From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Weiming Shi, Xiang Mei, Jamal Hadi Salim, Paolo Abeni, Sasha Levin
Subject: [PATCH 6.19 120/311] net/sched: cls_flow: fix NULL pointer dereference on shared blocks
Date: Wed, 8 Apr 2026 20:02:00 +0200
Message-ID: <20260408175943.897930235@linuxfoundation.org>
In-Reply-To: <20260408175939.393281918@linuxfoundation.org>
References: <20260408175939.393281918@linuxfoundation.org>

6.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Xiang Mei

[ Upstream commit 1a280dd4bd1d616a01d6ffe0de284c907b555504 ]

flow_change() calls tcf_block_q() and dereferences q->handle to derive
a default baseclass. Shared blocks leave block->q NULL, causing a NULL
deref when a flow filter without a fully qualified baseclass is created
on a shared block.

Check tcf_block_shared() before accessing block->q and return -EINVAL
for shared blocks. This avoids the null-deref shown below:

=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
 tc_new_tfilter (net/sched/cls_api.c:2432)
 rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
 [...]
=======================================================================

Fixes: 1abf272022cf ("net: sched: tcindex, fw, flow: use tcf_block_q helper to get struct Qdisc")
Reported-by: Weiming Shi
Signed-off-by: Xiang Mei
Acked-by: Jamal Hadi Salim
Link: https://patch.msgid.link/20260331050217.504278-2-xmei5@asu.edu
Signed-off-by: Paolo Abeni
Signed-off-by: Sasha Levin --- net/sched/cls_flow.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c index 5693b41b093f3..edf1252c1fde7 100644 --- a/net/sched/cls_flow.c +++ b/net/sched/cls_flow.c @@ -503,8 +503,16 @@ static int flow_change(struct net *net, struct sk_buff *in_skb, } if (TC_H_MAJ(baseclass) == 0) { - struct Qdisc *q = tcf_block_q(tp->chain->block); + struct tcf_block *block = tp->chain->block; + struct Qdisc *q; + if (tcf_block_shared(block)) { + NL_SET_ERR_MSG(extack, + "Must specify baseclass when attaching flow filter to block"); + goto err2; + } + + q = tcf_block_q(block); baseclass = TC_H_MAKE(q->handle, baseclass); } if (TC_H_MIN(baseclass) == 0) -- 2.53.0
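Review bot: In the new tcf_block_shared(block) branch, the code sets the extack message and jumps to err2 without assigning an error code in the visible lines, while the commit message promises -EINVAL for shared blocks. That only holds if err already carries -EINVAL when the TC_H_MAJ(baseclass) == 0 block is entered; setting err = -EINVAL explicitly before the goto, or stating in the changelog where it is assigned, would keep the return value from silently changing if the code above is ever reordered. Separately, q = tcf_block_q(block) is still followed by q->handle with no NULL check, so the fix depends on shared blocks being the only case in which the block has no qdisc; a one-line comment saying so would make that assumption visible to the next reader.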