APPLIED: [SRU][J:linux-bluefield][PATCH v1 0/1] UBUNTU: SAUCE: net/sched: cls_api: Add defensive actions pointer check

Thu Jul 17 06:26:05 UTC 2025

On 7.07.2025 09:35, Stav Aviram wrote:
> BugLink: https://bugs.launchpad.net/bugs/2109993
>
> SRU Justification:
>
> [IMPACT]
> Kernel crashes occur in tcf_action_init() at the line "actions[i - 1] = act;"
> when the actions pointer is NULL or invalid. Analysis shows that while
> normal program flows shouldn't reach this line with a NULL actions pointer,
> it appears to be getting corrupted due to invalid Netlink Attribute (NLA)
> sent by a user-space application or race conditions. The crash has been
> observed on BF3 systems.
>
> [FIX]
> Add a defensive NULL check before accessing the actions pointer in
> tcf_action_init(). Return -EINVAL if the pointer is NULL instead of
> crashing the kernel.
>
> [TEST CASE]
> Compile tested.
> This issue is hard to reproduce, but when it reproduces we'd expect to
> see the -EINVAL error.
>
> [Regression Potential]
> Very low risk. The patch only adds a NULL check that returns an error
> in a case that would previously cause a kernel crash. No existing logic
> paths are modified.
>
> Stav Aviram (1):
>    UBUNTU: SAUCE: net/sched: cls_api: Add defensive actions pointer check
>
>   net/sched/act_api.c | 7 +++++++
>   1 file changed, 7 insertions(+)
>
Applied-by: Kuba Pawlak <kuba.pawlak at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x216A9D7E3B63DCB4.asc
Type: application/pgp-keys
Size: 3139 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250717/06b3f316/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250717/06b3f316/attachment-0001.sig>