On 9/11/19 8:34 PM, Cong Wang wrote:
> When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL
> pointer which leads to a crash in sfb_destroy().
> 
> Linus suggested three solutions for this problem, the simplest fix
> is just moving the noop_qdisc assignment before tcf_block_get()
> so that qdisc_put() would become a nop.
> 
> Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
> Reported-by: syzbot+d5870a903591faaca...@syzkaller.appspotmail.com
> Suggested-by: Linus Torvalds <torva...@linux-foundation.org>
> Cc: Jamal Hadi Salim <j...@mojatatu.com>
> Cc: Jiri Pirko <j...@resnulli.us>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
> ---
>  net/sched/sch_sfb.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
> index 1dff8506a715..db1c8eb521a2 100644
> --- a/net/sched/sch_sfb.c
> +++ b/net/sched/sch_sfb.c
> @@ -552,11 +552,11 @@ static int sfb_init(struct Qdisc *sch, struct nlattr 
> *opt,
>       struct sfb_sched_data *q = qdisc_priv(sch);
>       int err;
>  
> +     q->qdisc = &noop_qdisc;
> +
>       err = tcf_block_get(&q->block, &q->filter_list, sch, extack);
>       if (err)
>               return err;
> -
> -     q->qdisc = &noop_qdisc;
>       return sfb_change(sch, opt, extack);
>  }
>  
> 
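
Review bot: The new `q->qdisc = &noop_qdisc;` at the top of sfb_init() carries an ordering requirement that nothing in the code states. It has to precede tcf_block_get() because, per the commit message, sfb_destroy() still runs after the `if (err) return err;` path and its qdisc_put() needs a non-NULL q->qdisc. A one-line comment above the assignment saying so would keep a later cleanup from moving it back below the call. Minor style point: the hunk also drops the blank line that separated the error check from `return sfb_change(sch, opt, extack);`, which could be kept.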

It seems a similar fix would be needed in net/sched/sch_dsmark.c?
