* [PATCH net v2] net/sched: dualpi2: initialize timer earlier in dualpi2_init()
@ 2026-05-08 17:05 Davide Caratti
2026-05-11 10:49 ` Eric Dumazet
2026-05-12 1:19 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Davide Caratti @ 2026-05-08 17:05 UTC (permalink / raw)
To: Jamal Hadi Salim, Jiri Pirko, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: netdev
'pi2_timer' needs to be initialized in all error paths of dualpi2_init():
otherwise, a failure in qdisc_create_dflt() causes the following crash in
dualpi2_destroy():
# tc qdisc add dev crash0 handle 1: root dualpi2
BUG: kernel NULL pointer dereference, address: 0000000000000010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 4 UID: 0 PID: 471 Comm: tc Tainted: G E 7.1.0-rc1-virtme #2 PREEMPT(full)
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
RIP: 0010:hrtimer_active+0x39/0x60
Code: f9 eb 23 0f b6 41 38 3c 01 0f 87 87 64 c0 ff 83 e0 01 75 33 48 39 4a 50 74 28 44 3b 42 10 75 06 48 3b 51 30 74 21 48 8b 51 30 <44> 8b 42 10 41 f6 c0 01 74 cf f3 90 44 8b 42 10 41 f6 c0 01 74 c3
RSP: 0018:ffffd0db80b93620 EFLAGS: 00010282
RAX: ffffffffc0400320 RBX: ffff8cf24a4c86b8 RCX: ffff8cf24a4c86b8
RDX: 0000000000000000 RSI: ffff8cf2429c2ab0 RDI: ffff8cf24a4c86b8
RBP: 00000000fffffff4 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000001 R11: ffff8cf24a39c500 R12: ffff8cf24822c000
R13: ffffd0db80b936c0 R14: ffffffffc02cf360 R15: 00000000ffffffff
FS: 00007fbc01706580(0000) GS:ffff8cf2dc759000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000008e02003 CR4: 0000000000172ef0
Call Trace:
<TASK>
hrtimer_cancel+0x15/0x40
dualpi2_destroy+0x20/0x40 [sch_dualpi2]
qdisc_create+0x230/0x570
tc_modify_qdisc+0x716/0xc10
rtnetlink_rcv_msg+0x188/0x780
netlink_rcv_skb+0xcd/0x150
netlink_unicast+0x1ba/0x290
netlink_sendmsg+0x242/0x4d0
____sys_sendmsg+0x39e/0x3e0
___sys_sendmsg+0xe1/0x130
__sys_sendmsg+0xad/0x110
do_syscall_64+0x14f/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc0188b08e
Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
RSP: 002b:00007fff593260e0 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbc0188b08e
RDX: 0000000000000000 RSI: 00007fff59326190 RDI: 0000000000000003
RBP: 00007fff593260f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 000055f06124f260
R13: 0000000069fca043 R14: 000055f061255640 R15: 000055f06124d3f8
</TASK>
Modules linked in: sch_dualpi2(E)
CR2: 0000000000000010
[1] https://lore.kernel.org/netdev/2e78e01c504c633ebdff18d041833cf2e079a3a4.1607020450.git.dcaratti@redhat.com/
[2] https://lore.kernel.org/netdev/20200725201707.16909-1-xiyou.wangcong@gmail.com/
v2:
- rebased on top of latest net.git
Fixes: 320d031ad6e4 ("sched: Struct definition and parsing of dualpi2 qdisc")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
net/sched/sch_dualpi2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/sched/sch_dualpi2.c b/net/sched/sch_dualpi2.c
index 241e6a46bd00..a22489c14458 100644
--- a/net/sched/sch_dualpi2.c
+++ b/net/sched/sch_dualpi2.c
@@ -938,6 +938,8 @@ static int dualpi2_init(struct Qdisc *sch, struct nlattr *opt,
int err;
sch->flags |= TCQ_F_DEQUEUE_DROPS;
+ hrtimer_setup(&q->pi2_timer, dualpi2_timer, CLOCK_MONOTONIC,
+ HRTIMER_MODE_ABS_PINNED_SOFT);
q->l_queue = qdisc_create_dflt(sch->dev_queue, &pfifo_qdisc_ops,
TC_H_MAKE(sch->handle, 1), extack);
@@ -950,8 +952,6 @@ static int dualpi2_init(struct Qdisc *sch, struct nlattr *opt,
q->sch = sch;
dualpi2_reset_default(sch);
- hrtimer_setup(&q->pi2_timer, dualpi2_timer, CLOCK_MONOTONIC,
- HRTIMER_MODE_ABS_PINNED_SOFT);
if (opt && nla_len(opt)) {
err = dualpi2_change(sch, opt, extack);
--
2.52.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net v2] net/sched: dualpi2: initialize timer earlier in dualpi2_init()
2026-05-08 17:05 [PATCH net v2] net/sched: dualpi2: initialize timer earlier in dualpi2_init() Davide Caratti
@ 2026-05-11 10:49 ` Eric Dumazet
2026-05-12 1:19 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Eric Dumazet @ 2026-05-11 10:49 UTC (permalink / raw)
To: Davide Caratti
