[SRU][J][PATCH v1 0/1] net/sched: cls_api: fix error handling causing NULL dereference
Stav Aviram
saviram at nvidia.com
Thu Jun 19 17:38:47 UTC 2025
>From 0ae08f477df8fea6078bd5ba581d19f44973ba9c Mon Sep 17 00:00:00 2001
Message-Id: <cover.1750344948.git.saviram at nvidia.com>
From: Stav Aviram <saviram at nvidia.com>
Date: Thu, 19 Jun 2025 17:55:48 +0300
To: kernel-team at lists.ubuntu.com
Subject: [SRU][J][PATCH v1 0/1] net/sched: cls_api: fix error handling causing NULL dereference
BugLink: https://bugs.launchpad.net/bugs/2114965
SRU Justification:
[IMPACT]
tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can
return 1 if the allocation succeeded after wrapping. This was treated as
an error, with value 1 returned to caller tcf_exts_init_ex() which sets
exts->actions to NULL and returns 1 to caller fl_change().
fl_change() treats err == 1 as success, calling tcf_exts_validate_ex()
which calls tcf_action_init() with exts->actions as argument, where it
is dereferenced.
[FIX]
Cherry pick the fix commit from mainline:
071ed42cff4f net/sched: cls_api: fix error handling causing NULL dereference
This commit updates the failure check in
tcf_exts_miss_cookie_base_alloc() to treat err < 0 as an error, instead
of incorrectly treating err == 1 as a failure.
[TEST CASE]
Compile tested.
[Regression Potential]
A regression here is unlikely due to the very limited scope
of the patch.
Pierre Riteau (1):
net/sched: cls_api: fix error handling causing NULL dereference
net/sched/cls_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.34.1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250619/c93b0f1e/attachment.html>
More information about the kernel-team
mailing list