Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/926545/?format=api
{ "id": 926545, "url": "http://patchwork.ozlabs.org/api/patches/926545/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20180608000636.4338-1-jacob.e.keller@intel.com/", "project": { "id": 46, "url": "http://patchwork.ozlabs.org/api/projects/46/?format=api", "name": "Intel Wired Ethernet development", "link_name": "intel-wired-lan", "list_id": "intel-wired-lan.osuosl.org", "list_email": "intel-wired-lan@osuosl.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20180608000636.4338-1-jacob.e.keller@intel.com>", "list_archive_url": null, "date": "2018-06-08T00:06:36", "name": "fq_codel: fix NULL pointer deref in fq_codel_reset", "commit_ref": null, "pull_url": null, "state": "changes-requested", "archived": false, "hash": "ea905da3dc29781dd0ce9b12ed273095251d0215", "submitter": { "id": 9784, "url": "http://patchwork.ozlabs.org/api/people/9784/?format=api", "name": "Jacob Keller", "email": "jacob.e.keller@intel.com" }, "delegate": { "id": 68, "url": "http://patchwork.ozlabs.org/api/users/68/?format=api", "username": "jtkirshe", "first_name": "Jeff", "last_name": "Kirsher", "email": "jeffrey.t.kirsher@intel.com" }, "mbox": "http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20180608000636.4338-1-jacob.e.keller@intel.com/mbox/", "series": [ { "id": 49106, "url": "http://patchwork.ozlabs.org/api/series/49106/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=49106", "date": "2018-06-08T00:06:36", "name": "fq_codel: fix NULL pointer deref in fq_codel_reset", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/49106/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/926545/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/926545/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<intel-wired-lan-bounces@osuosl.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Delivered-To": [ "patchwork-incoming@bilbo.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Authentication-Results": [ "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=osuosl.org\n\t(client-ip=140.211.166.138; helo=whitealder.osuosl.org;\n\tenvelope-from=intel-wired-lan-bounces@osuosl.org;\n\treceiver=<UNKNOWN>)", "ozlabs.org;\n\tdmarc=fail (p=none dis=none) header.from=intel.com" ], "Received": [ "from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 4122lV1PFQz9s1R\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri, 8 Jun 2018 10:07:00 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby whitealder.osuosl.org (Postfix) with ESMTP id BD3D788EC6;\n\tFri, 8 Jun 2018 00:06:58 +0000 (UTC)", "from whitealder.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id 0XIK75rFUYb0; Fri, 8 Jun 2018 00:06:56 +0000 (UTC)", "from ash.osuosl.org (ash.osuosl.org [140.211.166.34])\n\tby whitealder.osuosl.org (Postfix) with ESMTP id B4AE388D8F;\n\tFri, 8 Jun 2018 00:06:56 +0000 (UTC)", "from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])\n\tby ash.osuosl.org (Postfix) with ESMTP id 774FC1C0C64\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tFri, 8 Jun 2018 00:06:52 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n\tby hemlock.osuosl.org (Postfix) with ESMTP id 827B888ED6\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tFri, 8 Jun 2018 00:06:47 +0000 (UTC)", "from hemlock.