Bug#266892: kernel panic with ingress scheduling

[Louis-David Mitterrand <ldm@apartia.org>]

Package: kernel-source-2.6.8
Version: 2.6.8-2
Severity: important
Tags: patch

A kernel panic is triggered when loading fiaif with htb scheduler
support.

Please see attached message from lkml with patch for details.


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (499, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-zenon
Locale: LANG=en_CA, LC_CTYPE=fr_FR@euro (ignored: LC_ALL set to en_US)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-1     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-1    A high-quality block-sorting file 
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities
ii  fileutils                     5.2.1-2    The GNU file management utilities 

-- no debconf information

-- 
ldm@apartia.fr

--- Begin Message ---

• To: lkml@lazy.shacknet.nu
• Cc: linux-kernel@vger.kernel.org, netdev@oss.sgi.com, "David S. Miller" <davem@redhat.com>
• Subject: Re: [Panic] 2.6.8 and ingress scheduling
• From: Patrick McHardy <kaber@trash.net>
• Date: Sun, 15 Aug 2004 20:10:21 GMT
• Message-id: <fa.e29vo0k.12ku7pm@ifi.uio.no>
• In-reply-to: <20040815130635.GA3703@lazy.shacknet.nu>
• References: <fa.idmtofe.1gieeio@ifi.uio.no>

lkml@lazy.shacknet.nu wrote:

hello again,

the last line (filter add) in the "wondershaper" script does sth. to the
kernel, that lets it panic on receiving network packets.

actually, the last _two_ commands set up the kernel for panic. please
see attached script; running should produce this console message:

Fixed by this patch. qdisc_data was only aligned correctly in qdisc_create_dflt(),

not qdisc_create() which resulted in memory corruption.

Regards
Patrick

# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
#   2004/08/15 18:08:13+02:00 kaber@coreworks.de 
#   [PKT_SCHED]: cacheline-align qdisc data in qdisc_create()
#   
#   Signed-off-by: Patrick McHardy <kaber@trash.net>
# 
# net/sched/sch_api.c
#   2004/08/15 18:04:27+02:00 kaber@coreworks.de +13 -8
#   [PKT_SCHED]: cacheline-align qdisc data in qdisc_create()
# 
diff -Nru a/net/sched/sch_api.c b/net/sched/sch_api.c
--- a/net/sched/sch_api.c	2004-08-15 18:09:36 +02:00
+++ b/net/sched/sch_api.c	2004-08-15 18:09:36 +02:00
@@ -389,7 +389,8 @@
 {
 	int err;
 	struct rtattr *kind = tca[TCA_KIND-1];
-	struct Qdisc *sch = NULL;
+	void *p = NULL;
+	struct Qdisc *sch;
 	struct Qdisc_ops *ops;
 	int size;
 
@@ -407,12 +408,18 @@
 	if (ops == NULL)
 		goto err_out;
 
-	size = sizeof(*sch) + ops->priv_size;
+	/* ensure that the Qdisc and the private data are 32-byte aligned */
+	size = ((sizeof(*sch) + QDISC_ALIGN_CONST) & ~QDISC_ALIGN_CONST);
+	size += ops->priv_size + QDISC_ALIGN_CONST;
 
-	sch = kmalloc(size, GFP_KERNEL);
+	p = kmalloc(size, GFP_KERNEL);
 	err = -ENOBUFS;
-	if (!sch)
+	if (!p)
 		goto err_out;
+	memset(p, 0, size);
+	sch = (struct Qdisc *)(((unsigned long)p + QDISC_ALIGN_CONST)
+	                       & ~QDISC_ALIGN_CONST);
+	sch->padded = (char *)sch - (char *)p;
 
 	/* Grrr... Resolve race condition with module unload */
 
@@ -420,8 +427,6 @@
 	if (ops != qdisc_lookup_ops(kind))
 		goto err_out;
 
-	memset(sch, 0, size);
-
 	INIT_LIST_HEAD(&sch->list);
 	skb_queue_head_init(&sch->q);
 
@@ -470,8 +475,8 @@
 
 err_out:
 	*errp = err;
-	if (sch)
-		kfree(sch);
+	if (p)
+		kfree(p);
 	return NULL;
 }
 

--- End Message ---