From: Amery Hung
Date: Fri, 2 May 2025 20:16:20 +0000 (-0700)
Subject: bpf: net_sched: Fix bpf qdisc init prologue when set as default qdisc
X-Git-Tag: v6.16-rc1~132^2~173^2^2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=659b3b2c488532140676affef036a1702fde6e32;p=thirdparty%2Flinux.git

bpf: net_sched: Fix bpf qdisc init prologue when set as default qdisc

Allow .init to proceed if qdisc_lookup() returns NULL as it only happens when called by qdisc_create_dflt() in mq/mqprio_init and the parent qdisc has not been added to qdisc_hash yet. In qdisc_create(), the caller, __tc_modify_qdisc(), would have made sure the parent qdisc already exists.

In addition, call qdisc_watchdog_init() whether .init succeeds or not to prevent null-pointer dereference. In qdisc_create() and qdisc_create_dflt(), if .init fails, .destroy will be called. As a result, the destroy epilogue could call qdisc_watchdog_cancel() with an uninitialized timer, causing null-pointer dereference in hrtimer_cancel().

Fixes: c8240344956e ("bpf: net_sched: Support implementation of Qdisc_ops in bpf")
Signed-off-by: Amery Hung
Signed-off-by: Martin KaFai Lau
---

diff --git a/net/sched/bpf_qdisc.c b/net/sched/bpf_qdisc.c index 9f32b305636fc..a8efc3ff2b7e4 100644 --- a/net/sched/bpf_qdisc.c +++ b/net/sched/bpf_qdisc.c @@ -234,18 +234,20 @@ __bpf_kfunc int bpf_qdisc_init_prologue(struct Qdisc *sch, struct net_device *dev = qdisc_dev(sch); struct Qdisc *p; + qdisc_watchdog_init(&q->watchdog, sch); + if (sch->parent != TC_H_ROOT) { + /* If qdisc_lookup() returns NULL, it means .init is called by + * qdisc_create_dflt() in mq/mqprio_init and the parent qdisc + * has not been added to qdisc_hash yet. + */ p = qdisc_lookup(dev, TC_H_MAJ(sch->parent)); - if (!p) - return -ENOENT; - - if (!(p->flags & TCQ_F_MQROOT)) { + if (p && !(p->flags & TCQ_F_MQROOT)) { NL_SET_ERR_MSG(extack, "BPF qdisc only supported on root or mq"); return -EINVAL; } } - qdisc_watchdog_init(&q->watchdog, sch); return 0; }
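
Review bot: in the new condition `if (p && !(p->flags & TCQ_F_MQROOT))`, a NULL return from qdisc_lookup() now skips the "root or mq" restriction entirely, so the check depends on an invariant that is enforced outside bpf_qdisc_init_prologue(). The added comment covers only the qdisc_create_dflt() case. Consider also stating there, as the commit message does, that on the qdisc_create() path __tc_modify_qdisc() has already made sure the parent exists, so a later change to either caller does not quietly allow a BPF qdisc under a non-mq parent. Separately, the relocated `qdisc_watchdog_init(&q->watchdog, sch);` at the top of the function carries no comment. A one-line note that it must run before any return, because .destroy calls qdisc_watchdog_cancel() after a failed .init, would keep it from being moved back below the checks.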