Commit 659b3b2c authored May 02, 2025 by Amery Hung Committed by Martin KaFai Lau May 02, 2025

bpf: net_sched: Fix bpf qdisc init prologue when set as default qdisc



Allow .init to proceed if qdisc_lookup() returns NULL as it only happens
when called by qdisc_create_dflt() in mq/mqprio_init and the parent qdisc
has not been added to qdisc_hash yet. In qdisc_create(), the caller,
__tc_modify_qdisc(), would have made sure the parent qdisc already exist.

In addition, call qdisc_watchdog_init() whether .init succeeds or not to
prevent null-pointer dereference. In qdisc_create() and
qdisc_create_dflt(), if .init fails, .destroy will be called. As a
result, the destroy epilogue could call qdisc_watchdog_cancel() with an
uninitialized timer, causing null-pointer deference in hrtimer_cancel().

Fixes: c8240344 ("bpf: net_sched: Support implementation of Qdisc_ops in bpf")
Signed-off-by: Amery Hung <ameryhung@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>

parent 1b1f563a

net/sched/bpf_qdisc.c

+7 −5

Original line number	Diff line number	Diff line
		@@ -234,18 +234,20 @@ __bpf_kfunc int bpf_qdisc_init_prologue(struct Qdisc *sch,
		struct net_device *dev = qdisc_dev(sch);
		struct Qdisc *p;

		qdisc_watchdog_init(&q->watchdog, sch);

		if (sch->parent != TC_H_ROOT) {
		/* If qdisc_lookup() returns NULL, it means .init is called by
		* qdisc_create_dflt() in mq/mqprio_init and the parent qdisc
		* has not been added to qdisc_hash yet.
		*/
		p = qdisc_lookup(dev, TC_H_MAJ(sch->parent));
		if (!p)
		return -ENOENT;

		if (!(p->flags & TCQ_F_MQROOT)) {
		if (p && !(p->flags & TCQ_F_MQROOT)) {
		NL_SET_ERR_MSG(extack, "BPF qdisc only supported on root or mq");
		return -EINVAL;
		}
		}

		qdisc_watchdog_init(&q->watchdog, sch);
		return 0;
		}