From: Eric Dumazet
Date: Fri, 10 Jun 2022 01:40:06 -0700
Subject: Re: [PATCH] net: sched: fix potential null pointer deref
To: Jianhao Xu
Cc: Daniel Borkmann, jhs, xiyou.wangcong, jiri, davem, kuba, pabeni, netdev, linux-kernel

On Fri, Jun 10, 2022 at 1:09 AM Jianhao Xu wrote:
>
> Hi,
>
> TBH, we do not have a reproducer. This is found by our static analysis tool. We cannot see any clue in the context here of mq_queue_get() to ensure it never returns NULL.
>

All netdev devices have their dev->_tx allocated in netif_alloc_netdev_queues().

There is absolutely no way MQ qdisc could be attached to a device that
has failed the netif_alloc_netdev_queues() step.

> I would appreciate it if you could tell me why when you found out it was our false positive. It will be helpful for us to improve our tool.

Please do not send patches before you can provide a detailed explanation
of a real bug.

If you need help, post instead an [RFC] with a message explaining how far
you went into your analysis.

A patch should be sent only once you are absolutely sure that there is
a real bug to fix.

Thank you.

>
> Thanks.
> ------------------ Original ------------------
> From: "Daniel Borkmann";
> Date: Fri, Jun 10, 2022 09:14 AM
> To: "Jianhao Xu"; "jhs"; "xiyou.wangcong"; "jiri"; "davem"; "edumazet"; "kuba"; "pabeni";
> Cc: "netdev"; "linux-kernel";
> Subject: Re: [PATCH] net: sched: fix potential null pointer deref
>
> Hi Jianhao,
>
> On 6/10/22 4:14 AM, Jianhao Xu wrote:
> > mq_queue_get() may return NULL, a check is needed to avoid using
> > the NULL pointer.
> >
> > Signed-off-by: Jianhao Xu
>
> Do you have a reproducer where this is triggered?
>
> > ---
> > net/sched/sch_mq.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c
> > index 83d2e54bf303..9aca4ca82947 100644
> > --- a/net/sched/sch_mq.c
> > +++ b/net/sched/sch_mq.c
> > @@ -201,6 +201,8 @@ static int mq_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new,
> > static struct Qdisc *mq_leaf(struct Qdisc *sch, unsigned long cl)
> > {
> > struct netdev_queue *dev_queue = mq_queue_get(sch, cl);
> > + if (!dev_queue)
> > +return NULL;
> >
> > return dev_queue->qdisc_sleeping;
> > }
> > @@ -218,6 +220,8 @@ static int mq_dump_class(struct Qdisc *sch, unsigned long cl,
> > struct sk_buff *skb, struct tcmsg *tcm)
> > {
> > struct netdev_queue *dev_queue = mq_queue_get(sch, cl);
> > + if (!dev_queue)
> > +return -1;
> >
> > tcm->tcm_parent = TC_H_ROOT;
> > tcm->tcm_handle |= TC_H_MIN(cl);
> > @@ -229,6 +233,8 @@ static int mq_dump_class_stats(struct Qdisc *sch, unsigned long cl,
> > struct gnet_dump *d)
> > {
> > struct netdev_queue *dev_queue = mq_queue_get(sch, cl);
> > + if (!dev_queue)
> > +return -1;
> >
> > sch = dev_queue->qdisc_sleeping;
> > if (gnet_stats_copy_basic(d, sch->cpu_bstats, &sch->bstats, true) < 0 ||
> >
>
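Review bot: In the first hunk (mq_leaf), the new `if (!dev_queue) return NULL;` guards a condition the commit message never shows to be reachable: the only justification is "mq_queue_get() may return NULL", with no call path, while the reply above states that every netdev has dev->_tx allocated in netif_alloc_netdev_queues() before an mq qdisc can be attached. Either the commit message cites the concrete path by which mq_queue_get(sch, cl) yields NULL for an attached mq qdisc, or this hunk is dead code that hides a broken invariant instead of reporting it and should be dropped.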
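Review bot: In the second hunk (mq_dump_class), style: the new `if (!dev_queue)` is placed directly after the `struct netdev_queue *dev_queue = mq_queue_get(sch, cl);` declaration with no blank line, which checkpatch reports as a missing blank line after declarations; the other two hunks have the same layout. On behaviour, returning -1 here turns a supposedly impossible state into a silently truncated class dump, which is harder to diagnose than the oops the patch is meant to avoid; if the condition is believed real, pairing the early return with WARN_ON_ONCE() would at least make it visible.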
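Review bot: In the third hunk (mq_dump_class_stats), the -1 return at least matches the value the existing `gnet_stats_copy_basic(...) < 0 ||` error path below already uses, so the convention is consistent; the remaining problem is that this is the third copy of the same guard with no shared explanation. The commit message should state where `cl` comes from in these dump callbacks and why the class-id validation feeding them could let a NULL through, or, as suggested in the reply above, the change should be reposted as an [RFC] describing the analysis instead of as a fix.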