diff mbox

Re: probably bug in drr scheduler, 2.6.29-rc5

Message ID	20090227101634.GD4156@ff.dom.local
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:mime-version:content-type :content-disposition:in-reply-to:user-agent; b=ON6yPdjQx8zceIHCWB26Yu3wl00BTXGu5KRk0CQGjgZTTl16XpGLtEDWNDgUQODWUC RZ9nfYSzpIV6fkgkIepaKLbMiASkAPkCdt1kSpsbv3o7SD5kGhDLvDfMZf+rkO8w6yYA EjCGNZ/0Z9qepNx8FelanJ3HiHGea4iQJEFPE= Date: Fri, 27 Feb 2009 10:16:34 +0000 From: Jarek Poplawski <jarkao2@gmail.com> To: David Miller <davem@davemloft.net> Cc: Denys Fedoryschenko <denys@visp.net.lb>, netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net> Subject: [PATCH] Re: probably bug in drr scheduler, 2.6.29-rc5 Message-ID: <20090227101634.GD4156@ff.dom.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200902261745.28952.denys@visp.net.lb> User-Agent: Mutt/1.5.18 (2008-05-17) Sender: netdev-owner@vger.kernel.org Precedence: bulk

Commit Message

Jarek Poplawski Feb. 27, 2009, 10:16 a.m. UTC

On 26-02-2009 16:45, Denys Fedoryschenko wrote:
> Hi, triggered a bug in DRR seems
...
> [65298.391392] BUG: unable to handle kernel NULL pointer dereference at (null)
> [65298.391397] IP: [<ffffffffa0021700>] drr_change_class+0x39/0x2de [sch_drr]
...

Thanks for the report,
Jarek P.
----------->
pkt_sched: sch_drr: Fix oops in drr_change_class.

drr_change_class lacks a check for NULL of tca[TCA_OPTIONS], so oops
is possible.

Reported-by: Denys Fedoryschenko <denys@visp.net.lb>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
---

 net/sched/sch_drr.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

David Miller Feb. 27, 2009, 10:46 a.m. UTC | #1

From: Jarek Poplawski <jarkao2@gmail.com>
Date: Fri, 27 Feb 2009 10:16:34 +0000

> pkt_sched: sch_drr: Fix oops in drr_change_class.
> 
> drr_change_class lacks a check for NULL of tca[TCA_OPTIONS], so oops
> is possible.
> 
> Reported-by: Denys Fedoryschenko <denys@visp.net.lb>
> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>

Applied and queued up for -stable, thanks Jarek!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Jarek Poplawski Feb. 27, 2009, 11:01 a.m. UTC | #2

On Fri, Feb 27, 2009 at 02:46:13AM -0800, David Miller wrote:
> From: Jarek Poplawski <jarkao2@gmail.com>
> Date: Fri, 27 Feb 2009 10:16:34 +0000
> 
> > pkt_sched: sch_drr: Fix oops in drr_change_class.
> > 
> > drr_change_class lacks a check for NULL of tca[TCA_OPTIONS], so oops
> > is possible.
> > 
> > Reported-by: Denys Fedoryschenko <denys@visp.net.lb>
> > Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
> 
> Applied and queued up for -stable, thanks Jarek!

Hmm... if 2.6.29-rcX means -stable...

Thanks,
Jarek P. 
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

David Miller Feb. 27, 2009, 11:16 a.m. UTC | #3

From: Jarek Poplawski <jarkao2@gmail.com>
Date: Fri, 27 Feb 2009 11:01:37 +0000

> On Fri, Feb 27, 2009 at 02:46:13AM -0800, David Miller wrote:
> > From: Jarek Poplawski <jarkao2@gmail.com>
> > Date: Fri, 27 Feb 2009 10:16:34 +0000
> > 
> > > pkt_sched: sch_drr: Fix oops in drr_change_class.
> > > 
> > > drr_change_class lacks a check for NULL of tca[TCA_OPTIONS], so oops
> > > is possible.
> > > 
> > > Reported-by: Denys Fedoryschenko <denys@visp.net.lb>
> > > Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
> > 
> > Applied and queued up for -stable, thanks Jarek!
> 
> Hmm... if 2.6.29-rcX means -stable...

This bug doesn't exist in earlier releases like 2.6.28 and 2.6.27?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Jarek Poplawski Feb. 27, 2009, 11:25 a.m. UTC | #4

On Fri, Feb 27, 2009 at 03:16:20AM -0800, David Miller wrote:
...
> This bug doesn't exist in earlier releases like 2.6.28 and 2.6.27?

Yes, sch_drr is 2.6.29 born.

Jarek P.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

David Miller Feb. 27, 2009, 1:18 p.m. UTC | #5

From: Jarek Poplawski <jarkao2@gmail.com>
Date: Fri, 27 Feb 2009 11:25:00 +0000

> On Fri, Feb 27, 2009 at 03:16:20AM -0800, David Miller wrote:
> ...
> > This bug doesn't exist in earlier releases like 2.6.28 and 2.6.27?
> 
> Yes, sch_drr is 2.6.29 born.

Perfect, nothing to queue up for -stable then :-)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff mbox

Patch

diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c
index f6b4fa9..e36e94a 100644
--- a/net/sched/sch_drr.c
+++ b/net/sched/sch_drr.c
@@ -66,11 +66,15 @@  static int drr_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
 {
 	struct drr_sched *q = qdisc_priv(sch);
 	struct drr_class *cl = (struct drr_class *)*arg;
+	struct nlattr *opt = tca[TCA_OPTIONS];
 	struct nlattr *tb[TCA_DRR_MAX + 1];
 	u32 quantum;
 	int err;
 
-	err = nla_parse_nested(tb, TCA_DRR_MAX, tca[TCA_OPTIONS], drr_policy);
+	if (!opt)
+		return -EINVAL;
+
+	err = nla_parse_nested(tb, TCA_DRR_MAX, opt, drr_policy);
 	if (err < 0)
 		return err;