If qdisc_create_dflt() fails, it returns NULL. With CONFIG_NET_SCHED enabled, the check qdisc != &noop_qdisc passes and qdisc will be passed to qdisc_hash_add(), which dereferences it.
This assignment was present in the upstream commit 5891cd5ec46c2 ("net_sched: add __rcu annotation to netdev->qdisc") but was missed in the backport 22d95b5449249 ("net_sched: add __rcu annotation to netdev->qdisc"), perhaps due to merge conflicts. dev->qdisc is &noop_qdisc by default and if qdisc_create_dflt() fails, this assignment will make sure qdisc == &noop_qdisc and no NULL dereference will take place.
This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.
Fixes: 22d95b5449249 ("net_sched: add __rcu annotation to netdev->qdisc") Signed-off-by: Pratyush Yadav ptyadav@amazon.de ---
As usual, this was found by our static code analysis bot. I have compile-tested this patch and ran a simple boot test. Did not do any testing specifically to hit this bug.
net/sched/sch_generic.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c index 1f055c21be4cf..4250f3cf30e72 100644 --- a/net/sched/sch_generic.c +++ b/net/sched/sch_generic.c @@ -1116,6 +1116,7 @@ static void attach_default_qdiscs(struct net_device *dev) qdisc->ops->attach(qdisc); } } + qdisc = rtnl_dereference(dev->qdisc);
#ifdef CONFIG_NET_SCHED if (qdisc != &noop_qdisc) -- 2.39.2