From: Petr Machata <petrm@nvidia.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>, <netdev@vger.kernel.org>,
<jiri@resnulli.us>, <davem@davemloft.net>, <edumazet@google.com>,
<kuba@kernel.org>, <petrm@mellanox.com>, <security@kernel.org>,
<g1042620637@gmail.com>
Subject: Re: [PATCH net v4 1/1] net: sched: fix ets qdisc OOB Indexing
Date: Mon, 13 Jan 2025 11:21:29 +0100 [thread overview]
Message-ID: <87zfjvqa6w.fsf@nvidia.com> (raw)
In-Reply-To: <Z4RWFNIvS31kVhvA@pop-os.localdomain>
Cong Wang <xiyou.wangcong@gmail.com> writes:
> On Sat, Jan 11, 2025 at 09:57:39AM -0500, Jamal Hadi Salim wrote:
>> diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
>> index f80bc05d4c5a..516038a44163 100644
>> --- a/net/sched/sch_ets.c
>> +++ b/net/sched/sch_ets.c
>> @@ -91,6 +91,8 @@ ets_class_from_arg(struct Qdisc *sch, unsigned long arg)
>> {
>> struct ets_sched *q = qdisc_priv(sch);
>>
>> + if (arg == 0 || arg > q->nbands)
>> + return NULL;
>> return &q->classes[arg - 1];
>> }
>
> I must miss something here. Some callers of this function don't handle
> NULL at all, so are you sure it is safe to return NULL for all the
> callers here??
>
> For one quick example:
>
> 322 static int ets_class_dump_stats(struct Qdisc *sch, unsigned long arg,
> 323 struct gnet_dump *d)
> 324 {
> 325 struct ets_class *cl = ets_class_from_arg(sch, arg);
> 326 struct Qdisc *cl_q = cl->qdisc;
>
> 'cl' is not checked against NULL before dereferencing it.
>
> There are other cases too, please ensure _all_ of them handle NULL
> correctly.
Yeah, I looked through ets_class_from_arg() callers last week and I
think that besides the one call that needs patching, which already
handles NULL, in all other cases the arg passed to ets_class_from_arg()
comes from class_find, and therefore shouldn't cause the NULL return.
next prev parent reply other threads:[~2025-01-13 10:29 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-11 14:57 [PATCH net v4 1/1] net: sched: fix ets qdisc OOB Indexing Jamal Hadi Salim
2025-01-11 21:01 ` Jakub Kicinski
2025-01-11 21:17 ` Jamal Hadi Salim
2025-01-11 21:26 ` Jakub Kicinski
2025-01-12 23:53 ` Cong Wang
2025-01-13 10:21 ` Petr Machata [this message]
2025-01-13 11:47 ` Jamal Hadi Salim
2025-01-16 4:36 ` Cong Wang
2025-01-16 8:30 ` Paolo Abeni
2025-01-16 13:35 ` Jamal Hadi Salim
2025-01-22 18:40 ` Jamal Hadi Salim
2025-01-23 3:36 ` Jakub Kicinski
2025-01-23 3:40 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zfjvqa6w.fsf@nvidia.com \
--to=petrm@nvidia.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=g1042620637@gmail.com \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=petrm@mellanox.com \
--cc=security@kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.