linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v3] net: sched: Fix a possible null-pointer dereference in dequeue_func()
@ 2019-07-29  8:24 Jia-Ju Bai
  2019-07-29  8:42 ` Jiri Pirko
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Jia-Ju Bai @ 2019-07-29  8:24 UTC (permalink / raw)
  To: jhs, xiyou.wangcong, jiri, davem; +Cc: netdev, linux-kernel, Jia-Ju Bai

In dequeue_func(), there is an if statement on line 74 to check whether
skb is NULL:
    if (skb)

When skb is NULL, it is used on line 77:
    prefetch(&skb->end);

Thus, a possible null-pointer dereference may occur.

To fix this bug, skb->end is used when skb is not NULL.

This bug is found by a static analysis tool STCheck written by us.

Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
v2:
* Add a fix tag.
  Thank Jiri Pirko for helpful advice.
v3:
* Use a correct fix tag.
  Thank Jiri Pirko for helpful advice.

---
 net/sched/sch_codel.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
index 25ef172c23df..30169b3adbbb 100644
--- a/net/sched/sch_codel.c
+++ b/net/sched/sch_codel.c
@@ -71,10 +71,10 @@ static struct sk_buff *dequeue_func(struct codel_vars *vars, void *ctx)
 	struct Qdisc *sch = ctx;
 	struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
 
-	if (skb)
+	if (skb) {
 		sch->qstats.backlog -= qdisc_pkt_len(skb);
-
-	prefetch(&skb->end); /* we'll need skb_shinfo() */
+		prefetch(&skb->end); /* we'll need skb_shinfo() */
+	}
 	return skb;
 }
 
-- 
2.17.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH v3] net: sched: Fix a possible null-pointer dereference in dequeue_func()
  2019-07-29  8:24 [PATCH v3] net: sched: Fix a possible null-pointer dereference in dequeue_func() Jia-Ju Bai
@ 2019-07-29  8:42 ` Jiri Pirko
  2019-07-29 16:47 ` David Miller
  2019-07-29 17:23 ` Cong Wang
  2 siblings, 0 replies; 5+ messages in thread
From: Jiri Pirko @ 2019-07-29  8:42 UTC (permalink / raw)
  To: Jia-Ju Bai; +Cc: jhs, xiyou.wangcong, davem, netdev, linux-kernel

Mon, Jul 29, 2019 at 10:24:33AM CEST, baijiaju1990@gmail.com wrote:
>In dequeue_func(), there is an if statement on line 74 to check whether
>skb is NULL:
>    if (skb)
>
>When skb is NULL, it is used on line 77:
>    prefetch(&skb->end);
>
>Thus, a possible null-pointer dereference may occur.
>
>To fix this bug, skb->end is used when skb is not NULL.
>
>This bug is found by a static analysis tool STCheck written by us.
>
>Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
>Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>

Reviewed-by: Jiri Pirko <jiri@mellanox.com>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH v3] net: sched: Fix a possible null-pointer dereference in dequeue_func()
  2019-07-29  8:24 [PATCH v3] net: sched: Fix a possible null-pointer dereference in dequeue_func() Jia-Ju Bai
  2019-07-29  8:42 ` Jiri Pirko
@ 2019-07-29 16:47 ` David Miller
  2019-07-29 17:23 ` Cong Wang
  2 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2019-07-29 16:47 UTC (permalink / raw)
  To: baijiaju1990; +Cc: jhs, xiyou.wangcong, jiri, netdev, linux-kernel

From: Jia-Ju Bai <baijiaju1990@gmail.com>
Date: Mon, 29 Jul 2019 16:24:33 +0800

> In dequeue_func(), there is an if statement on line 74 to check whether
> skb is NULL:
>     if (skb)
> 
> When skb is NULL, it is used on line 77:
>     prefetch(&skb->end);
> 
> Thus, a possible null-pointer dereference may occur.
> 
> To fix this bug, skb->end is used when skb is not NULL.
> 
> This bug is found by a static analysis tool STCheck written by us.
> 
> Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>

Applied and queued up for -stable.

