From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
To: Pierre Riteau <pierre@stackhpc.com>
Cc: netdev@vger.kernel.org
Subject: Re: [PATCH net] net/sched: cls_api: fix error handling causing NULL dereference
Date: Fri, 14 Feb 2025 13:43:03 +0100 [thread overview]
Message-ID: <Z685fovQy0yL6stZ@mev-dev.igk.intel.com> (raw)
In-Reply-To: <20250213223610.320278-1-pierre@stackhpc.com>
On Thu, Feb 13, 2025 at 11:36:10PM +0100, Pierre Riteau wrote:
> tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can
> return 1 if the allocation succeeded after wrapping. This was treated as
> an error, with value 1 returned to caller tcf_exts_init_ex() which sets
> exts->actions to NULL and returns 1 to caller fl_change().
>
> fl_change() treats err == 1 as success, calling tcf_exts_validate_ex()
> which calls tcf_action_init() with exts->actions as argument, where it
> is dereferenced.
>
> Example trace:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1
> RIP: 0010:tcf_action_init+0x1f8/0x2c0
> Call Trace:
> tcf_action_init+0x1f8/0x2c0
> tcf_exts_validate_ex+0x175/0x190
> fl_change+0x537/0x1120 [cls_flower]
>
> Fixes: 80cd22c35c90 ("net/sched: cls_api: Support hardware miss to tc action")
> Signed-off-by: Pierre Riteau <pierre@stackhpc.com>
> ---
> net/sched/cls_api.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
> index 8e47e5355be6..4f648af8cfaa 100644
> --- a/net/sched/cls_api.c
> +++ b/net/sched/cls_api.c
> @@ -97,7 +97,7 @@ tcf_exts_miss_cookie_base_alloc(struct tcf_exts *exts, struct tcf_proto *tp,
>
> err = xa_alloc_cyclic(&tcf_exts_miss_cookies_xa, &n->miss_cookie_base,
> n, xa_limit_32b, &next, GFP_KERNEL);
> - if (err)
> + if (err < 0)
> goto err_xa_alloc;
>
> exts->miss_cookie_node = n;
Thanks for fixing.
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
The same thing is done in devlink_rel_alloc() (net/devlink/core.c). I am
not sure if it can lead to NULL pointer dereference as here.
Thanks,
Michal
> --
> 2.43.5
next prev parent reply other threads:[~2025-02-14 12:46 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-13 22:36 [PATCH net] net/sched: cls_api: fix error handling causing NULL dereference Pierre Riteau
2025-02-14 12:43 ` Michal Swiatkowski [this message]
2025-02-14 14:21 ` Pierre Riteau
2025-02-14 14:38 ` Pierre Riteau
2025-02-15 17:30 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z685fovQy0yL6stZ@mev-dev.igk.intel.com \
--to=michal.swiatkowski@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=pierre@stackhpc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.