Cc: Jamal Hadi Salim, Jiri Pirko, David S. Miller, Jakub Kicinski,
Paolo Abeni, Simon Horman, netdev
On Fri, May 8, 2026 at 10:05 AM Davide Caratti <dcaratti@redhat.com> wrote:
>
> 'pi2_timer' needs to be initialized in all error paths of dualpi2_init():
> otherwise, a failure in qdisc_create_dflt() causes the following crash in
> dualpi2_destroy():
>
> # tc qdisc add dev crash0 handle 1: root dualpi2
> BUG: kernel NULL pointer dereference, address: 0000000000000010
>
> [1] https://lore.kernel.org/netdev/2e78e01c504c633ebdff18d041833cf2e079a3a4.1607020450.git.dcaratti@redhat.com/
> [2] https://lore.kernel.org/netdev/20200725201707.16909-1-xiyou.wangcong@gmail.com/
>
> v2:
> - rebased on top of latest net.git
>
> Fixes: 320d031ad6e4 ("sched: Struct definition and parsing of dualpi2 qdisc")
> Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net v2] net/sched: dualpi2: initialize timer earlier in dualpi2_init()
2026-05-08 17:05 [PATCH net v2] net/sched: dualpi2: initialize timer earlier in dualpi2_init() Davide Caratti
2026-05-11 10:49 ` Eric Dumazet
@ 2026-05-12 1:19 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-05-12 1:19 UTC (permalink / raw)
To: Davide Caratti; +Cc: jhs, jiri, davem, edumazet, kuba, pabeni, horms, netdev
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Fri, 8 May 2026 19:05:10 +0200 you wrote:
> 'pi2_timer' needs to be initialized in all error paths of dualpi2_init():
> otherwise, a failure in qdisc_create_dflt() causes the following crash in
> dualpi2_destroy():
>
> # tc qdisc add dev crash0 handle 1: root dualpi2
> BUG: kernel NULL pointer dereference, address: 0000000000000010
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: Oops: 0000 [#1] SMP PTI
> CPU: 4 UID: 0 PID: 471 Comm: tc Tainted: G E 7.1.0-rc1-virtme #2 PREEMPT(full)
> Tainted: [E]=UNSIGNED_MODULE
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> RIP: 0010:hrtimer_active+0x39/0x60
> Code: f9 eb 23 0f b6 41 38 3c 01 0f 87 87 64 c0 ff 83 e0 01 75 33 48 39 4a 50 74 28 44 3b 42 10 75 06 48 3b 51 30 74 21 48 8b 51 30 <44> 8b 42 10 41 f6 c0 01 74 cf f3 90 44 8b 42 10 41 f6 c0 01 74 c3
> RSP: 0018:ffffd0db80b93620 EFLAGS: 00010282
> RAX: ffffffffc0400320 RBX: ffff8cf24a4c86b8 RCX: ffff8cf24a4c86b8
> RDX: 0000000000000000 RSI: ffff8cf2429c2ab0 RDI: ffff8cf24a4c86b8
> RBP: 00000000fffffff4 R08: 0000000000000003 R09: 0000000000000000
> R10: 0000000000000001 R11: ffff8cf24a39c500 R12: ffff8cf24822c000
> R13: ffffd0db80b936c0 R14: ffffffffc02cf360 R15: 00000000ffffffff
> FS: 00007fbc01706580(0000) GS:ffff8cf2dc759000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000010 CR3: 0000000008e02003 CR4: 0000000000172ef0
> Call Trace:
> <TASK>
> hrtimer_cancel+0x15/0x40
> dualpi2_destroy+0x20/0x40 [sch_dualpi2]
> qdisc_create+0x230/0x570
> tc_modify_qdisc+0x716/0xc10
> rtnetlink_rcv_msg+0x188/0x780
> netlink_rcv_skb+0xcd/0x150
> netlink_unicast+0x1ba/0x290
> netlink_sendmsg+0x242/0x4d0
> ____sys_sendmsg+0x39e/0x3e0
> ___sys_sendmsg+0xe1/0x130
> __sys_sendmsg+0xad/0x110
> do_syscall_64+0x14f/0xf80
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fbc0188b08e
> Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
> RSP: 002b:00007fff593260e0 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbc0188b08e
> RDX: 0000000000000000 RSI: 00007fff59326190 RDI: 0000000000000003
> RBP: 00007fff593260f0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000202 R12: 000055f06124f260
> R13: 0000000069fca043 R14: 000055f061255640 R15: 000055f06124d3f8
> </TASK>
> Modules linked in: sch_dualpi2(E)
> CR2: 0000000000000010
>
> [...]
Here is the summary with links:
- [net,v2] net/sched: dualpi2: initialize timer earlier in dualpi2_init()
https://git.kernel.org/netdev/net/c/f8e64e956a63
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-12 1:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-08 17:05 [PATCH net v2] net/sched: dualpi2: initialize timer earlier in dualpi2_init() Davide Caratti
2026-05-11 10:49 ` Eric Dumazet
2026-05-12 1:19 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox