From: Davide Caratti <dcaratti@redhat.com>
To: Jeff Kirsher <jeffrey.t.kirsher@intel.com>, davem@davemloft.net
Cc: Jesus Sanchez-Palencia <jesus.sanchez-palencia@intel.com>,
netdev@vger.kernel.org, nhorman@redhat.com, sassmann@redhat.com,
jogreene@redhat.com, Ivan Vecera <ivecera@redhat.com>
Subject: Re: [net-next 1/7] net/sched: Check for null dev_queue on create flow
Date: Fri, 27 Oct 2017 12:23:08 +0200
Message-ID: <1509099788.2880.52.camel@redhat.com>
In-Reply-To: <20171026171714.45087-2-jeffrey.t.kirsher@intel.com>
On Thu, 2017-10-26 at 10:17 -0700, Jeff Kirsher wrote:
> From: Jesus Sanchez-Palencia <jesus.sanchez-palencia@intel.com>
>
> In qdisc_alloc() the dev_queue pointer was used without any checks
> being performed. If qdisc_create() gets a null dev_queue pointer, it
> just passes it along to qdisc_alloc(), leading to a crash. That
> happens if a root qdisc implements select_queue() and returns a null
> dev_queue pointer for an "invalid handle", for example, or if the
> dev_queue associated with the parent qdisc is null.
>
> This patch is in preparation for the next in this series, where
> select_queue() is being added to mqprio and as it may return a null
> dev_queue.
>
> Signed-off-by: Jesus Sanchez-Palencia <jesus.sanchez-palencia@intel.com>
> Tested-by: Henrik Austad <henrik@austad.us>
> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
> ---
> net/sched/sch_generic.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
hello,
I didn't notice this when I posted
https://www.spinics.net/lists/netdev/msg462986.html , about one hour later,
targeting Dave's net tree. I saw
similar issues, but in my setup dev_queue was a valid pointer, and dev was
NULL. This made qdisc_alloc() dereference NULL, when accessing dev->
members in the function body before returning the newly allocated qdisc.
So, in my understanding both tests are necessary, but a (very trivial)
conflict will be generated when these two commits will be eventually
merged together.
I like this suggestion from Ivan:
-- >8 --
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index bf8c81e07c70..6bd1ae993326 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -603,8 +603,14 @@ struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
struct Qdisc *sch;
unsigned int size = QDISC_ALIGN(sizeof(*sch)) + ops->priv_size;
int err = -ENOBUFS;
- struct net_device *dev = dev_queue->dev;
+ struct net_device *dev;
+
+ if (!dev_queue || !dev_queue->dev) {
+ err = !dev_queue ? -EINVAL : -ENOENT;
+ goto errout;
+ }
+ dev = dev_queue->dev;
p = kzalloc_node(size, GFP_KERNEL,
netdev_queue_numa_node_read(dev_queue));
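Review bot: on the new early exit (`goto errout;`), `dev` is still unassigned, and the `errout` label lies outside this hunk's context, so it is worth confirming that the label only returns `err` and never reads `dev`. The errno choice is also undocumented: `err = !dev_queue ? -EINVAL : -ENOENT;` re-tests `dev_queue` inside a branch that has already tested it, and nothing in the hunk says why a queue without a device maps to -ENOENT rather than -EINVAL. Two separate `if` checks, each setting its own `err` with a short comment, would read more plainly and make the distinction between the two failure cases explicit for callers.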
-- 8< --
and I volunteer for sending a v2 of 'net/sched: fix NULL pointer
dereference in qdisc_alloc()' including this, targeting 'net' tree, with
an appropriate tag. WDYT?
regards,
--
davide
Thread overview: 11+ messages
2017-10-26 17:17 [net-next 0/7][pull request] 1GbE Intel Wired LAN Driver Updates 2017-10-26 Jeff Kirsher
2017-10-26 17:17 ` [net-next 1/7] net/sched: Check for null dev_queue on create flow Jeff Kirsher
2017-10-27 10:23 ` Davide Caratti [this message]
2017-10-27 15:28 ` Jesus Sanchez-Palencia
2017-10-26 17:17 ` [net-next 2/7] net/sched: Change behavior of mq select_queue() Jeff Kirsher
2017-10-26 17:17 ` [net-next 3/7] net/sched: Add select_queue() class_ops for mqprio Jeff Kirsher
2017-10-26 17:17 ` [net-next 4/7] net/sched: Introduce Credit Based Shaper (CBS) qdisc Jeff Kirsher
2017-10-26 17:17 ` [net-next 5/7] net/sched: Add support for HW offloading for CBS Jeff Kirsher
2017-10-26 17:17 ` [net-next 6/7] net/sched/sch_cbs: Fix compilation on 32bit architectures Jeff Kirsher
2017-10-26 17:17 ` [net-next 7/7] igb: Add support for CBS offload Jeff Kirsher
2017-10-27 15:15 ` [net-next 0/7][pull request] 1GbE Intel Wired LAN Driver Updates 2017-10-26 David Miller