At 2017-06-28 01:49:50, "Eric Dumazet" <eric.duma...@gmail.com> wrote: >On Tue, 2017-06-27 at 10:08 -0700, Cong Wang wrote: >> On Tue, Jun 27, 2017 at 9:50 AM, Eric Dumazet <eric.duma...@gmail.com> wrote: >> > On Tue, 2017-06-27 at 09:30 -0700, Cong Wang wrote: >> >> On Mon, Jun 26, 2017 at 6:35 PM, <gfree.w...@vip.163.com> wrote: >> >> > From: Gao Feng <gfree.w...@vip.163.com> >> >> > >> >> > When qdisc fail to init, qdisc_create would invoke the destroy callback >> >> > to cleanup. But there is no check if the callback exists really. So it >> >> > would cause the panic if there is no real destroy callback like these >> >> > qdisc codel, pfifo, pfifo_fast, and so on. >> >> > >> >> > Now add one the check for destroy to avoid the possible panic. >> >> > >> >> > Signed-off-by: Gao Feng <gfree.w...@vip.163.com> >> >> >> >> Looks good, >> >> >> >> Acked-by: Cong Wang <xiyou.wangc...@gmail.com> >> >> >> >> This is introduced by commit 87b60cfacf9f17cf71933c6e33b. >> >> Please add proper Fixes tag next time.
OK. Actually I didn't know it is introduced by this commit before :) Need I send an update patch again ? >> > >> > Given that pfifo, pfifo_fast or codel can not fail their init, >> >> >> How about codel_init() -> codel_change() -> nla_parse_nested() ? > > >Yeah, with a malicious user space then (iproute2/tc is fine), codel >could be problematic. > >pfifo and pfifo_fast can definitely not hit this bug. > >changelog needs a bit of attention, even if the bug is real. > >Thanks. > > Yes, the codel could fail to init, and the fifo/pfifo could failed When "nla_len(opt) < sizeof(*ctl)". Best Regards Feng
