[PATCH net v3 1/3] net/sched: cls_fw: fix NULL pointer dereference on shared blocks

[PATCH net v3 1/3] net/sched: cls_fw: fix NULL pointer dereference on shared blocks

[Xiang Mei]

The old-method path in fw_classify() calls tcf_block_q() and
dereferences q->handle.  Shared blocks leave block->q NULL, causing a
NULL deref when an empty cls_fw filter is attached to a shared block
and a packet with a nonzero major skb mark is classified.

Reject the configuration in fw_change() when the old method (no
TCA_OPTIONS) is used on a shared block, since fw_classify()'s
old-method path needs block->q which is NULL for shared blocks.

The fixed null-ptr-deref calling stack:
 KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
 RIP: 0010:fw_classify (net/sched/cls_fw.c:81)
 Call Trace:
  tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)
  tc_run (net/core/dev.c:4401)
  __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)

Fixes: 1abf272022cf ("net: sched: tcindex, fw, flow: use tcf_block_q helper to get struct Qdisc")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
v2: Correct 3/3 selftest case
v3: Avoid the bug earlier in fw_change

 net/sched/cls_fw.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index be81c108179d..23884ef8b80c 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -247,8 +247,18 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
 	struct nlattr *tb[TCA_FW_MAX + 1];
 	int err;
 
-	if (!opt)
-		return handle ? -EINVAL : 0; /* Succeed if it is old method. */
+	if (!opt) {
+		if (handle)
+			return -EINVAL;
+
+		if (tcf_block_shared(tp->chain->block)) {
+			NL_SET_ERR_MSG(extack,
+				       "Must specify mark when attaching fw filter to block");
+			return -EINVAL;
+		}
+
+		return 0; /* Succeed if it is old method. */
+	}
 
 	err = nla_parse_nested_deprecated(tb, TCA_FW_MAX, opt, fw_policy,
 					  NULL);
-- 
2.43.0

[PATCH net v3 2/3] net/sched: cls_flow: fix NULL pointer dereference on shared blocks

[Xiang Mei]

flow_change() calls tcf_block_q() and dereferences q->handle to derive
a default baseclass.  Shared blocks leave block->q NULL, causing a NULL
deref when a flow filter without a fully qualified baseclass is created
on a shared block.

Check tcf_block_shared() before accessing block->q and return -EINVAL
for shared blocks.  This avoids the null-deref shown below:

=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
 tc_new_tfilter (net/sched/cls_api.c:2432)
 rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
 [...]
=======================================================================

Fixes: 1abf272022cf ("net: sched: tcindex, fw, flow: use tcf_block_q helper to get struct Qdisc")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
v2: Correct 3/3 selftest case
v3: add error message

 net/sched/cls_flow.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
index 339c664beff6..ab364e4e4686 100644
--- a/net/sched/cls_flow.c
+++ b/net/sched/cls_flow.c
@@ -503,8 +503,16 @@ static int flow_change(struct net *net, struct sk_buff *in_skb,
 		}
 
 		if (TC_H_MAJ(baseclass) == 0) {
-			struct Qdisc *q = tcf_block_q(tp->chain->block);
+			struct tcf_block *block = tp->chain->block;
+			struct Qdisc *q;
 
+			if (tcf_block_shared(block)) {
+				NL_SET_ERR_MSG(extack,
+					       "Must specify baseclass when attaching flow filter to block");
+				goto err2;
+			}
+
+			q = tcf_block_q(block);
 			baseclass = TC_H_MAKE(q->handle, baseclass);
 		}
 		if (TC_H_MIN(baseclass) == 0)
-- 
2.43.0

[PATCH net v3 3/3] selftests/tc-testing: add tests for cls_fw and cls_flow on shared blocks

[Xiang Mei]

Regression tests for the shared-block NULL derefs fixed in the previous
two patches:

  - fw: attempt to attach an empty fw filter to a shared block and
    verify the configuration is rejected with EINVAL.
  - flow: create a flow filter on a shared block without a baseclass
    and verify the configuration is rejected with EINVAL.

Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
v2: Correct 3/3 selftest case
v3: make b7e3 forcus on fw_change
 
 .../tc-testing/tc-tests/infra/filter.json     | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/tools/testing/selftests/tc-testing/tc-tests/infra/filter.json b/tools/testing/selftests/tc-testing/tc-tests/infra/filter.json
index 8d10042b489b..dbce6436ed26 100644
--- a/tools/testing/selftests/tc-testing/tc-tests/infra/filter.json
+++ b/tools/testing/selftests/tc-testing/tc-tests/infra/filter.json
@@ -22,5 +22,49 @@
         "teardown": [
             "$TC qdisc del dev $DUMMY root handle 1: htb default 1"
         ]
+    },
+    {
+        "id": "b7e3",
+        "name": "Empty fw filter on shared block - rejected at config time",
+        "category": [
+            "filter",
+            "fw"
+        ],
+        "plugins": {
+            "requires": "nsPlugin"
+        },
+        "setup": [
+            "$TC qdisc add dev $DEV1 egress_block 1 clsact"
+        ],
+        "cmdUnderTest": "$TC filter add block 1 protocol ip prio 1 fw",
+        "expExitCode": "2",
+        "verifyCmd": "$TC filter show block 1",
+        "matchPattern": "fw",
+        "matchCount": "0",
+        "teardown": [
+            "$TC qdisc del dev $DEV1 clsact"
+        ]
+    },
+    {
+        "id": "c8f4",
+        "name": "Flow filter on shared block without baseclass - rejected at config time",
+        "category": [
+            "filter",
+            "flow"
+        ],
+        "plugins": {
+            "requires": "nsPlugin"
+        },
+        "setup": [
+            "$TC qdisc add dev $DEV1 ingress_block 1 clsact"
+        ],
+        "cmdUnderTest": "$TC filter add block 1 protocol ip prio 1 handle 1 flow map key dst",
+        "expExitCode": "2",
+        "verifyCmd": "$TC filter show block 1",
+        "matchPattern": "flow",
+        "matchCount": "0",
+        "teardown": [
+            "$TC qdisc del dev $DEV1 clsact"
+        ]
     }
 ]
-- 
2.43.0

Re: [PATCH net v3 1/3] net/sched: cls_fw: fix NULL pointer dereference on shared blocks

[Jamal Hadi Salim]

On Tue, Mar 31, 2026 at 1:02 AM Xiang Mei <xmei5@asu.edu> wrote:
>
> The old-method path in fw_classify() calls tcf_block_q() and
> dereferences q->handle.  Shared blocks leave block->q NULL, causing a
> NULL deref when an empty cls_fw filter is attached to a shared block
> and a packet with a nonzero major skb mark is classified.
>
> Reject the configuration in fw_change() when the old method (no
> TCA_OPTIONS) is used on a shared block, since fw_classify()'s
> old-method path needs block->q which is NULL for shared blocks.
>
> The fixed null-ptr-deref calling stack:
>  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
>  RIP: 0010:fw_classify (net/sched/cls_fw.c:81)
>  Call Trace:
>   tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)
>   tc_run (net/core/dev.c:4401)
>   __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)
>
> Fixes: 1abf272022cf ("net: sched: tcindex, fw, flow: use tcf_block_q helper to get struct Qdisc")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Signed-off-by: Xiang Mei <xmei5@asu.edu>

Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>

cheers,
jamal

> ---
> v2: Correct 3/3 selftest case
> v3: Avoid the bug earlier in fw_change
>
>  net/sched/cls_fw.c | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
> index be81c108179d..23884ef8b80c 100644
> --- a/net/sched/cls_fw.c
> +++ b/net/sched/cls_fw.c
> @@ -247,8 +247,18 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
>         struct nlattr *tb[TCA_FW_MAX + 1];
>         int err;
>
> -       if (!opt)
> -               return handle ? -EINVAL : 0; /* Succeed if it is old method. */
> +       if (!opt) {
> +               if (handle)
> +                       return -EINVAL;
> +
> +               if (tcf_block_shared(tp->chain->block)) {
> +                       NL_SET_ERR_MSG(extack,
> +                                      "Must specify mark when attaching fw filter to block");
> +                       return -EINVAL;
> +               }
> +
> +               return 0; /* Succeed if it is old method. */
> +       }
>
>         err = nla_parse_nested_deprecated(tb, TCA_FW_MAX, opt, fw_policy,
>                                           NULL);
> --
> 2.43.0
>

Re: [PATCH net v3 2/3] net/sched: cls_flow: fix NULL pointer dereference on shared blocks

[Jamal Hadi Salim]

