[SRU][J:linux-bluefield][PATCH v1 1/1] UBUNTU: SAUCE: net/sched: cls_api: Add defensive actions pointer check
Stav Aviram
saviram at nvidia.com
Mon Jul 7 07:35:36 UTC 2025
BugLink: https://bugs.launchpad.net/bugs/2109993

Fix a kernel crash in tcf_action_init() that occurs when attempting to
store an action pointer into the actions array:

  actions[i - 1] = act;

The crash stack shows:

  tcf_action_init+0x200/0x340
  tcf_exts_validate+0x16c/0x184
  fl_set_parms+0x6c/0x5f0 [cls_flower]
  fl_change+0x3a0/0xc2c [cls_flower]
  tc_new_tfilter+0x2f4/0x8bc
  rtnetlink_rcv_msg+0x2e8/0x3c4

Root cause analysis indicates that the actions pointer is NULL, invalid,
or uninitialized when this line is reached. While this shouldn't occur
in normal program flows, it appears the pointer may be getting corrupted
due to invalid input from user-space or a potential race condition.

Add a defensive NULL check before accessing the actions pointer to
prevent the kernel crash. Return -EINVAL if the actions pointer is
found to be NULL, which provides a graceful failure path instead of
a system crash.

Signed-off-by: Stav Aviram <saviram at nvidia.com>
---
net/sched/act_api.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 0b4deb33bdf7..862f30ae5a35 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -1133,6 +1133,13 @@ int tcf_action_init(struct net *net, struct tcf_proto *tp, struct nlattr *nla,
err = PTR_ERR(act);
goto err;
}
+
+ /* Defensive check: ensure 'actions' is valid */
+ if (!actions) {
+ err = -EINVAL;
+ goto err;
+ }
+
sz += tcf_action_fill_size(act);
/* Start from index 0 */
actions[i - 1] = act;
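
Review bot: The `if (!actions)` test is placed after `act` has already passed the `PTR_ERR(act)` error branch and before `actions[i - 1] = act;`, so when it fires the newly created `act` has not been stored in the array, and unless the `err` path (not visible in this hunk) releases it separately, that action is left without an owner. Testing `actions` once at the top of tcf_action_init(), before any action is created, avoids this and keeps the test out of the indexed store path. The check also covers only the NULL case, while the commit message lists an invalid or uninitialized pointer as equally possible, so a non-NULL bad pointer still reaches the store. Because the root cause is not identified, consider wrapping the condition as `WARN_ON_ONCE(!actions)` so the offending caller is reported instead of being turned silently into -EINVAL.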
--
2.34.1