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id cF6b4NKRsmeA for <intel-wired-lan@lists.osuosl.org>;\n\tFri, 8 Jun 2018 00:06:45 +0000 (UTC)", "from mga03.intel.com (mga03.intel.com [134.134.136.65])\n\tby hemlock.osuosl.org (Postfix) with ESMTPS id 6BC6388E9F\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tFri, 8 Jun 2018 00:06:45 +0000 (UTC)", "from orsmga003.jf.intel.com ([10.7.209.27])\n\tby orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n\t07 Jun 2018 17:06:44 -0700", "from jekeller-desk.amr.corp.intel.com ([134.134.177.161])\n\tby orsmga003.jf.intel.com with ESMTP; 07 Jun 2018 17:06:44 -0700" ], "X-Virus-Scanned": [ "amavisd-new at osuosl.org", "amavisd-new at osuosl.org" ], "X-Greylist": "domain auto-whitelisted by SQLgrey-1.7.6", "X-Amp-Result": "SKIPPED(no attachment in message)", "X-Amp-File-Uploaded": "False", "X-ExtLoop1": "1", "X-IronPort-AV": "E=Sophos;i=\"5.49,488,1520924400\"; d=\"scan'208\";a=\"57476516\"", "From": "Jacob Keller <jacob.e.keller@intel.com>", "To": "Intel Wired LAN <intel-wired-lan@lists.osuosl.org>", "Date": "Thu, 7 Jun 2018 17:06:36 -0700", "Message-Id": "<20180608000636.4338-1-jacob.e.keller@intel.com>", "X-Mailer": "git-send-email 2.18.0.rc1.134.g5f29118f3507", "Subject": "[Intel-wired-lan] [PATCH] fq_codel: fix NULL pointer deref in\n\tfq_codel_reset", "X-BeenThere": "intel-wired-lan@osuosl.org", "X-Mailman-Version": "2.1.24", "Precedence": "list", "List-Id": "Intel Wired Ethernet Linux Kernel Driver Development\n\t<intel-wired-lan.osuosl.org>", "List-Unsubscribe": "<https://lists.osuosl.org/mailman/options/intel-wired-lan>, \n\t<mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>", "List-Archive": "<http://lists.osuosl.org/pipermail/intel-wired-lan/>", "List-Post": "<mailto:intel-wired-lan@osuosl.org>", "List-Help": "<mailto:intel-wired-lan-request@osuosl.org?subject=help>", "List-Subscribe": "<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>, \n\t<mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>", "Cc": "Eric Dumazet <edumazet@google.com>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "intel-wired-lan-bounces@osuosl.org", "Sender": "\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>" }, "content": "The function qdisc_create_dftl attempts to create a default qdisc. If\nthis fails, it calls qdisc_destroy when cleaning up. The qdisc_destroy\nfunction calls the ->reset op on the qdisc.\n\nIn the case of sch_fq_codel.c, this function will panic when the qdisc\nwasn't properly initialized:\n\n kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008\n kernel: IP: fq_codel_reset+0x58/0xd0 [sch_fq_codel]\n kernel: PGD 0 P4D 0\n kernel: Oops: 0000 [#1] SMP PTI\n kernel: Modules linked in: i40iw i40e(OE) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc devlink ebtable_filter ebtables ip6table_filter ip6_tables rpcrdma ib_isert iscsi_target_mod sunrpc ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_cstate iTCO_wdt iTCO_vendor_support intel_uncore ib_core intel_rapl_perf mei_me mei joydev i2c_i801 lpc_ich ioatdma shpchp wmi sch_fq_codel xfs libcrc32c mgag200 ixgbe drm_kms_helper isci ttm firewire_ohci\n kernel: mdio drm igb libsas crc32c_intel firewire_core ptp pps_core scsi_transport_sas crc_itu_t dca i2c_algo_bit ipmi_si ipmi_devintf ipmi_msghandler [last unloaded: i40e]\n kernel: CPU: 10 PID: 4219 Comm: ip Tainted: G OE 4.16.13custom-fq-codel-test+ #3\n kernel: Hardware name: Intel Corporation S2600CO/S2600CO, BIOS SE5C600.86B.02.05.0004.051120151007 05/11/2015\n kernel: RIP: 0010:fq_codel_reset+0x58/0xd0 [sch_fq_codel]\n kernel: RSP: 0018:ffffbfbf4c1fb620 EFLAGS: 00010246\n kernel: RAX: 0000000000000400 RBX: 0000000000000000 RCX: 00000000000005b9\n kernel: RDX: 0000000000000000 RSI: ffff9d03264a60c0 RDI: ffff9cfd17b31c00\n kernel: RBP: 0000000000000001 R08: 00000000000260c0 R09: ffffffffb679c3e9\n kernel: R10: fffff1dab06a0e80 R11: ffff9cfd163af800 R12: ffff9cfd17b31c00\n kernel: R13: 0000000000000001 R14: ffff9cfd153de600 R15: 0000000000000001\n kernel: FS: 