diff options
| author | Xiang Mei <xmei5@asu.edu> | 2026-03-30 22:02:15 -0700 |
|---|---|---|
| committer | Paolo Abeni <pabeni@redhat.com> | 2026-04-02 15:08:41 +0200 |
| commit | faeea8bbf6e958bf3c00cb08263109661975987c (patch) | |
| tree | e21bdc1e46f158dd9081d8f896de48f6ae494377 /fs/devfs/git@git.tavy.me:linux.git | |
| parent | a80a014f83bded5a2f498c22b4a06a7a31256f98 (diff) | |
net/sched: cls_fw: fix NULL pointer dereference on shared blocks
The old-method path in fw_classify() calls tcf_block_q() and
dereferences q->handle. Shared blocks leave block->q NULL, causing a
NULL deref when an empty cls_fw filter is attached to a shared block
and a packet with a nonzero major skb mark is classified.
Reject the configuration in fw_change() when the old method (no
TCA_OPTIONS) is used on a shared block, since fw_classify()'s
old-method path needs block->q which is NULL for shared blocks.
The fixed null-ptr-deref calling stack:
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:fw_classify (net/sched/cls_fw.c:81)
Call Trace:
tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)
tc_run (net/core/dev.c:4401)
__dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)
Fixes: 1abf272022cf ("net: sched: tcindex, fw, flow: use tcf_block_q helper to get struct Qdisc")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260331050217.504278-1-xmei5@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'fs/devfs/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions