RAX: ffffffff816c3852 RBX: ffff880058c53800 RCX: 0000000000000000\n[44727.909222] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff8800372175f8\n[44727.909427] RBP: ffff880037217650 R08: ffffffff81b0f380 R09: 0000000000000000\n[44727.909631] R10: ffff880037217660 R11: 0000000000000020 R12: ffffffff822a44c0\n[44727.909835] R13: ffff880058b92000 R14: 00000000ffffffff R15: 0000000000000001\n[44727.910040] FS: 00007ff8bc583740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000\n[44727.910339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[44727.910525] CR2: 0000000000000000 CR3: 00000000371e5000 CR4: 00000000000406e0\n[44727.910731] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[44727.910936] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[44727.911141] Call Trace:\n[44727.911291] ? lockdep_init_map+0xb6/0x1ba\n[44727.911461] ? 
qdisc_alloc+0x14e/0x187\n[44727.911626] qdisc_create_dflt+0x7a/0x94\n[44727.911794] ? dev_activate+0x129/0x129\n[44727.911959] attach_one_default_qdisc+0x36/0x63\n[44727.912132] netdev_for_each_tx_queue+0x3d/0x48\n[44727.912305] dev_activate+0x4b/0x129\n[44727.912468] __dev_open+0xe7/0x104\n[44727.912631] __dev_change_flags+0xc6/0x15c\n[44727.912799] dev_change_flags+0x25/0x59\n[44727.912966] do_setlink+0x30c/0xb3f\n[44727.913129] ? check_chain_key+0xb0/0xfd\n[44727.913294] ? check_chain_key+0xb0/0xfd\n[44727.913463] rtnl_newlink+0x3a4/0x729\n[44727.913626] ? rtnl_newlink+0x117/0x729\n[44727.913801] ? ns_capable_common+0xd/0xb1\n[44727.913968] ? ns_capable+0x13/0x15\n[44727.914131] rtnetlink_rcv_msg+0x188/0x197\n[44727.914300] ? rcu_read_unlock+0x3e/0x5f\n[44727.914465] ? rtnl_newlink+0x729/0x729\n[44727.914630] netlink_rcv_skb+0x6c/0xce\n[44727.914796] rtnetlink_rcv+0x23/0x2a\n[44727.914956] netlink_unicast+0x103/0x181\n[44727.915122] netlink_sendmsg+0x326/0x337\n[44727.915291] sock_sendmsg_nosec+0x14/0x3f\n[44727.915459] sock_sendmsg+0x29/0x2e\n[44727.915619] ___sys_sendmsg+0x209/0x28b\n[44727.915784] ? do_raw_spin_unlock+0xcd/0xf8\n[44727.915954] ? _raw_spin_unlock+0x27/0x31\n[44727.916121] ? __handle_mm_fault+0x651/0xdb1\n[44727.916290] ? check_chain_key+0xb0/0xfd\n[44727.916461] __sys_sendmsg+0x45/0x63\n[44727.916626] ? 
__sys_sendmsg+0x45/0x63\n[44727.916792] SyS_sendmsg+0x19/0x1b\n[44727.916950] entry_SYSCALL_64_fastpath+0x23/0xc2\n[44727.917125] RIP: 0033:0x7ff8bbc96690\n[44727.917286] RSP: 002b:00007ffc360991e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n[44727.917579] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007ff8bbc96690\n[44727.917783] RDX: 0000000000000000 RSI: 00007ffc36099230 RDI: 0000000000000003\n[44727.917987] RBP: ffff880037217f98 R08: 0000000000000001 R09: 0000000000000003\n[44727.918190] R10: 00007ffc36098fb0 R11: 0000000000000246 R12: 0000000000000006\n[44727.918393] R13: 000000000066f1a0 R14: 00007ffc360a12e0 R15: 0000000000000000\n[44727.918597] ? trace_hardirqs_off_caller+0xa7/0xcf\n[44727.918774] Code: 41 5f 5d c3 66 66 66 66 90 55 48 8d 56 04 45 31 c9\n49 c7 c0 80 f3 b0 81 48 89 e5 41 55 41 54 53 48 89 fb 48 8d 7d a8 48 83\nec 48 <0f> b7 0e be 07 00 00 00 83 e9 04 e8 e6 f7 d8 ff 85 c0 0f 88 bb\n[44727.919332] RIP: cbq_init+0x27/0x205 RSP: ffff8800372175f0\n[44727.919516] CR2: 0000000000000000\n\nFixes: 0fbbeb1ba43b (\"[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()\")\nSigned-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>\n---\n net/sched/sch_cbq.c | 10 +++++++---\n 1 file changed, 7 insertions(+), 3 deletions(-)", "diff": "diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c\nindex 780db43300b1..156c8a33c677 100644\n--- a/net/sched/sch_cbq.c\n+++ b/net/sched/sch_cbq.c\n@@ -1139,6 +1139,13 @@ static int cbq_init(struct Qdisc *sch, struct nlattr *opt)\n \tstruct tc_ratespec *r;\n \tint err;\n \n+\tqdisc_watchdog_init(&q->watchdog, sch);\n+\thrtimer_init(&q->delay_timer, CLOCK_MONOTONIC, HRTIMER_MODE_ABS_PINNED);\n+\tq->delay_timer.function = cbq_undelay;\n+\n+\tif (!opt)\n+\t\treturn -EINVAL;\n+\n \terr = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy, NULL);\n \tif (err < 0)\n \t\treturn err;\n@@ -1177,9 +1184,6 @@ static int cbq_init(struct Qdisc *sch, struct nlattr *opt)\n \tq->link.avpkt = q->link.allot/2;\n 
\tq->link.minidle = -0x7FFFFFFF;\n \n-\tqdisc_watchdog_init(&q->watchdog, sch);\n-\thrtimer_init(&q->delay_timer, CLOCK_MONOTONIC, HRTIMER_MODE_ABS_PINNED);\n-\tq->delay_timer.function = cbq_undelay;\n \tq->toplevel = TC_CBQ_MAXLEVEL;\n \tq->now = psched_get_time();\n \n", "prefixes": [ "net", "5/9" ] }
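Review bot: In the first hunk (@@ -1139 in cbq_init()), the timer setup now sits above `if (!opt) return -EINVAL;` but nothing in the code says why it has to run before every early return. The commit message gives the reason: a failed init is followed by ->reset(), which cancels q->watchdog and q->delay_timer. A short comment above qdisc_watchdog_init() stating that dependency would stop a later cleanup from moving the block back below nla_parse_nested(), where both the new !opt return and the existing `if (err < 0) return err;` would again leave the timers uninitialized.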
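Review bot: In the second hunk (@@ -1177 in cbq_init()), q->toplevel and q->now are left where they were, so they are still assigned only after attribute parsing has succeeded and are not set on the new -EINVAL return or on the nla_parse_nested() failure return. Since the commit message says ->reset() runs after a failed init, please confirm that the reset path does not rely on cbq_init() having set either field, and say so in the commit message; if it does rely on them, they belong with the timer setup moved in the first hunk.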