net: sched: Fix a possible null-pointer dereference in dequeue_func() [Linux 4.9.189]

This Linux kernel change, "net: sched: Fix a possible null-pointer dereference in dequeue_func()", is included in the Linux 4.9.189 release. It was authored by Jia-Ju Bai <baijiaju1990 [at] gmail.com> on Mon Jul 29 16:24:33 2019 +0800. The commit for this change in the Linux stable tree is 4c6f0d6, which is a backport of upstream commit 051c7b3. The same upstream change may have been applied to other maintained Linux releases.

net: sched: Fix a possible null-pointer dereference in dequeue_func()

[ Upstream commit 051c7b39be4a91f6b7d8c4548444e4b850f1f56c ]

In dequeue_func(), there is an if statement on line 74 to check whether
skb is NULL:
    if (skb)

When skb is NULL, it is used on line 77:
    prefetch(&skb->end);

Thus, a possible null-pointer dereference may occur.

To fix this bug, skb->end is used when skb is not NULL.

This bug is found by a static analysis tool STCheck written by us.

Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
Signed-off-by: Jia-Ju Bai <[email protected]>
Reviewed-by: Jiri Pirko <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

This change adds or deletes 6 lines of Linux source code. The code changes to the Linux kernel are as follows.

 net/sched/sch_codel.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
index 5bfa79e..17a0838 100644
--- a/net/sched/sch_codel.c
+++ b/net/sched/sch_codel.c
@@ -71,10 +71,10 @@ static struct sk_buff *dequeue_func(struct codel_vars *vars, void *ctx)
    struct Qdisc *sch = ctx;
    struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);

-   if (skb)
+   if (skb) {
        sch->qstats.backlog -= qdisc_pkt_len(skb);
-
-   prefetch(&skb->end); /* we'll need skb_shinfo() */
+       prefetch(&skb->end); /* we'll need skb_shinfo() */
+   }
    return skb;
 }
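
Review bot: the changelog's "null-pointer dereference" overstates what the removed line `prefetch(&skb->end);` shows. With skb NULL, that line forms the address of a member from a NULL pointer and passes it to prefetch(); no load through skb is visible in this hunk. Moving it inside `if (skb) {` is still the right change, since both uses of skb now sit behind the same check, but the commit message would help stable maintainers gauge urgency if it said whether a fault was ever observed or only reported by the static analysis tool. Style point: the hunk drops the blank line that used to separate the conditional from what follows, so the closing `}` now runs straight into `return skb;`; keeping one blank line before the return would preserve that separation.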
