Re: [PATCH net 6/9] sch_fq_codel: avoid double free on init failure

[PATCH net 0/9] net/sched: init failure fixes · Nikolay Aleksandrov <hidden> · 2017-08-30
[PATCH net 1/9] sch_htb: fix crash on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
[PATCH net 2/9] sch_multiq: fix double free on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
[PATCH net 3/9] sch_hhf: fix null pointer dereference on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
[PATCH net 4/9] sch_hfsc: fix null pointer deref and double free on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
[PATCH net 6/9] sch_fq_codel: avoid double free on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
Re: [PATCH net 6/9] sch_fq_codel: avoid double free on init failure · Cong Wang <hidden> · 2017-08-30
Re: [PATCH net 6/9] sch_fq_codel: avoid double free on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
[PATCH net 7/9] sch_netem: avoid null pointer deref on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
[PATCH net 8/9] sch_sfq: fix null pointer dereference on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
[PATCH net 9/9] sch_tbf: fix two null pointer dereferences on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
Re: [PATCH net 9/9] sch_tbf: fix two null pointer dereferences on init failure · Cong Wang <hidden> · 2017-08-30
Re: [PATCH net 9/9] sch_tbf: fix two null pointer dereferences on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
[PATCH net 5/9] sch_cbq: fix null pointer dereferences on init failure · Nikolay Aleksandrov <hidden> · 2017-08-30
Re: [PATCH net 0/9] net/sched: init failure fixes · Jamal Hadi Salim <jhs@mojatatu.com> · 2017-08-30
Re: [PATCH net 0/9] net/sched: init failure fixes · Nikolay Aleksandrov <hidden> · 2017-08-30
Re: [PATCH net 0/9] net/sched: init failure fixes · David Miller <davem@davemloft.net> · 2017-08-30

From: Nikolay Aleksandrov <hidden>
Date: 2017-08-30 21:37:24

On 30/08/17 20:36, Cong Wang wrote:

On Wed, Aug 30, 2017 at 2:49 AM, Nikolay Aleksandrov
[off-list ref] wrote:

quoted

It is very unlikely to happen but the backlogs memory allocation
could fail and will free q->flows, but then ->destroy() will free
q->flows too. For correctness remove the first free and let ->destroy
clean up.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Nikolay Aleksandrov <redacted>
---
 net/sched/sch_fq_codel.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 337f2d6d81e4..2c0c05f2cc34 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c

@@ -491,10 +491,8 @@ static int fq_codel_init(struct Qdisc *sch, struct nlattr *opt)
                if (!q->flows)
                        return -ENOMEM;
                q->backlogs = kvzalloc(q->flows_cnt * sizeof(u32), GFP_KERNEL);
-               if (!q->backlogs) {
-                       kvfree(q->flows);
+               if (!q->backlogs)
                        return -ENOMEM;
-               }

This is fine. Or we can NULL it after kvfree().

I have no preference here. The only difference here is if we still
expect ->init() to cleanup its own failure.

We don't, that's the point of the changes that lead to these fixes,
the way ->destroy() is used by both the default qdisc infra and the
normal qdisc add suggest that it should clean up after ->init failure,
thus the change.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help