NACK: [SRU][J][PATCH v1 0/1] net/sched: cls_api: fix error handling causing NULL dereference
Thibault Ferrante
thibault.ferrante at canonical.com
Tue Aug 5 11:55:54 UTC 2025
Incorrect threading let's this thread stays opens on some tooling,
putting correct closure.
On 19/06/2025 19:38, Stav Aviram wrote:
> From 0ae08f477df8fea6078bd5ba581d19f44973ba9c Mon Sep 17 00:00:00 2001
> Message-Id: <cover.1750344948.git.saviram at nvidia.com>
> From: Stav Aviram <saviram at nvidia.com>
> Date: Thu, 19 Jun 2025 17:55:48 +0300
> To: kernel-team at lists.ubuntu.com
> Subject: [SRU][J][PATCH v1 0/1] net/sched: cls_api: fix error handling causing NULL dereference
>
> BugLink: https://bugs.launchpad.net/bugs/2114965
>
> SRU Justification:
>
> [IMPACT]
> tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can
> return 1 if the allocation succeeded after wrapping. This was treated as
> an error, with value 1 returned to caller tcf_exts_init_ex() which sets
> exts->actions to NULL and returns 1 to caller fl_change().
> fl_change() treats err == 1 as success, calling tcf_exts_validate_ex()
> which calls tcf_action_init() with exts->actions as argument, where it
> is dereferenced.
> [FIX]
> Cherry pick the fix commit from mainline:
> 071ed42cff4f net/sched: cls_api: fix error handling causing NULL dereference
> This commit updates the failure check in
> tcf_exts_miss_cookie_base_alloc() to treat err < 0 as an error, instead
> of incorrectly treating err == 1 as a failure.
> [TEST CASE]
> Compile tested.
> [Regression Potential]
> A regression here is unlikely due to the very limited scope
> of the patch.
>
> Pierre Riteau (1):
> net/sched: cls_api: fix error handling causing NULL dereference
>
> net/sched/cls_api.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.34.1
>
More information about the kernel-team
mailing list