{"id":807539,"url":"http://patchwork.ozlabs.org/api/1.0/patches/807539/?format=json","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/1.0/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<1504086545-7777-5-git-send-email-nikolay@cumulusnetworks.com>","date":"2017-08-30T09:49:00","name":"[net,4/9] sch_hfsc: fix null pointer deref and double free on init failure","commit_ref":null,"pull_url":null,"state":"accepted","archived":true,"hash":"e08590cf2bf525628493e501387cdd8939043cba","submitter":{"id":66448,"url":"http://patchwork.ozlabs.org/api/1.0/people/66448/?format=json","name":"Nikolay Aleksandrov","email":"nikolay@cumulusnetworks.com"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/1.0/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/1504086545-7777-5-git-send-email-nikolay@cumulusnetworks.com/mbox/","series":[{"id":565,"url":"http://patchwork.ozlabs.org/api/1.0/series/565/?format=json","date":"2017-08-30T09:48:56","name":"net/sched: init failure fixes","version":1,"mbox":"http://patchwork.ozlabs.org/series/565/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/807539/checks/","tags":{},"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","ozlabs.org; dkim=pass (1024-bit key;\n\tunprotected) header.d=cumulusnetworks.com\n\theader.i=@cumulusnetworks.com header.b=\"MY73OjFl\"; \n\tdkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xj11l10k2z9sNn\n\tfor <patchwork-incoming@ozlabs.org>;\n\tWed, 30 Aug 2017 19:49:31 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751926AbdH3Jt2 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tWed, 30 Aug 2017 05:49:28 -0400","from mail-wm0-f49.google.com ([74.125.82.49]:35869 \"EHLO\n\tmail-wm0-f49.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751298AbdH3Jt0 (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Wed, 30 Aug 2017 05:49:26 -0400","by mail-wm0-f49.google.com with SMTP id u126so6400169wmg.1\n\tfor <netdev@vger.kernel.org>; Wed, 30 Aug 2017 02:49:25 -0700 (PDT)","from debil.mediahub-bg.com (46-10-142-144.ip.btc-net.bg.\n\t[46.10.142.144]) by smtp.gmail.com with ESMTPSA id\n\to206sm1113294wmo.10.2017.08.30.02.49.23\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);\n\tWed, 30 Aug 2017 02:49:23 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=cumulusnetworks.com; s=google;\n\th=from:to:cc:subject:date:message-id:in-reply-to:references;\n\tbh=2JcZMHm/3MeXezq0LVPiWQ47Wn65fVDL2Uub7fvbnts=;\n\tb=MY73OjFlQqVJVUJIK8f3gKkcteJBh5V5+LVqDSgZtr1gfCL4Ngy4MWgNPdqvJ8yhPL\n\tW8S7/cpd1RItDUtAahCUT77Gt9hbYqHQAsSRDqAb7+5dU6EEjxogqyQGrLGlUmgn65WK\n\txEeQwkSnYYAG0x2jePnZBFwepoia3pN7UZU3A=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to\n\t:references;\n\tbh=2JcZMHm/3MeXezq0LVPiWQ47Wn65fVDL2Uub7fvbnts=;\n\tb=tZ5m+y+TkyyyXTceZew3SQcDqFV4SJa/b3WeFrWfru0RyVIdu2EjTOotIn+rtWUJjO\n\tCjgcikBnbAr50L986NkvorzkFWG/AoVxNpi1DdrYoJEsFHdXfYyCedRXw8etzB0vruJz\n\tB4owi54I23faMflsnvHNjZJU6uEis6RI35Tr20pNopxldXaZyR9tbGBih9qLRBFekFE7\n\tAtLKlesJzAQSbI7Y/Op2L/HWwwR2C6bdWIFy/TnwYuF7piA20QuEcRgZzw5L2TCXCGW4\n\t+aAmztf6e6tsv4SdgyZJ6lUjuoTb97Q7rhJWmIFuj7oOA/QFXRMIKZ/pMQzfyFCyfYwj\n\tCZYQ==","X-Gm-Message-State":"AHYfb5gpp13jZhxQ8zvyxC5GZBbmae4yY+OsAkg35UnD6fzv6djKhCc9\n\tFJb4wIGLPMqkboaFCH4=","X-Received":"by 10.28.88.199 with SMTP id m190mr816351wmb.183.1504086564407; \n\tWed, 30 Aug 2017 02:49:24 -0700 (PDT)","From":"Nikolay Aleksandrov <nikolay@cumulusnetworks.com>","To":"netdev@vger.kernel.org","Cc":"edumazet@google.com, jhs@mojatatu.com, xiyou.wangcong@gmail.com,\n\tjiri@resnulli.us, roopa@cumulusnetworks.com,\n\tNikolay Aleksandrov <nikolay@cumulusnetworks.com>","Subject":"[PATCH net 4/9] sch_hfsc: fix null pointer deref and double free on\n\tinit failure","Date":"Wed, 30 Aug 2017 12:49:00 +0300","Message-Id":"<1504086545-7777-5-git-send-email-nikolay@cumulusnetworks.com>","X-Mailer":"git-send-email 2.1.4","In-Reply-To":"<1504086545-7777-1-git-send-email-nikolay@cumulusnetworks.com>","References":"<1504086545-7777-1-git-send-email-nikolay@cumulusnetworks.com>","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"Depending on where ->init fails we can get a null pointer deref due to\nuninitialized hires timer (watchdog) or a double free of the qdisc hash\nbecause it is already freed by ->destroy().\n\nFixes: 8d5537387505 (\"net/sched/hfsc: allocate tcf block for hfsc root class\")\nFixes: 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\")\nSigned-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>\n---\n net/sched/sch_hfsc.c | 10 +++-------\n 1 file changed, 3 insertions(+), 7 deletions(-)","diff":"diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c\nindex fd15200f8627..11ab8dace901 100644\n--- a/net/sched/sch_hfsc.c\n+++ b/net/sched/sch_hfsc.c\n@@ -1418,6 +1418,8 @@ hfsc_init_qdisc(struct Qdisc *sch, struct nlattr *opt)\n \tstruct tc_hfsc_qopt *qopt;\n \tint err;\n \n+\tqdisc_watchdog_init(&q->watchdog, sch);\n+\n \tif (opt == NULL || nla_len(opt) < sizeof(*qopt))\n \t\treturn -EINVAL;\n \tqopt = nla_data(opt);\n@@ -1430,7 +1432,7 @@ hfsc_init_qdisc(struct Qdisc *sch, struct nlattr *opt)\n \n \terr = tcf_block_get(&q->root.block, &q->root.filter_list);\n \tif (err)\n-\t\tgoto err_tcf;\n+\t\treturn err;\n \n \tq->root.cl_common.classid = sch->handle;\n \tq->root.refcnt  = 1;\n@@ -1448,13 +1450,7 @@ hfsc_init_qdisc(struct Qdisc *sch, struct nlattr *opt)\n \tqdisc_class_hash_insert(&q->clhash, &q->root.cl_common);\n \tqdisc_class_hash_grow(sch, &q->clhash);\n \n-\tqdisc_watchdog_init(&q->watchdog, sch);\n-\n \treturn 0;\n-\n-err_tcf:\n-\tqdisc_class_hash_destroy(&q->clhash);\n-\treturn err;\n }\n \n static int\n","prefixes":["net","4/9"]}