From: Cong Wang <xiyou.wangcong@gmail.com>
To: Vlad Buslov <vladbu@mellanox.com>
Cc: Linux Kernel Network Developers <netdev@vger.kernel.org>,
David Miller <davem@davemloft.net>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Jiri Pirko <jiri@resnulli.us>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Yevgeny Kliteynik <kliteyn@mellanox.com>
Subject: Re: [PATCH net-next v6 11/11] net: sched: change action API to use array of pointers to actions
Date: Wed, 8 Aug 2018 11:29:40 -0700 [thread overview]
Message-ID: <CAM_iQpW9_hh8XJOJsMESbOKdGU_qAZ-tQw9n_HrdXTFLTDUCDg@mail.gmail.com> (raw)
In-Reply-To: <vbfr2j92ii3.fsf@reg-r-vrt-018-180.mtr.labs.mlnx>
On Wed, Aug 8, 2018 at 4:41 AM Vlad Buslov <vladbu@mellanox.com> wrote:
>
>
> On Tue 07 Aug 2018 at 23:26, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> > On Thu, Jul 5, 2018 at 7:24 AM Vlad Buslov <vladbu@mellanox.com> wrote:
> >> attr_size = tcf_action_full_attrs_size(attr_size);
> >>
> >> if (event == RTM_GETACTION)
> >> - ret = tcf_get_notify(net, portid, n, &actions, event, extack);
> >> + ret = tcf_get_notify(net, portid, n, actions, event, extack);
> >> else { /* delete */
> >> - ret = tcf_del_notify(net, n, &actions, portid, attr_size, extack);
> >> + ret = tcf_del_notify(net, n, actions, &acts_deleted, portid,
> >> + attr_size, extack);
> >> if (ret)
> >> goto err;
> >> return ret;
> >> }
> >> err:
> >> - tcf_action_put_lst(&actions);
> >> + tcf_action_put_many(&actions[acts_deleted]);
> >> return ret;
> >
> > How does this even work?
> >
> > You save an index in 'acts_deleted', but you pass &actions[acts_deleted]
> > to tcf_action_put_many(), which seems you want to start from
> > where it fails, but inside tcf_action_put_many() it starts from 0
> > to TCA_ACT_MAX_PRIO, out-of-bound access at least?
>
> Actions array is declared to be TCA_ACT_MAX_PRIO+1 in size, and
Declaration doesn't matter at all, functions see it as a pure pointer
once you pass it as an argument.
> initialized to NULL pointers. In loop inside tcf_action_put_many() there
> are two checks: One is that index is less than TCA_ACT_MAX_PRIO and
> another one that pointer is not NULL. In this case I rely on extra NULL
> pointer at the end of actions array to prevent out-of-bound access.
True, but you pass &actions[acts_deleted] as the start of the array,
so inside it would be:
&actions[acts_deleted][0]...&actions[acts_deleted][MAX_PRIO]
So, the overall of the result is:
actions[acts_deleted]...actions[acts_deleted + MAX_PRIO]
You have out-of-bound access when acts_deleted > 1.
And if acts_deleted == MAX_PRIO-1, then you don't have any
NULL pointer to rely on.
next prev parent reply other threads:[~2018-08-08 20:47 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-05 14:24 [PATCH net-next v6 00/11] Modify action API for implementing lockless actions Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 01/11] net: sched: use rcu for action cookie update Vlad Buslov
2018-07-13 3:52 ` Cong Wang
2018-07-13 13:30 ` Vlad Buslov
2018-07-13 21:51 ` Cong Wang
2018-07-13 22:11 ` David Miller
2018-07-14 0:14 ` Cong Wang
2018-07-16 8:31 ` Vlad Buslov
2018-07-17 20:46 ` Cong Wang
2018-07-05 14:24 ` [PATCH net-next v6 02/11] net: sched: change type of reference and bind counters Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 03/11] net: sched: implement unlocked action init API Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 04/11] net: sched: always take reference to action Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 05/11] net: sched: implement action API that deletes action by index Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 06/11] net: sched: add 'delete' function to action ops Vlad Buslov
2018-08-09 19:38 ` Cong Wang
2018-08-10 9:41 ` Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 07/11] net: sched: implement reference counted action release Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 08/11] net: sched: don't release reference on action overwrite Vlad Buslov
2018-08-13 23:00 ` Cong Wang
2018-08-14 17:23 ` Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 09/11] net: sched: use reference counting action init Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 10/11] net: sched: atomically check-allocate action Vlad Buslov
2018-08-08 1:20 ` Cong Wang
2018-08-08 12:06 ` Vlad Buslov
2018-08-09 23:43 ` Cong Wang
2018-08-10 10:29 ` Vlad Buslov
2018-08-10 21:45 ` Cong Wang
2018-08-13 7:55 ` Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 11/11] net: sched: change action API to use array of pointers to actions Vlad Buslov
2018-08-07 23:26 ` Cong Wang
2018-08-08 11:41 ` Vlad Buslov
2018-08-08 18:29 ` Cong Wang [this message]
2018-08-09 7:03 ` Vlad Buslov
2018-07-07 11:41 ` [PATCH net-next v6 00/11] Modify action API for implementing lockless actions David Miller
2018-07-08 3:43 ` David Miller
2018-07-13 3:54 ` Cong Wang
2018-07-13 13:40 ` Vlad Buslov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAM_iQpW9_hh8XJOJsMESbOKdGU_qAZ-tQw9n_HrdXTFLTDUCDg@mail.gmail.com \
--to=xiyou.wangcong@gmail.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kliteyn@mellanox.com \
--cc=netdev@vger.kernel.org \
--cc=vladbu@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).