From: Eric Dumazet
Date: Mon, 17 Oct 2022 21:02:26 -0700
To: Zhengchao Shao
Cc: cake@lists.bufferbloat.net, netdev@vger.kernel.org, toke@toke.dk, jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, dave.taht@gmail.com, weiyongjun1@huawei.com, yuehaibing@huawei.com
Subject: Re: [Cake] [PATCH net 2/3] net: sched: fq_codel: fix null pointer access issue when fq_codel_init() fails
In-Reply-To: <20221018034718.82389-3-shaozhengchao@huawei.com>
References: <20221018034718.82389-1-shaozhengchao@huawei.com> <20221018034718.82389-3-shaozhengchao@huawei.com>
List-Id: Cake - FQ_codel the next generation

On Mon, Oct 17, 2022 at 8:39 PM Zhengchao Shao wrote:
>
> When the default qdisc is fq_codel, if the qdisc of dev_queue fails to be
> inited during mqprio_init(), fq_codel_reset() is invoked to clear
> resources. In this case, the flow is NULL, and it will cause a gpf issue.
>
> The process is as follows:
> qdisc_create_dflt()
>     fq_codel_init()
>         ...
>         q->flows_cnt = 1024;
>         ...
>         q->flows = kvcalloc(...) --->failed, q->flows is NULL
>         ...
>     ...
>     qdisc_put()
>         ...
>         fq_codel_reset()
>             ...
>             flow = q->flows + i --->q->flows is NULL
>
> The following is the Call Trace information:
> general protection fault, probably for non-canonical address
> 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> RIP: 0010:fq_codel_reset+0x14d/0x350
> Call Trace:
>
> qdisc_reset+0xed/0x6f0
> qdisc_destroy+0x82/0x4c0
> qdisc_put+0x9e/0xb0
> qdisc_create_dflt+0x2c3/0x4a0
> mqprio_init+0xa71/0x1760
> qdisc_create+0x3eb/0x1000
> tc_modify_qdisc+0x408/0x1720
> rtnetlink_rcv_msg+0x38e/0xac0
> netlink_rcv_skb+0x12d/0x3a0
> netlink_unicast+0x4a2/0x740
> netlink_sendmsg+0x826/0xcc0
> sock_sendmsg+0xc5/0x100
> ____sys_sendmsg+0x583/0x690
> ___sys_sendmsg+0xe8/0x160
> __sys_sendmsg+0xbf/0x160
> do_syscall_64+0x35/0x80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
> RIP: 0033:0x7fd272b22d04
>
>
> Fixes: 494f5063b86c ("net: sched: fq_codel: remove redundant resource cleanup in fq_codel_init()")
> Signed-off-by: Zhengchao Shao
> ---

I vote for a revert, previous code was much cleaner.
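The failure path in the quoted commit message, as an added stand-alone model that is not kernel code and not part of this thread: flows_cnt is set before the allocation, the allocation fails, the error propagates to qdisc_create_dflt(), and qdisc_put() then runs reset and destroy on the half-initialised qdisc. The structures, the model_* functions and the model_alloc_should_fail hook are all constructed for this example; the reset here skips its loop when the flows array was never allocated, so the sequence can be exercised on both the success and the failure path.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel structures (constructed for this example). */
struct fq_codel_flow {
	unsigned int qlen;           /* packets queued in this flow (always 0 here) */
};

struct fq_codel_sched_data {
	unsigned int flows_cnt;
	struct fq_codel_flow *flows; /* NULL when the allocation failed */
	unsigned int *backlogs;
};

/* Constructed allocator hook: set to 1 to force the kvcalloc() failure path. */
static int model_alloc_should_fail = 0;

static void *model_kvcalloc(size_t n, size_t size)
{
	return model_alloc_should_fail ? NULL : calloc(n, size);
}

/*
 * Models fq_codel_init() as the commit message describes it: flows_cnt is
 * assigned before the allocation, so a failed kvcalloc() leaves
 * flows_cnt == 1024 with q->flows == NULL. The error is returned to the
 * caller, which then calls qdisc_put() on the half-initialised qdisc.
 * The backlogs array is a simplification; it is not part of the quoted text.
 */
static int model_fq_codel_init(struct fq_codel_sched_data *q)
{
	q->flows_cnt = 1024;
	q->flows = NULL;
	q->backlogs = NULL;

	q->flows = model_kvcalloc(q->flows_cnt, sizeof(*q->flows));
	if (!q->flows)
		return -1;              /* -ENOMEM in the kernel */
	q->backlogs = model_kvcalloc(q->flows_cnt, sizeof(*q->backlogs));
	if (!q->backlogs)
		return -1;
	return 0;
}

/*
 * Models fq_codel_reset(). The loop in the trace computed
 * `flow = q->flows + i` for every i < flows_cnt with no check, which is the
 * null-ptr-deref KASAN reports. Here the loop is skipped when the flows
 * array was never allocated. Returns the number of flows actually reset.
 */
static unsigned int model_fq_codel_reset(struct fq_codel_sched_data *q)
{
	unsigned int i;

	if (!q->flows)
		return 0;
	for (i = 0; i < q->flows_cnt; i++) {
		struct fq_codel_flow *flow = q->flows + i;

		flow->qlen = 0;
		if (q->backlogs)
			q->backlogs[i] = 0;
	}
	return q->flows_cnt;
}

/* Models fq_codel_destroy(): kvfree() tolerates NULL, as free() does. */
static void model_fq_codel_destroy(struct fq_codel_sched_data *q)
{
	free(q->backlogs);
	free(q->flows);
	q->backlogs = NULL;
	q->flows = NULL;
}

/*
 * Models the qdisc_create_dflt() -> init -> qdisc_put() -> reset -> destroy
 * sequence from the Call Trace. The teardown runs whether or not init
 * succeeded, exactly as qdisc_put() does; the init result is returned so a
 * caller can tell which path was taken.
 */
static int model_create_and_put(int force_alloc_failure)
{
	struct fq_codel_sched_data q;
	int err;

	model_alloc_should_fail = force_alloc_failure;
	err = model_fq_codel_init(&q);
	model_fq_codel_reset(&q);
	model_fq_codel_destroy(&q);
	model_alloc_should_fail = 0;
	return err;
}
```

Running model_create_and_put(1) takes the failure path end to end without touching q->flows; removing the `if (!q->flows)` guard in model_fq_codel_reset() reproduces the loop over a NULL base pointer that the trace shows. The alternative the reply argues for, a revert so that fq_codel_init() cleans up its own partial state before returning, is not modelled here.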