On Tue, Mar 31, 2026 at 1:02 AM Xiang Mei <xmei5@asu.edu> wrote:
>
> flow_change() calls tcf_block_q() and dereferences q->handle to derive
> a default baseclass.  Shared blocks leave block->q NULL, causing a NULL
> deref when a flow filter without a fully qualified baseclass is created
> on a shared block.
>
> Check tcf_block_shared() before accessing block->q and return -EINVAL
> for shared blocks.  This avoids the null-deref shown below:
>
> =======================================================================
> KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
> RIP: 0010:flow_change (net/sched/cls_flow.c:508)
> Call Trace:
>  tc_new_tfilter (net/sched/cls_api.c:2432)
>  rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
>  [...]
> =======================================================================
>
> Fixes: 1abf272022cf ("net: sched: tcindex, fw, flow: use tcf_block_q helper to get struct Qdisc")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Signed-off-by: Xiang Mei <xmei5@asu.edu>

Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>

cheers,
jamal

> v2: Correct 3/3 selftest case
> v3: add error message
>
>  net/sched/cls_flow.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
> index 339c664beff6..ab364e4e4686 100644
> --- a/net/sched/cls_flow.c
> +++ b/net/sched/cls_flow.c
> @@ -503,8 +503,16 @@ static int flow_change(struct net *net, struct sk_buff *in_skb,
>                 }
>
>                 if (TC_H_MAJ(baseclass) == 0) {
> -                       struct Qdisc *q = tcf_block_q(tp->chain->block);
> +                       struct tcf_block *block = tp->chain->block;
> +                       struct Qdisc *q;
>
> +                       if (tcf_block_shared(block)) {
> +                               NL_SET_ERR_MSG(extack,
> +                                              "Must specify baseclass when attaching flow filter to block");
> +                               goto err2;
> +                       }
> +
> +                       q = tcf_block_q(block);
>                         baseclass = TC_H_MAKE(q->handle, baseclass);
>                 }
>                 if (TC_H_MIN(baseclass) == 0)
> --
> 2.43.0
>

Re: [PATCH net v3 3/3] selftests/tc-testing: add tests for cls_fw and cls_flow on shared blocks

[Jamal Hadi Salim]

On Tue, Mar 31, 2026 at 1:02 AM Xiang Mei <xmei5@asu.edu> wrote:
>
> Regression tests for the shared-block NULL derefs fixed in the previous
> two patches:
>
>   - fw: attempt to attach an empty fw filter to a shared block and
>     verify the configuration is rejected with EINVAL.
>   - flow: create a flow filter on a shared block without a baseclass
>     and verify the configuration is rejected with EINVAL.
>
> Signed-off-by: Xiang Mei <xmei5@asu.edu>

Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>

cheers,
jamal

Re: [PATCH net v3 3/3] selftests/tc-testing: add tests for cls_fw and cls_flow on shared blocks

[Victor Nogueira]

On 31/03/2026 02:02, Xiang Mei wrote:
> Regression tests for the shared-block NULL derefs fixed in the previous
> two patches:
> 
>    - fw: attempt to attach an empty fw filter to a shared block and
>      verify the configuration is rejected with EINVAL.
>    - flow: create a flow filter on a shared block without a baseclass
>      and verify the configuration is rejected with EINVAL.
> 
> Signed-off-by: Xiang Mei <xmei5@asu.edu>

Reviewed-by: Victor Nogueira <victor@mojatatu.com>

Re: [PATCH net v3 1/3] net/sched: cls_fw: fix NULL pointer dereference on shared blocks

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Mon, 30 Mar 2026 22:02:15 -0700 you wrote:
> The old-method path in fw_classify() calls tcf_block_q() and
> dereferences q->handle.  Shared blocks leave block->q NULL, causing a
> NULL deref when an empty cls_fw filter is attached to a shared block
> and a packet with a nonzero major skb mark is classified.
> 
> Reject the configuration in fw_change() when the old method (no
> TCA_OPTIONS) is used on a shared block, since fw_classify()'s
> old-method path needs block->q which is NULL for shared blocks.
> 
> [...]

Here is the summary with links:
  - [net,v3,1/3] net/sched: cls_fw: fix NULL pointer dereference on shared blocks
    https://git.kernel.org/netdev/net/c/faeea8bbf6e9
  - [net,v3,2/3] net/sched: cls_flow: fix NULL pointer dereference on shared blocks
    https://git.kernel.org/netdev/net/c/1a280dd4bd1d
  - [net,v3,3/3] selftests/tc-testing: add tests for cls_fw and cls_flow on shared blocks
    https://git.kernel.org/netdev/net/c/70f73562d278

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html