From 659b3b2c488532140676affef036a1702fde6e32 Mon Sep 17 00:00:00 2001 From: Amery Hung Date: Fri, 2 May 2025 13:16:20 -0700 Subject: [PATCH] bpf: net_sched: Fix bpf qdisc init prologue when set as default qdisc Allow .init to proceed if qdisc_lookup() returns NULL as it only happens when called by qdisc_create_dflt() in mq/mqprio_init and the parent qdisc has not been added to qdisc_hash yet. In qdisc_create(), the caller, __tc_modify_qdisc(), would have made sure the parent qdisc already exist. In addition, call qdisc_watchdog_init() whether .init succeeds or not to prevent null-pointer dereference. In qdisc_create() and qdisc_create_dflt(), if .init fails, .destroy will be called. As a result, the destroy epilogue could call qdisc_watchdog_cancel() with an uninitialized timer, causing null-pointer deference in hrtimer_cancel(). Fixes: c8240344956e ("bpf: net_sched: Support implementation of Qdisc_ops in bpf") Signed-off-by: Amery Hung Signed-off-by: Martin KaFai Lau --- net/sched/bpf_qdisc.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/sched/bpf_qdisc.c b/net/sched/bpf_qdisc.c index 9f32b305636f..a8efc3ff2b7e 100644 --- a/net/sched/bpf_qdisc.c +++ b/net/sched/bpf_qdisc.c @@ -234,18 +234,20 @@ __bpf_kfunc int bpf_qdisc_init_prologue(struct Qdisc *sch, struct net_device *dev = qdisc_dev(sch); struct Qdisc *p; + qdisc_watchdog_init(&q->watchdog, sch); + if (sch->parent != TC_H_ROOT) { + /* If qdisc_lookup() returns NULL, it means .init is called by + * qdisc_create_dflt() in mq/mqprio_init and the parent qdisc + * has not been added to qdisc_hash yet. + */ p = qdisc_lookup(dev, TC_H_MAJ(sch->parent)); - if (!p) - return -ENOENT; - - if (!(p->flags & TCQ_F_MQROOT)) { + if (p && !(p->flags & TCQ_F_MQROOT)) { NL_SET_ERR_MSG(extack, "BPF qdisc only supported on root or mq"); return -EINVAL; } } - qdisc_watchdog_init(&q->watchdog, sch); return 0; } -- 2.50.1