When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL pointer which leads to a crash in sfb_destroy().
Linus suggested three solutions for this problem; the simplest fix is just moving the noop_qdisc assignment before tcf_block_get() so that qdisc_put() would become a nop.

Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
Reported-by: syzbot+d5870a903591faaca...@syzkaller.appspotmail.com
Suggested-by: Linus Torvalds <torva...@linux-foundation.org>
Cc: Jamal Hadi Salim <j...@mojatatu.com>
Cc: Jiri Pirko <j...@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
--- net/sched/sch_sfb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c index 1dff8506a715..db1c8eb521a2 100644 --- a/net/sched/sch_sfb.c +++ b/net/sched/sch_sfb.c @@ -552,11 +552,11 @@ static int sfb_init(struct Qdisc *sch, struct nlattr *opt, struct sfb_sched_data *q = qdisc_priv(sch); int err; + q->qdisc = &noop_qdisc; + err = tcf_block_get(&q->block, &q->filter_list, sch, extack); if (err) return err; - - q->qdisc = &noop_qdisc; return sfb_change(sch, opt, extack); } -- 2.21.0
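
Review bot: The moved `q->qdisc = &noop_qdisc;` at the top of sfb_init() now carries an ordering requirement that nothing in the code records: it must sit above the `if (err) return err;` that follows tcf_block_get(), because the commit message says sfb_destroy() runs after that failure and the fix depends on qdisc_put() being a nop for noop_qdisc. Please add a short comment above the assignment stating that it has to precede every failing return in sfb_init(), so a later cleanup does not move it back next to the sfb_change() call. Since the message mentions that three solutions were suggested, it would also help to say in one sentence why this ordering fix was preferred over the alternatives, for anyone who later hits the same pattern in another init path.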