Commit adb25a46 authored Jan 05, 2026 by Shivani Gupta Committed by Jakub Kicinski Jan 06, 2026

net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy

syzbot reported a crash in tc_act_in_hw() during netns teardown where
tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action
pointer, leading to an invalid dereference.

Guard against ERR_PTR entries when iterating the action IDR so teardown
does not call tc_act_in_hw() on an error pointer.

Fixes: 84a7d679 ("net/sched: acp_api: no longer acquire RTNL in tc_action_net_exit()")
Link: https://syzkaller.appspot.com/bug?extid=8f1c492ffa4644ff3826

Reported-by: <syzbot+8f1c492ffa4644ff3826@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=8f1c492ffa4644ff3826

Signed-off-by: Shivani Gupta <shivani07g@gmail.com>
Link: https://patch.msgid.link/20260105005905.243423-1-shivani07g@gmail.com

Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 13ff3e72

net/sched/act_api.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -940,6 +940,8 @@ void tcf_idrinfo_destroy(const struct tc_action_ops *ops,
		int ret;

		idr_for_each_entry_ul(idr, p, tmp, id) {
		if (IS_ERR(p))
		continue;
		if (tc_act_in_hw(p) && !mutex_taken) {
		rtnl_lock();
		mutex_taken = true;