[PATCH 3.10 06/29] net_sched: invoke ->attach() after setting dev->qdisc

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jamal Hadi Salim <jhs@mojatatu.com>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.10 06/29] net_sched: invoke ->attach() after setting dev->qdisc
Date: Fri, 19 Jun 2015 13:36:26 -0700	[thread overview]
Message-ID: <20150619203557.601260895@linuxfoundation.org> (raw)
In-Reply-To: <20150619203557.356558223@linuxfoundation.org>

3.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

[ Upstream commit 86e363dc3b50bfd50a1f315934583fbda673ab8d ]

For mq qdisc, we add per tx queue qdisc to root qdisc
for display purpose, however, that happens too early,
before the new dev->qdisc is finally set, this causes
q->list points to an old root qdisc which is going to be
freed right before assigning with a new one.

Fix this by moving ->attach() after setting dev->qdisc.

For the record, this fixes the following crash:

 ------------[ cut here ]------------
 WARNING: CPU: 1 PID: 975 at lib/list_debug.c:59 __list_del_entry+0x5a/0x98()
 list_del corruption. prev->next should be ffff8800d1998ae8, but was 6b6b6b6b6b6b6b6b
 CPU: 1 PID: 975 Comm: tc Not tainted 4.1.0-rc4+ #1019
 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
  0000000000000009 ffff8800d73fb928 ffffffff81a44e7f 0000000047574756
  ffff8800d73fb978 ffff8800d73fb968 ffffffff810790da ffff8800cfc4cd20
  ffffffff814e725b ffff8800d1998ae8 ffffffff82381250 0000000000000000
 Call Trace:
  [<ffffffff81a44e7f>] dump_stack+0x4c/0x65
  [<ffffffff810790da>] warn_slowpath_common+0x9c/0xb6
  [<ffffffff814e725b>] ? __list_del_entry+0x5a/0x98
  [<ffffffff81079162>] warn_slowpath_fmt+0x46/0x48
  [<ffffffff81820eb0>] ? dev_graft_qdisc+0x5e/0x6a
  [<ffffffff814e725b>] __list_del_entry+0x5a/0x98
  [<ffffffff814e72a7>] list_del+0xe/0x2d
  [<ffffffff81822f05>] qdisc_list_del+0x1e/0x20
  [<ffffffff81820cd1>] qdisc_destroy+0x30/0xd6
  [<ffffffff81822676>] qdisc_graft+0x11d/0x243
  [<ffffffff818233c1>] tc_get_qdisc+0x1a6/0x1d4
  [<ffffffff810b5eaf>] ? mark_lock+0x2e/0x226
  [<ffffffff817ff8f5>] rtnetlink_rcv_msg+0x181/0x194
  [<ffffffff817ff72e>] ? rtnl_lock+0x17/0x19
  [<ffffffff817ff72e>] ? rtnl_lock+0x17/0x19
  [<ffffffff817ff774>] ? __rtnl_unlock+0x17/0x17
  [<ffffffff81855dc6>] netlink_rcv_skb+0x4d/0x93
  [<ffffffff817ff756>] rtnetlink_rcv+0x26/0x2d
  [<ffffffff818544b2>] netlink_unicast+0xcb/0x150
  [<ffffffff81161db9>] ? might_fault+0x59/0xa9
  [<ffffffff81854f78>] netlink_sendmsg+0x4fa/0x51c
  [<ffffffff817d6e09>] sock_sendmsg_nosec+0x12/0x1d
  [<ffffffff817d8967>] sock_sendmsg+0x29/0x2e
  [<ffffffff817d8cf3>] ___sys_sendmsg+0x1b4/0x23a
  [<ffffffff8100a1b8>] ? native_sched_clock+0x35/0x37
  [<ffffffff810a1d83>] ? sched_clock_local+0x12/0x72
  [<ffffffff810a1fd4>] ? sched_clock_cpu+0x9e/0xb7
  [<ffffffff810def2a>] ? current_kernel_time+0xe/0x32
  [<ffffffff810b4bc5>] ? lock_release_holdtime.part.29+0x71/0x7f
  [<ffffffff810ddebf>] ? read_seqcount_begin.constprop.27+0x5f/0x76
  [<ffffffff810b6292>] ? trace_hardirqs_on_caller+0x17d/0x199
  [<ffffffff811b14d5>] ? __fget_light+0x50/0x78
  [<ffffffff817d9808>] __sys_sendmsg+0x42/0x60
  [<ffffffff817d9838>] SyS_sendmsg+0x12/0x1c
  [<ffffffff81a50e97>] system_call_fastpath+0x12/0x6f
 ---[ end trace ef29d3fb28e97ae7 ]---

For long term, we probably need to clean up the qdisc_graft() code
in case it hides other bugs like this.

