{"id":2222213,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2222213/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-um/patch/20260410203028.3717914-1-michael.bommarito@gmail.com/","project":{"id":60,"url":"http://patchwork.ozlabs.org/api/1.1/projects/60/?format=json","name":"User-mode Linux Development","link_name":"linux-um","list_id":"linux-um.lists.infradead.org","list_email":"linux-um@lists.infradead.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260410203028.3717914-1-michael.bommarito@gmail.com>","date":"2026-04-10T20:30:28","name":"um: vector: fix NULL pointer derefs in queue-less transports","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"dc1b4d165de99b62268e4bc4ea9a9c9240d8e47f","submitter":{"id":93078,"url":"http://patchwork.ozlabs.org/api/1.1/people/93078/?format=json","name":"Michael Bommarito","email":"michael.bommarito@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-um/patch/20260410203028.3717914-1-michael.bommarito@gmail.com/mbox/","series":[{"id":499504,"url":"http://patchwork.ozlabs.org/api/1.1/series/499504/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-um/list/?series=499504","date":"2026-04-10T20:30:28","name":"um: vector: fix NULL pointer derefs in queue-less transports","version":1,"mbox":"http://patchwork.ozlabs.org/series/499504/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222213/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2222213/checks/","tags":{},"headers":{"Return-Path":"\n <linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=OSogIb/0;\n\tdkim=pass (2048-bit 
key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=XrM46eS2;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fspNS5T8pz1yGS\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 11 Apr 2026 06:30:56 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wBIV6-0000000ClwZ-3hwu;\n\tFri, 10 Apr 2026 20:30:48 +0000","from mail-qv1-xf2e.google.com ([2607:f8b0:4864:20::f2e])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wBIV4-0000000Clw3-1Iq5\n\tfor linux-um@lists.infradead.org;\n\tFri, 10 Apr 2026 20:30:47 +0000","by mail-qv1-xf2e.google.com with SMTP id\n 6a1803df08f44-8a1e1817db6so20422086d6.2\n        for <linux-um@lists.infradead.org>;\n Fri, 10 Apr 2026 13:30:45 -0700 (PDT)","from workstation1 (c-68-48-65-54.hsd1.mi.comcast.net. 
[68.48.65.54])\n        by smtp.gmail.com with ESMTPSA id\n 6a1803df08f44-8ac84c9c37csm30845756d6.36.2026.04.10.13.30.43\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Fri, 10 Apr 2026 13:30:43 -0700 (PDT)"],"X-Received":"by 2002:a05:6214:4706:b0:8a0:a3fb:862c with SMTP id\n 6a1803df08f44-8ac86162c8amr60783576d6.8.1775853044441;\n        Fri, 10 Apr 2026 13:30:44 -0700 (PDT)","From":"Michael Bommarito <michael.bommarito@gmail.com>","To":"richard@nod.at,\n\tanton.ivanov@cambridgegreys.com,\n\tjohannes@sipsolutions.net","Cc":"linux-um@lists.infradead.org,\n\tlinux-kernel@vger.kernel.org,\n\tstable@vger.kernel.org,\n\tMichael Bommarito <michael.bommarito@gmail.com>","Subject":"[PATCH] um: vector: fix NULL pointer derefs in queue-less transports","Date":"Fri, 10 Apr 2026 16:30:28 
-0400","Message-ID":"<20260410203028.3717914-1-michael.bommarito@gmail.com>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260410_133046_361556_7695711E ","X-CRM114-Status":"GOOD (  14.20  )","X-Spam-Score":"-2.1 (--)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam.  The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  TAP transport sets neither VECTOR_RX nor VECTOR_TX,\n so vector_net_open()\n    never allocates rx_queue or tx_queue. HYBRID sets VECTOR_RX but not\n VECTOR_TX,\n    so tx_queue is NULL there too. vector_reset_stats(), vector_poll(),\n vector_get_ethtool_stats(),\n    and vector_get_ringparam() unconditionally deref these queue pointers,\n causing\n    a NULL pointer crash on SMP or with any lock debugging o [...]\n Content analysis details:   (-2.1 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no\n                             trust\n                             [2607:f8b0:4864:20:0:0:0:f2e listed in]\n                             [list.dnswl.org]\n -0.0 SPF_PASS               SPF: sender matches SPF record\n  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\n                             envelope-from domain\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\n author's\n               
              domain\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n                             [score: 0.0000]\n  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail\n provider\n                             [michael.bommarito(at)gmail.com]","X-BeenThere":"linux-um@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"<linux-um.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/linux-um>,\n <mailto:linux-um-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/linux-um/>","List-Post":"<mailto:linux-um@lists.infradead.org>","List-Help":"<mailto:linux-um-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/linux-um>,\n <mailto:linux-um-request@lists.infradead.org?subject=subscribe>","Sender":"\"linux-um\" <linux-um-bounces@lists.infradead.org>","Errors-To":"linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"TAP transport sets neither VECTOR_RX nor VECTOR_TX, so\nvector_net_open() never allocates rx_queue or tx_queue.  HYBRID sets\nVECTOR_RX but not VECTOR_TX, so tx_queue is NULL there too.\n\nvector_reset_stats(), vector_poll(), vector_get_ethtool_stats(), and\nvector_get_ringparam() unconditionally deref these queue pointers,\ncausing a NULL pointer crash on SMP or with any lock debugging option.\n\nGuard all queue pointer accesses with NULL checks.\n\nFixes: 49da7e64f33e (\"High Performance UML Vector Network Driver\")\nCc: stable@vger.kernel.org\nCc: Anton Ivanov <anton.ivanov@cambridgegreys.com>\nAssisted-by: Claude:claude-opus-4-6\nAssisted-by: Codex:gpt-5-4\nSigned-off-by: Michael Bommarito <michael.bommarito@gmail.com>\n---\nFound while enabling KCOV and lockdep on UML for a network-stack\ntest lab.  
Tested boot with SMP=y + PROVE_LOCKING + DEBUG_SPINLOCK +\nDEBUG_LOCK_ALLOC + LOCKDEP + KCOV, all with vec0:transport=tap.\n\nWithout the fix, the same config panics at addr 0x18 (SMP, no debug),\n0x1c (DEBUG_SPINLOCK), or 0x30 (lockdep) -- all offsets into a NULL\nvector_queue pointer.\n\n arch/um/drivers/vector_kern.c | 48 +++++++++++++++++------------------\n 1 file changed, 24 insertions(+), 24 deletions(-)","diff":"diff --git a/arch/um/drivers/vector_kern.c b/arch/um/drivers/vector_kern.c\nindex 2cc90055499a5..6134c376e57be 100644\n--- a/arch/um/drivers/vector_kern.c\n+++ b/arch/um/drivers/vector_kern.c\n@@ -105,25 +105,18 @@ static const struct {\n \n static void vector_reset_stats(struct vector_private *vp)\n {\n-\t/* We reuse the existing queue locks for stats */\n-\n-\t/* RX stats are modified with RX head_lock held\n-\t * in vector_poll.\n-\t */\n-\n-\tspin_lock(&vp->rx_queue->head_lock);\n+\tif (vp->rx_queue)\n+\t\tspin_lock(&vp->rx_queue->head_lock);\n \tvp->estats.rx_queue_max = 0;\n \tvp->estats.rx_queue_running_average = 0;\n \tvp->estats.rx_encaps_errors = 0;\n \tvp->estats.sg_ok = 0;\n \tvp->estats.sg_linearized = 0;\n-\tspin_unlock(&vp->rx_queue->head_lock);\n-\n-\t/* TX stats are modified with TX head_lock held\n-\t * in vector_send.\n-\t */\n+\tif (vp->rx_queue)\n+\t\tspin_unlock(&vp->rx_queue->head_lock);\n \n-\tspin_lock(&vp->tx_queue->head_lock);\n+\tif (vp->tx_queue)\n+\t\tspin_lock(&vp->tx_queue->head_lock);\n \tvp->estats.tx_timeout_count = 0;\n \tvp->estats.tx_restart_queue = 0;\n \tvp->estats.tx_kicks = 0;\n@@ -131,7 +124,8 @@ static void vector_reset_stats(struct vector_private *vp)\n \tvp->estats.tx_flow_control_xoff = 0;\n \tvp->estats.tx_queue_max = 0;\n \tvp->estats.tx_queue_running_average = 0;\n-\tspin_unlock(&vp->tx_queue->head_lock);\n+\tif (vp->tx_queue)\n+\t\tspin_unlock(&vp->tx_queue->head_lock);\n }\n \n static int get_mtu(struct arglist *def)\n@@ -1163,7 +1157,8 @@ static int vector_poll(struct napi_struct *napi, int 
budget)\n \n \tif ((vp->options & VECTOR_TX) != 0)\n \t\ttx_enqueued = (vector_send(vp->tx_queue) > 0);\n-\tspin_lock(&vp->rx_queue->head_lock);\n+\tif (vp->rx_queue)\n+\t\tspin_lock(&vp->rx_queue->head_lock);\n \tif ((vp->options & VECTOR_RX) > 0)\n \t\terr = vector_mmsg_rx(vp, budget);\n \telse {\n@@ -1171,7 +1166,8 @@ static int vector_poll(struct napi_struct *napi, int budget)\n \t\tif (err > 0)\n \t\t\terr = 1;\n \t}\n-\tspin_unlock(&vp->rx_queue->head_lock);\n+\tif (vp->rx_queue)\n+\t\tspin_unlock(&vp->rx_queue->head_lock);\n \tif (err > 0)\n \t\twork_done += err;\n \n@@ -1421,10 +1417,10 @@ static void vector_get_ringparam(struct net_device *netdev,\n {\n \tstruct vector_private *vp = netdev_priv(netdev);\n \n-\tring->rx_max_pending = vp->rx_queue->max_depth;\n-\tring->tx_max_pending = vp->tx_queue->max_depth;\n-\tring->rx_pending = vp->rx_queue->max_depth;\n-\tring->tx_pending = vp->tx_queue->max_depth;\n+\tring->rx_max_pending = vp->rx_queue ? vp->rx_queue->max_depth : 0;\n+\tring->tx_max_pending = vp->tx_queue ? vp->tx_queue->max_depth : 0;\n+\tring->rx_pending = ring->rx_max_pending;\n+\tring->tx_pending = ring->tx_max_pending;\n }\n \n static void vector_get_strings(struct net_device *dev, u32 stringset, u8 *buf)\n@@ -1466,11 +1462,15 @@ static void vector_get_ethtool_stats(struct net_device *dev,\n \t * to date.\n \t */\n \n-\tspin_lock(&vp->tx_queue->head_lock);\n-\tspin_lock(&vp->rx_queue->head_lock);\n+\tif (vp->tx_queue)\n+\t\tspin_lock(&vp->tx_queue->head_lock);\n+\tif (vp->rx_queue)\n+\t\tspin_lock(&vp->rx_queue->head_lock);\n \tmemcpy(tmp_stats, &vp->estats, sizeof(struct vector_estats));\n-\tspin_unlock(&vp->rx_queue->head_lock);\n-\tspin_unlock(&vp->tx_queue->head_lock);\n+\tif (vp->rx_queue)\n+\t\tspin_unlock(&vp->rx_queue->head_lock);\n+\tif (vp->tx_queue)\n+\t\tspin_unlock(&vp->tx_queue->head_lock);\n }\n \n static int vector_get_coalesce(struct net_device *netdev,\n","prefixes":[]}
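Review bot: In the first vector_reset_stats() hunk, the comments that document the locking rule ("We reuse the existing queue locks for stats", "RX stats are modified with RX head_lock held in vector_poll", and the TX counterpart) are deleted together with the unconditional spin_lock() calls, although the rule still applies whenever the queue exists. Keep those comments, and add a line stating that for a transport with no rx_queue or tx_queue the estats fields are cleared with no lock held and why that is safe, since the commit message only addresses the NULL dereference.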
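Review bot: In the vector_poll() hunks, the new `if (vp->rx_queue)` guard on spin_lock() and spin_unlock() tests a different condition from the `(vp->options & VECTOR_RX) > 0` check that selects vector_mmsg_rx() directly below it, so the reader must rely on the commit message to know the two agree. Taking head_lock inside the VECTOR_RX branch, around vector_mmsg_rx() only, would make the lock/unlock pairing unconditional and easier to verify; if the else path is meant to stay serialised when rx_queue is NULL, that should be said in a comment.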
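Review bot: In the vector_get_ethtool_stats() hunk, the four `if (vp->..._queue)` lines repeat the conditional-lock pattern already added in vector_reset_stats() and vector_poll(), and the tx-then-rx acquisition with reverse release now has to be kept correct by hand at each site. A pair of small helpers that take and drop the stats locks for a vector_private would keep the ordering in one place. With both queues NULL the memcpy() of vp->estats into tmp_stats also runs with no lock held, which deserves a comment at this call site.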