| Message ID | 20190420000052.4242-4-andre.guedes@intel.com |
|---|---|
| State | Changes Requested |
| Delegated to: | David Miller |
| Headers | show |
| Series | Taprio qdisc fixes | expand |
On Fri, Apr 19, 2019 at 6:06 PM Andre Guedes <andre.guedes@intel.com> wrote: > > If 'entry' is NULL we WARN_ON() but dereference the pointer anyway, > generating a null pointer dereference bug. This patch fixes should_ > restart_cycle() so we return if the pointer is NULL. Hmm, while you are on it, how is it possible to have entry==NULL for should_restart_cycle(). It is only called in advance_sched() where entry is already checked against NULL right before it, so for me, entry is always NULL at the point of calling should_restart_cycle(). Am I missing anything? Thanks.
On Mon, Apr 22, 2019 at 11:04 AM Cong Wang <xiyou.wangcong@gmail.com> wrote: > > On Fri, Apr 19, 2019 at 6:06 PM Andre Guedes <andre.guedes@intel.com> wrote: > > > > If 'entry' is NULL we WARN_ON() but dereference the pointer anyway, > > generating a null pointer dereference bug. This patch fixes should_ > > restart_cycle() so we return if the pointer is NULL. > > Hmm, while you are on it, how is it possible to have entry==NULL > for should_restart_cycle(). It is only called in advance_sched() > where entry is already checked against NULL right before it, > so for me, entry is always NULL at the point of calling > should_restart_cycle(). I meant, 'entry' is always non-NULL here... I typed too fast.
> On Apr 22, 2019, at 11:07 AM, Cong Wang <xiyou.wangcong@gmail.com> wrote: > > On Mon, Apr 22, 2019 at 11:04 AM Cong Wang <xiyou.wangcong@gmail.com> wrote: >> >> On Fri, Apr 19, 2019 at 6:06 PM Andre Guedes <andre.guedes@intel.com> wrote: >>> >>> If 'entry' is NULL we WARN_ON() but dereference the pointer anyway, >>> generating a null pointer dereference bug. This patch fixes should_ >>> restart_cycle() so we return if the pointer is NULL. >> >> Hmm, while you are on it, how is it possible to have entry==NULL >> for should_restart_cycle(). It is only called in advance_sched() >> where entry is already checked against NULL right before it, >> so for me, entry is always NULL at the point of calling >> should_restart_cycle(). > > I meant, 'entry' is always non-NULL here... I typed too fast. Your assessment is correct. I believe the WARN_ON() was added as a defensive practice to prevent null pointer dereference in case someone misuse that helper in the future. - Andre
On Mon, Apr 22, 2019 at 12:24 PM Guedes, Andre <andre.guedes@intel.com> wrote: > > > > On Apr 22, 2019, at 11:07 AM, Cong Wang <xiyou.wangcong@gmail.com> wrote: > > > > On Mon, Apr 22, 2019 at 11:04 AM Cong Wang <xiyou.wangcong@gmail.com> wrote: > >> > >> On Fri, Apr 19, 2019 at 6:06 PM Andre Guedes <andre.guedes@intel.com> wrote: > >>> > >>> If 'entry' is NULL we WARN_ON() but dereference the pointer anyway, > >>> generating a null pointer dereference bug. This patch fixes should_ > >>> restart_cycle() so we return if the pointer is NULL. > >> > >> Hmm, while you are on it, how is it possible to have entry==NULL > >> for should_restart_cycle(). It is only called in advance_sched() > >> where entry is already checked against NULL right before it, > >> so for me, entry is always NULL at the point of calling > >> should_restart_cycle(). > > > > I meant, 'entry' is always non-NULL here... I typed too fast. > > Your assessment is correct. I believe the WARN_ON() was added as a defensive practice to prevent null pointer dereference in case someone misuse that helper in the future. Yeah, so we can just remove it. :)
> On Apr 22, 2019, at 12:36 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote: > > On Mon, Apr 22, 2019 at 12:24 PM Guedes, Andre <andre.guedes@intel.com> wrote: >> >> >>> On Apr 22, 2019, at 11:07 AM, Cong Wang <xiyou.wangcong@gmail.com> wrote: >>> >>> On Mon, Apr 22, 2019 at 11:04 AM Cong Wang <xiyou.wangcong@gmail.com> wrote: >>>> >>>> On Fri, Apr 19, 2019 at 6:06 PM Andre Guedes <andre.guedes@intel.com> wrote: >>>>> >>>>> If 'entry' is NULL we WARN_ON() but dereference the pointer anyway, >>>>> generating a null pointer dereference bug. This patch fixes should_ >>>>> restart_cycle() so we return if the pointer is NULL. >>>> >>>> Hmm, while you are on it, how is it possible to have entry==NULL >>>> for should_restart_cycle(). It is only called in advance_sched() >>>> where entry is already checked against NULL right before it, >>>> so for me, entry is always NULL at the point of calling >>>> should_restart_cycle(). >>> >>> I meant, 'entry' is always non-NULL here... I typed too fast. >> >> Your assessment is correct. I believe the WARN_ON() was added as a defensive practice to prevent null pointer dereference in case someone misuse that helper in the future. > > Yeah, so we can just remove it. :) Fine by me. In that case, the function should_restart_cycle() will be just a dummy wrapper on list_is_last() so we should probably get rid of it and call list_is_last() within advance_sched().
On Tue, Apr 23, 2019 at 12:21 PM Guedes, Andre <andre.guedes@intel.com> wrote: > > > > On Apr 22, 2019, at 12:36 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote: > > Yeah, so we can just remove it. :) > > Fine by me. In that case, the function should_restart_cycle() will be just a dummy wrapper on list_is_last() so we should probably get rid of it and call list_is_last() within advance_sched(). Yes, agreed. Thanks.
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index f7139e6179b6..1671510c187f 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -204,7 +204,8 @@ static struct sk_buff *taprio_dequeue(struct Qdisc *sch) static bool should_restart_cycle(const struct taprio_sched *q, const struct sched_entry *entry) { - WARN_ON(!entry); + if (WARN_ON(!entry)) + return false; return list_is_last(&entry->list, &q->entries); }
If 'entry' is NULL we WARN_ON() but dereference the pointer anyway, generating a null pointer dereference bug. This patch fixes should_ restart_cycle() so we return if the pointer is NULL. Fixes: 5a781ccbd19e (“tc: Add support for configuring the taprio scheduler”) Signed-off-by: Andre Guedes <andre.guedes@intel.com> --- net/sched/sch_taprio.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)