diff options
| author | Jun Yang <juny24602@gmail.com> | 2025-03-05 23:44:10 +0800 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2025-03-06 16:35:14 -0800 |
| commit | 115ef44a98220fddfab37a39a19370497cd718b9 (patch) | |
| tree | 55fcb7eca14935389f64eb9ef0e8d7143536fd5d /net/sched | |
| parent | e4e832d2b9e84d1a290f0279b10593cf465e6fb1 (diff) | |
sched: address a potential NULL pointer dereference in the GRED scheduler.
If kzalloc in gred_init returns a NULL pointer, the code follows the
error handling path, invoking gred_destroy. This, in turn, calls
gred_offload, where memset could receive a NULL pointer as input,
potentially leading to a kernel crash.
When table->opt is NULL in gred_init(), gred_change_table_def()
is not called yet, so it is not necessary to call ->ndo_setup_tc()
in gred_offload().
Signed-off-by: Jun Yang <juny24602@gmail.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Fixes: f25c0515c521 ("net: sched: gred: dynamically allocate tc_gred_qopt_offload")
Link: https://patch.msgid.link/20250305154410.3505642-1-juny24602@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/sched')
| -rw-r--r-- | net/sched/sch_gred.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c index ab6234b4fcd5..532fde548b88 100644 --- a/net/sched/sch_gred.c +++ b/net/sched/sch_gred.c @@ -913,7 +913,8 @@ static void gred_destroy(struct Qdisc *sch) for (i = 0; i < table->DPs; i++) gred_destroy_vq(table->tab[i]); - gred_offload(sch, TC_GRED_DESTROY); + if (table->opt) + gred_offload(sch, TC_GRED_DESTROY); kfree(table->opt); } |