All of lore.kernel.org
 help / color / mirror / Atom feed
From: Vlad Buslov <vladbu@mellanox.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Linux Kernel Network Developers <netdev@vger.kernel.org>,
	David Miller <davem@davemloft.net>,
	Jamal Hadi Salim <jhs@mojatatu.com>,
	Jiri Pirko <jiri@resnulli.us>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Yevgeny Kliteynik <kliteyn@mellanox.com>
Subject: Re: [PATCH net-next v6 11/11] net: sched: change action API to use array of pointers to actions
Date: Wed, 08 Aug 2018 14:41:08 +0300	[thread overview]
Message-ID: <vbfr2j92ii3.fsf@reg-r-vrt-018-180.mtr.labs.mlnx> (raw)
In-Reply-To: <CAM_iQpWpxf=yRNadgN+q0rwhd_E0c7pAy7fG+A=asqgk9JRx0Q@mail.gmail.com>


On Tue 07 Aug 2018 at 23:26, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Thu, Jul 5, 2018 at 7:24 AM Vlad Buslov <vladbu@mellanox.com> wrote:
>>         attr_size = tcf_action_full_attrs_size(attr_size);
>>
>>         if (event == RTM_GETACTION)
>> -               ret = tcf_get_notify(net, portid, n, &actions, event, extack);
>> +               ret = tcf_get_notify(net, portid, n, actions, event, extack);
>>         else { /* delete */
>> -               ret = tcf_del_notify(net, n, &actions, portid, attr_size, extack);
>> +               ret = tcf_del_notify(net, n, actions, &acts_deleted, portid,
>> +                                    attr_size, extack);
>>                 if (ret)
>>                         goto err;
>>                 return ret;
>>         }
>>  err:
>> -       tcf_action_put_lst(&actions);
>> +       tcf_action_put_many(&actions[acts_deleted]);
>>         return ret;
>
> How does this even work?
>
> You save an index in 'acts_deleted', but you pass &actions[acts_deleted]
> to tcf_action_put_many(), which seems you want to start from
> where it fails, but inside tcf_action_put_many() it starts from 0
> to TCA_ACT_MAX_PRIO, out-of-bound access at least?

Actions array is declared to be TCA_ACT_MAX_PRIO+1 in size, and
initialized to NULL pointers. In loop inside tcf_action_put_many() there
are two checks: One is that index is less than TCA_ACT_MAX_PRIO and
another one that pointer is not NULL. In this case I rely on extra NULL
pointer at the end of actions array to prevent out-of-bound access.

  reply	other threads:[~2018-08-08 14:00 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-05 14:24 [PATCH net-next v6 00/11] Modify action API for implementing lockless actions Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 01/11] net: sched: use rcu for action cookie update Vlad Buslov
2018-07-13  3:52   ` Cong Wang
2018-07-13 13:30     ` Vlad Buslov
2018-07-13 21:51       ` Cong Wang
2018-07-13 22:11         ` David Miller
2018-07-14  0:14           ` Cong Wang
2018-07-16  8:31         ` Vlad Buslov
2018-07-17 20:46           ` Cong Wang
2018-07-05 14:24 ` [PATCH net-next v6 02/11] net: sched: change type of reference and bind counters Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 03/11] net: sched: implement unlocked action init API Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 04/11] net: sched: always take reference to action Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 05/11] net: sched: implement action API that deletes action by index Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 06/11] net: sched: add 'delete' function to action ops Vlad Buslov
2018-08-09 19:38   ` Cong Wang
2018-08-10  9:41     ` Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 07/11] net: sched: implement reference counted action release Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 08/11] net: sched: don't release reference on action overwrite Vlad Buslov
2018-08-13 23:00   ` Cong Wang
2018-08-14 17:23     ` Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 09/11] net: sched: use reference counting action init Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 10/11] net: sched: atomically check-allocate action Vlad Buslov
2018-08-08  1:20   ` Cong Wang
2018-08-08 12:06     ` Vlad Buslov
2018-08-09 23:43       ` Cong Wang
2018-08-10 10:29         ` Vlad Buslov
2018-08-10 21:45           ` Cong Wang
2018-08-13  7:55             ` Vlad Buslov
2018-07-05 14:24 ` [PATCH net-next v6 11/11] net: sched: change action API to use array of pointers to actions Vlad Buslov
2018-08-07 23:26   ` Cong Wang
2018-08-08 11:41     ` Vlad Buslov [this message]
2018-08-08 18:29       ` Cong Wang
2018-08-09  7:03         ` Vlad Buslov
2018-07-07 11:41 ` [PATCH net-next v6 00/11] Modify action API for implementing lockless actions David Miller
2018-07-08  3:43 ` David Miller
2018-07-13  3:54   ` Cong Wang
2018-07-13 13:40     ` Vlad Buslov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=vbfr2j92ii3.fsf@reg-r-vrt-018-180.mtr.labs.mlnx \
    --to=vladbu@mellanox.com \
    --cc=ast@kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=jhs@mojatatu.com \
    --cc=jiri@resnulli.us \
    --cc=kliteyn@mellanox.com \
    --cc=netdev@vger.kernel.org \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.