00007fdec2f92800(0000) GS:ffff9d0326480000(0000) knlGS:0000000000000000\n kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000008 CR3: 0000000c1956a006 CR4: 00000000000606e0\n kernel: Call Trace:\n kernel: qdisc_destroy+0x56/0x140\n kernel: qdisc_create_dflt+0x8b/0xb0\n kernel: mq_init+0xc1/0xf0\n kernel: qdisc_create_dflt+0x5a/0xb0\n kernel: dev_activate+0x205/0x230\n kernel: __dev_open+0xf5/0x160\n kernel: __dev_change_flags+0x1a3/0x210\n kernel: dev_change_flags+0x21/0x60\n kernel: do_setlink+0x660/0xdf0\n kernel: ? down_trylock+0x25/0x30\n kernel: ? xfs_buf_trylock+0x1a/0xd0 [xfs]\n kernel: ? rtnl_newlink+0x816/0x990\n kernel: ? _xfs_buf_find+0x327/0x580 [xfs]\n kernel: ? _cond_resched+0x15/0x30\n kernel: ? kmem_cache_alloc+0x20/0x1b0\n kernel: ? rtnetlink_rcv_msg+0x200/0x2f0\n kernel: ? rtnl_calcit.isra.30+0x100/0x100\n kernel: ? netlink_rcv_skb+0x4c/0x120\n kernel: ? netlink_unicast+0x19e/0x260\n kernel: ? netlink_sendmsg+0x1ff/0x3c0\n kernel: ? sock_sendmsg+0x36/0x40\n kernel: ? ___sys_sendmsg+0x295/0x2f0\n kernel: ? ebitmap_cmp+0x6d/0x90\n kernel: ? dev_get_by_name_rcu+0x73/0x90\n kernel: ? skb_dequeue+0x52/0x60\n kernel: ? __inode_wait_for_writeback+0x7f/0xf0\n kernel: ? bit_waitqueue+0x30/0x30\n kernel: ? fsnotify_grab_connector+0x3c/0x60\n kernel: ? __sys_sendmsg+0x51/0x90\n kernel: ? do_syscall_64+0x74/0x180\n kernel: ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2\n kernel: Code: 00 00 48 89 87 00 02 00 00 8b 87 a0 01 00 00 85 c0 0f 84 84 00 00 00 31 ed 48 63 dd 83 c5 01 48 c1 e3 06 49 03 9c 24 90 01 00 00 <48> 8b 73 08 48 8b 3b e8 6c 9a 4f f6 48 8d 43 10 48 c7 03 00 00\n kernel: RIP: fq_codel_reset+0x58/0xd0 [sch_fq_codel] RSP: ffffbfbf4c1fb620\n kernel: CR2: 0000000000000008\n kernel: ---[ end trace e81a62bede66274e ]---\n\nThis occurs because if fq_codel_init fails, it has left the private data\nin an incomplete state. For example, if tcf_block_get fails, (as in the\nabove panic), then q->flows and q->backlogs will be NULL. Thus they will\ncause NULL pointer access when attempting to reset them in\nfq_codel_reset.\n\nWe could mitigate some of these issues by changing fq_codel_init to more\nexplicitly cleanup after itself when failing. For example, we could\nensure that q->flowcnt was set to 0 so that the loop over each flow in\nfq_codel_reset would not trigger. However, this would not prevent a NULL\npointer dereference when attempting to memset the q->backlogs.\n\nInstead, just add a NULL check prior to attempting to reset these\nfields.\n\nSigned-off-by: Jacob Keller <jacob.e.keller@intel.com>\nCc: Eric Dumazet <edumazet@google.com>\n---\n net/sched/sch_fq_codel.c | 15 +++++++++------\n 1 file changed, 9 insertions(+), 6 deletions(-)", "diff": "diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c\nindex 22fa13cf5d8b..1658c314ee40 100644\n--- a/net/sched/sch_fq_codel.c\n+++ b/net/sched/sch_fq_codel.c\n@@ -352,14 +352,17 @@ static void fq_codel_reset(struct Qdisc *sch)\n \n \tINIT_LIST_HEAD(&q->new_flows);\n \tINIT_LIST_HEAD(&q->old_flows);\n-\tfor (i = 0; i < q->flows_cnt; i++) {\n-\t\tstruct fq_codel_flow *flow = q->flows + i;\n+\tif (q->flows) {\n+\t\tfor (i = 0; i < q->flows_cnt; i++) {\n+\t\t\tstruct fq_codel_flow *flow = q->flows + i;\n \n-\t\tfq_codel_flow_purge(flow);\n-\t\tINIT_LIST_HEAD(&flow->flowchain);\n-\t\tcodel_vars_init(&flow->cvars);\n+\t\t\tfq_codel_flow_purge(flow);\n+\t\t\tINIT_LIST_HEAD(&flow->flowchain);\n+\t\t\tcodel_vars_init(&flow->cvars);\n+\t\t}\n \t}\n-\tmemset(q->backlogs, 0, q->flows_cnt * sizeof(u32));\n+\tif (q->backlogs)\n+\t\tmemset(q->backlogs, 0, q->flows_cnt * sizeof(u32));\n \tsch->q.qlen = 0;\n \tsch->qstats.backlog = 0;\n \tq->memory_usage = 0;\n", "prefixes": [] }