From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Miller <davem@davemloft.net>
Subject: Re: [net v2] sch_fq_codel: zero q->flows_cnt when fq_codel_init
 fails
Date: Thu, 12 Jul 2018 12:32:47 -0700 (PDT)
Message-ID: <20180712.123247.66068646310525490.davem@davemloft.net>
References: <20180710212227.17839-1-jacob.e.keller@intel.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, xiyou.wangcong@gmail.com,
        edumazet@google.com
To: jacob.e.keller@intel.com
Return-path: <netdev-owner@vger.kernel.org>
Received: from shards.monkeyblade.net ([23.128.96.9]:40988 "EHLO
        shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726500AbeGLTnr (ORCPT
        <rfc822;netdev@vger.kernel.org>); Thu, 12 Jul 2018 15:43:47 -0400
In-Reply-To: <20180710212227.17839-1-jacob.e.keller@intel.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

From: Jacob Keller <jacob.e.keller@intel.com>
Date: Tue, 10 Jul 2018 14:22:27 -0700

> When fq_codel_init fails, qdisc_create_dflt will cleanup by using
> qdisc_destroy. This function calls the ->reset() op prior to calling the
> ->destroy() op.
> 
> Unfortunately, during the failure flow for sch_fq_codel, the ->flows
> parameter is not initialized, so the fq_codel_reset function will null
> pointer dereference.
 ...
> This is caused because flows_cnt is non-zero, but flows hasn't been
> initialized. fq_codel_init has left the private data in a partially
> initialized state.
> 
> To fix this, reset flows_cnt to 0 when we fail to initialize.
> Additionally, to make the state more consistent, also cleanup the flows
> pointer when the allocation of backlogs fails.
> 
> This fixes the NULL pointer dereference, since both the for-loop and
> memset in fq_codel_reset will be no-ops when flow_cnt is zero.
> 
> Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>

Applied and queued up for -stable, thanks!