Fixes: 95dc19299f74 ("pkt_sched: give visibility to mq slave qdiscs")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/sch_api.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -752,10 +752,8 @@ static int qdisc_graft(struct net_device
 		if (dev->flags & IFF_UP)
 			dev_deactivate(dev);
 
-		if (new && new->ops->attach) {
-			new->ops->attach(new);
-			num_q = 0;
-		}
+		if (new && new->ops->attach)
+			goto skip;
 
 		for (i = 0; i < num_q; i++) {
 			struct netdev_queue *dev_queue = dev_ingress_queue(dev);
@@ -771,12 +769,16 @@ static int qdisc_graft(struct net_device
 				qdisc_destroy(old);
 		}
 
+skip:
 		if (!ingress) {
 			notify_and_destroy(net, skb, n, classid,
 					   dev->qdisc, new);
 			if (new && !new->ops->attach)
 				atomic_inc(&new->refcnt);
 			dev->qdisc = new ? : &noop_qdisc;
+
+			if (new && new->ops->attach)
+				new->ops->attach(new);
 		} else {
 			notify_and_destroy(net, skb, n, classid, old, new);
 		}


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
Please read the FAQ at  http://www.tux.org/lkml/

next prev parent reply	other threads:[~2015-06-19 20:36 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-06-19 20:36 [PATCH 3.10 00/29] 3.10.81-stable review Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 01/29] net: phy: Allow EEE for all RGMII variants Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 02/29] ipv4: Avoid crashing in ip_error Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 03/29] bridge: fix parsing of MLDv2 reports Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 04/29] net: dp83640: fix broken calibration routine Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 05/29] unix/caif: sk_socket can disappear when state is unlocked Greg Kroah-Hartman
2015-06-19 20:36 ` Greg Kroah-Hartman [this message]
2015-06-19 20:36 ` [PATCH 3.10 07/29] udp: fix behavior of wrong checksums Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 08/29] xen: netback: read hotplug script once at start of day Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 09/29] iio: adis16400: Report pressure channel scale Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 10/29] iio: adis16400: Use != channel indices for the two voltage channels Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 11/29] iio: adis16400: Compute the scan mask from channel indices Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 12/29] ALSA: hda/realtek - Add a fixup for another Acer Aspire 9420 Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 13/29] ALSA: usb-audio: Add mic volume fix quirk for Logitech Quickcam Fusion Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 14/29] ALSA: usb-audio: add MAYA44 USB+ mixer control names Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 16/29] block: fix ext_dev_lock lockdep report Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 17/29] USB: cp210x: add ID for HubZ dual ZigBee and Z-Wave dongle Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 18/29] USB: serial: ftdi_sio: Add support for a Motion Tracker Development Board Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 19/29] ring-buffer-benchmark: Fix the wrong sched_priority of producer Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 20/29] MIPS: Fix enabling of DEBUG_STACKOVERFLOW Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 21/29] ozwpan: Use proper check to prevent heap overflow Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 22/29] ozwpan: divide-by-zero leading to panic Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 23/29] ozwpan: unchecked signed subtraction leads to DoS Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 24/29] pata_octeon_cf: fix broken build Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 26/29] mm/memory_hotplug.c: set zone->wait_table to null after freeing it Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 27/29] cfg80211: wext: clear sinfo struct before calling driver Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 28/29] btrfs: incorrect handling for fiemap_fill_next_extent return Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 29/29] btrfs: cleanup orphans while looking up default subvolume Greg Kroah-Hartman
2015-06-20  1:13 ` [PATCH 3.10 00/29] 3.10.81-stable review Shuah Khan
2015-06-20  1:25 ` Guenter Roeck
2015-06-20  7:50 ` Sudip Mukherjee

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150619203557.601260895@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=jhs@mojatatu.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).