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH v3] net: sched: Fix a possible null-pointer dereference in dequeue_func()
  2019-07-29  8:24 [PATCH v3] net: sched: Fix a possible null-pointer dereference in dequeue_func() Jia-Ju Bai
  2019-07-29  8:42 ` Jiri Pirko
  2019-07-29 16:47 ` David Miller
@ 2019-07-29 17:23 ` Cong Wang
  2019-08-05  8:05   ` Eric Dumazet
  2 siblings, 1 reply; 5+ messages in thread
From: Cong Wang @ 2019-07-29 17:23 UTC (permalink / raw)
  To: Jia-Ju Bai
  Cc: Jamal Hadi Salim, Jiri Pirko, David Miller,
	Linux Kernel Network Developers, LKML

On Mon, Jul 29, 2019 at 1:24 AM Jia-Ju Bai <baijiaju1990@gmail.com> wrote:
>
> In dequeue_func(), there is an if statement on line 74 to check whether
> skb is NULL:
>     if (skb)
>
> When skb is NULL, it is used on line 77:
>     prefetch(&skb->end);
>
> Thus, a possible null-pointer dereference may occur.
>
> To fix this bug, skb->end is used when skb is not NULL.
>
> This bug is found by a static analysis tool STCheck written by us.

It doesn't dereference the pointer, it simply calculates the address
and passes it to gcc builtin prefetch. Both are fine when it is NULL,
as prefetching a NULL address should be okay for kernel.

So your changelog is misleading and it doesn't fix any bug,
although it does very slightly make the code better.

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH v3] net: sched: Fix a possible null-pointer dereference in dequeue_func()
  2019-07-29 17:23 ` Cong Wang
@ 2019-08-05  8:05   ` Eric Dumazet
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Dumazet @ 2019-08-05  8:05 UTC (permalink / raw)
  To: Cong Wang, Jia-Ju Bai
  Cc: Jamal Hadi Salim, Jiri Pirko, David Miller,
	Linux Kernel Network Developers, LKML



On 7/29/19 7:23 PM, Cong Wang wrote:
> On Mon, Jul 29, 2019 at 1:24 AM Jia-Ju Bai <baijiaju1990@gmail.com> wrote:
>>
>> In dequeue_func(), there is an if statement on line 74 to check whether
>> skb is NULL:
>>     if (skb)
>>
>> When skb is NULL, it is used on line 77:
>>     prefetch(&skb->end);
>>
>> Thus, a possible null-pointer dereference may occur.
>>
>> To fix this bug, skb->end is used when skb is not NULL.
>>
>> This bug is found by a static analysis tool STCheck written by us.
> 
> It doesn't dereference the pointer, it simply calculates the address
> and passes it to gcc builtin prefetch. Both are fine when it is NULL,
> as prefetching a NULL address should be okay for kernel.
> 
> So your changelog is misleading and it doesn't fix any bug,
> although it does very slightly make the code better.
> 

Original code was intentional.

A prefetch() need to be done as early as possible.

At the time of commit 76e3cc126bb223013a6b9a0e2a51238d1ef2e409
this was pretty clear :

+static struct sk_buff *dequeue(struct codel_vars *vars, struct Qdisc *sch)
+{
+	struct sk_buff *skb = __skb_dequeue(&sch->q);
+
+	prefetch(&skb->end); /* we'll need skb_shinfo() */
+	return skb;
+}


Really static analysis should learn about prefetch(X) being legal for _any_ value of X

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-08-05  8:05 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-29  8:24 [PATCH v3] net: sched: Fix a possible null-pointer dereference in dequeue_func() Jia-Ju Bai
2019-07-29  8:42 ` Jiri Pirko
2019-07-29 16:47 ` David Miller
2019-07-29 17:23 ` Cong Wang
2019-08-05  8:05   ` Eric Dumazet

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).