On 7/29/19 7:23 PM, Cong Wang wrote: > On Mon, Jul 29, 2019 at 1:24 AM Jia-Ju Bai <[email protected]> wrote: >> >> In dequeue_func(), there is an if statement on line 74 to check whether >> skb is NULL: >> if (skb) >> >> When skb is NULL, it is used on line 77: >> prefetch(&skb->end); >> >> Thus, a possible null-pointer dereference may occur. >> >> To fix this bug, skb->end is used when skb is not NULL. >> >> This bug is found by a static analysis tool STCheck written by us. > > It doesn't dereference the pointer, it simply calculates the address > and passes it to gcc builtin prefetch. Both are fine when it is NULL, > as prefetching a NULL address should be okay for kernel. > > So your changelog is misleading and it doesn't fix any bug, > although it does very slightly make the code better. > Original code was intentional. A prefetch() need to be done as early as possible. At the time of commit 76e3cc126bb223013a6b9a0e2a51238d1ef2e409 this was pretty clear : +static struct sk_buff *dequeue(struct codel_vars *vars, struct Qdisc *sch) +{ + struct sk_buff *skb = __skb_dequeue(&sch->q); + + prefetch(&skb->end); /* we'll need skb_shinfo() */ + return skb; +} Really static analysis should learn about prefetch(X) being legal for _any_ value of X
