sched: address a potential NULL pointer dereference in the GRED scheduler.

Jun Yang · kuba-moo · commit 115ef44a9822 · 2025-03-06T16:35:14.000-08:00
If kzalloc in gred_init returns a NULL pointer, the code follows the error handling path, invoking gred_destroy. This, in turn, calls gred_offload, where memset could receive a NULL pointer as input, potentially leading to a kernel crash. When table->opt is NULL in gred_init(), gred_change_table_def() is not called yet, so it is not necessary to call ->ndo_setup_tc() in gred_offload(). Signed-off-by: Jun Yang <juny24602@gmail.com> Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com> Fixes: f25c051 ("net: sched: gred: dynamically allocate tc_gred_qopt_offload") Link: https://patch.msgid.link/20250305154410.3505642-1-juny24602@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
@@ -913,7 +913,8 @@ static void gred_destroy(struct Qdisc *sch)
 	for (i = 0; i < table->DPs; i++)
 		gred_destroy_vq(table->tab[i]);
 
-	gred_offload(sch, TC_GRED_DESTROY);
+	if (table->opt)
+		gred_offload(sch, TC_GRED_DESTROY);
 	kfree(table->opt);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -913,7 +913,8 @@ static void gred_destroy(struct Qdisc *sch)`
`913`	`913`	`for (i = 0; i < table->DPs; i++)`
`914`	`914`	`gred_destroy_vq(table->tab[i]);`
`915`	`915`
`916`		`- gred_offload(sch, TC_GRED_DESTROY);`
	`916`	`+ if (table->opt)`
	`917`	`+ gred_offload(sch, TC_GRED_DESTROY);`
`917`	`918`	`kfree(table->opt);`
`918`	`919`	`}`
`919`	`920`