diff mbox series

sched: address a potential NULL pointer dereference in the GRED scheduler.

Message ID 20250227160419.3065643-1-juny24602@gmail.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series sched: address a potential NULL pointer dereference in the GRED scheduler. | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers fail 7 maintainers not CCed: jhs@mojatatu.com xiyou.wangcong@gmail.com kuba@kernel.org jiri@resnulli.us horms@kernel.org edumazet@google.com pabeni@redhat.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff fail author Signed-off-by missing
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest fail net-next-2025-02-28--00-00 (tests: 896)

Commit Message

Jun Yang Feb. 27, 2025, 4:04 p.m. UTC 
If kzalloc in gred_init returns a NULL pointer, the code follows the error handling path, invoking gred_destroy. This, in turn, calls gred_offload, where memset could receive a NULL pointer as input, potentially leading to a kernel crash.
---
 net/sched/sch_gred.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

Comments

Cong Wang Feb. 27, 2025, 6:26 p.m. UTC | #1 
On Fri, Feb 28, 2025 at 12:04:19AM +0800, kwqcheii wrote:
> If kzalloc in gred_init returns a NULL pointer, the code follows the error handling path, invoking gred_destroy. This, in turn, calls gred_offload, where memset could receive a NULL pointer as input, potentially leading to a kernel crash.


Thanks for your patch.

Please add your Signed-off-by for your patch, which is a minimum
requirement here. You can check Linux kernel development process for
more details: https://docs.kernel.org/process/5.Posting.html#before-creating-patches

Also, ./scripts/checkpatch.pl could help you catch issues like this one,
it would save you and others a lot of time.

Lastly, if you saw a real crash, please include the kernel stack trace
in your patch description. There is a significant difference between a
real crash and a theoretical one.

Regards,
Cong
diff mbox series

Patch

diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
index ab6234b4fcd5..fa643e5709bd 100644
--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -317,10 +317,12 @@  static void gred_offload(struct Qdisc *sch, enum tc_gred_command command)
 	if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc)
 		return;
 
-	memset(opt, 0, sizeof(*opt));
-	opt->command = command;
-	opt->handle = sch->handle;
-	opt->parent = sch->parent;
+	if (opt) {
+		memset(opt, 0, sizeof(*opt));
+		opt->command = command;
+		opt->handle = sch->handle;
+		opt->parent = sch->parent;
+	}
 
 	if (command == TC_GRED_REPLACE) {
 		unsigned int i;