Merge branch 'qdisc-null-deref'

Zhengchao Shao says: ==================== net: fix null pointer access issue in qdisc These three patches fix the same type of problem. Set the default qdisc, and then construct an init failure scenario when the dev qdisc is configured on mqprio to trigger the reset process. NULL pointer access may occur during the reset process. --- v2: for fq_codel, revert the patch --- ==================== Signed-off-by: David S. Miller <davem@davemloft.net>

Merge branch 'qdisc-null-deref'
Zhengchao Shao says: ==================== net: fix null pointer access issue in qdisc These three patches fix the same type of problem. Set the default qdisc, and then construct an init failure scenario when the dev qdisc is configured on mqprio to trigger the reset process. NULL pointer access may occur during the reset process. --- v2: for fq_codel, revert the patch --- ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
e38cf366 · David S. Miller · 7b55c2ed · 2a3fc782 · e38cf366 · e38cf366
Commit e38cf366 authored Oct 19, 2022 by David S. Miller
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 9 deletions

net/sched/sch_cake.c net/sched/sch_cake.c +4 -0

net/sched/sch_fq_codel.c net/sched/sch_fq_codel.c +17 -8

net/sched/sch_sfb.c net/sched/sch_sfb.c +2 -1

No files found.
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -2224,8 +2224,12 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch)

 static void cake_reset(struct Qdisc *sch)
 {
+	struct cake_sched_data *q = qdisc_priv(sch);
 	u32 c;

+	if (!q->tins)
+		return;
+
 	for (c = 0; c < CAKE_MAX_TINS; c++)
 		cake_clear_tin(sch, c);
 }

--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -478,24 +478,26 @@ static int fq_codel_init(struct Qdisc *sch, struct nlattr *opt,
 	if (opt) {
 		err = fq_codel_change(sch, opt, extack);
 		if (err)
-			return err;
+			goto init_failure;
 	}

 	err = tcf_block_get(&q->block, &q->filter_list, sch, extack);
 	if (err)
-		return err;
+		goto init_failure;

 	if (!q->flows) {
 		q->flows = kvcalloc(q->flows_cnt,
 				    sizeof(struct fq_codel_flow),
 				    GFP_KERNEL);
-		if (!q->flows)
-			return -ENOMEM;
-
+		if (!q->flows) {
+			err = -ENOMEM;
+			goto init_failure;
+		}
 		q->backlogs = kvcalloc(q->flows_cnt, sizeof(u32), GFP_KERNEL);
-		if (!q->backlogs)
-			return -ENOMEM;
-
+		if (!q->backlogs) {
+			err = -ENOMEM;
+			goto alloc_failure;
+		}
 		for (i = 0; i < q->flows_cnt; i++) {
 			struct fq_codel_flow *flow = q->flows + i;

@@ -508,6 +510,13 @@ static int fq_codel_init(struct Qdisc *sch, struct nlattr *opt,
 	else
 		sch->flags &= ~TCQ_F_CAN_BYPASS;
 	return 0;
+
+alloc_failure:
+	kvfree(q->flows);
+	q->flows = NULL;
+init_failure:
+	q->flows_cnt = 0;
+	return err;
 }

 static int fq_codel_dump(struct Qdisc *sch, struct sk_buff *skb)

--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -455,7 +455,8 @@ static void sfb_reset(struct Qdisc *sch)
 {
 	struct sfb_sched_data *q = qdisc_priv(sch);

-	qdisc_reset(q->qdisc);
+	if (likely(q->qdisc))
+		qdisc_reset(q->qdisc);
 	q->slot = 0;
 	q->double_buffering = false;
 	sfb_zero_all_buckets(q);