Thread (7 messages) 7 messages, 3 authors, 2009-02-27

[PATCH] Re: probably bug in drr scheduler, 2.6.29-rc5

From: Jarek Poplawski <hidden>
Date: 2009-02-27 10:16:41
Subsystem: networking [general], tc subsystem, the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Jamal Hadi Salim, Jiri Pirko, Linus Torvalds

On 26-02-2009 16:45, Denys Fedoryschenko wrote:
> Hi, triggered a bug in DRR seems
...
> [65298.391392] BUG: unable to handle kernel NULL pointer dereference at (null)
> [65298.391397] IP: [<ffffffffa0021700>] drr_change_class+0x39/0x2de [sch_drr]
...

Thanks for the report,
Jarek P.
----------->
pkt_sched: sch_drr: Fix oops in drr_change_class.

drr_change_class lacks a check for NULL of tca[TCA_OPTIONS], so oops
is possible.

Reported-by: Denys Fedoryschenko <redacted>
Signed-off-by: Jarek Poplawski <redacted>
---

 net/sched/sch_drr.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c
index f6b4fa9..e36e94a 100644
--- a/net/sched/sch_drr.c
+++ b/net/sched/sch_drr.c
@@ -66,11 +66,15 @@ static int drr_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
 {
 	struct drr_sched *q = qdisc_priv(sch);
 	struct drr_class *cl = (struct drr_class *)*arg;
+	struct nlattr *opt = tca[TCA_OPTIONS];
 	struct nlattr *tb[TCA_DRR_MAX + 1];
 	u32 quantum;
 	int err;
 
-	err = nla_parse_nested(tb, TCA_DRR_MAX, tca[TCA_OPTIONS], drr_policy);
+	if (!opt)
+		return -EINVAL;
+
+	err = nla_parse_nested(tb, TCA_DRR_MAX, opt, drr_policy);
 	if (err < 0)
 		return err;
 
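Review bot: The changelog does not say which request reaches the new `if (!opt)` check at the top of drr_change_class; it only states that an oops "is possible". One added sentence would help anyone assessing the fix for backporting: a class change request that arrives without a TCA_OPTIONS attribute leaves tca[TCA_OPTIONS] NULL, and the old code passed that straight to nla_parse_nested(). The placement of the check is right, since it runs before the first use of the attribute, and caching the pointer in `opt` keeps the later nla_parse_nested(tb, TCA_DRR_MAX, opt, drr_policy) call readable. -EINVAL is a reasonable return for a missing mandatory attribute.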