diff mbox series

sched: address a potential NULL pointer dereference in the GRED scheduler.

Message ID 20250305154410.3505642-1-juny24602@gmail.com (mailing list archive)
State New
Delegated to: Netdev Maintainers
Headers show
Series sched: address a potential NULL pointer dereference in the GRED scheduler. | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 6 maintainers not CCed: jhs@mojatatu.com jiri@resnulli.us pabeni@redhat.com kuba@kernel.org horms@kernel.org edumazet@google.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2025-03-06--03-00 (tests: 894)

Commit Message

Jun Yang March 5, 2025, 3:44 p.m. UTC 
If kzalloc in gred_init returns a NULL pointer, the code follows the
error handling path, invoking gred_destroy. This, in turn, calls
gred_offload, where memset could receive a NULL pointer as input,
potentially leading to a kernel crash.

Signed-off-by: Jun Yang <juny24602@gmail.com>
---
 net/sched/sch_gred.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Cong Wang March 5, 2025, 6:22 p.m. UTC | #1 
On Wed, Mar 05, 2025 at 11:44:10PM +0800, Jun Yang wrote:
> If kzalloc in gred_init returns a NULL pointer, the code follows the
> error handling path, invoking gred_destroy. This, in turn, calls
> gred_offload, where memset could receive a NULL pointer as input,
> potentially leading to a kernel crash.
> 
> Signed-off-by: Jun Yang <juny24602@gmail.com>

When table->opt is NULL in gred_init(), gred_change_table_def() is not
called yet, so it is not necessary to call ->ndo_setup_tc() in
gred_offload().

Fixes: f25c0515c521 ("net: sched: gred: dynamically allocate tc_gred_qopt_offload")
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>

Thanks!
diff mbox series

Patch

diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
index ab6234b4fcd5..532fde548b88 100644
--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -913,7 +913,8 @@  static void gred_destroy(struct Qdisc *sch)
 	for (i = 0; i < table->DPs; i++)
 		gred_destroy_vq(table->tab[i]);
 
-	gred_offload(sch, TC_GRED_DESTROY);
+	if (table->opt)
+		gred_offload(sch, TC_GRED_DESTROY);
 	kfree(table->opt);
 }