From: Cong Wang <xiyou.wangc...@gmail.com> [ Upstream commit 6efb971ba8edfbd80b666f29de12882852f095ae ]
When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL pointer which leads to a crash in sfb_destroy(). Similar for sch_dsmark. Instead of fixing each separately, Linus suggested to just accept NULL pointer in qdisc_put(), which would make callers easier. (For sch_dsmark, the bug probably exists long before commit 6529eaba33f0.) Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure") Reported-by: syzbot+d5870a903591faaca...@syzkaller.appspotmail.com Suggested-by: Linus Torvalds <torva...@linux-foundation.org> Cc: Jamal Hadi Salim <j...@mojatatu.com> Cc: Jiri Pirko <j...@resnulli.us> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com> Acked-by: Jiri Pirko <j...@mellanox.com> Signed-off-by: David S. Miller <da...@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> --- net/sched/sch_generic.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/sched/sch_generic.c +++ b/net/sched/sch_generic.c @@ -985,6 +985,9 @@ static void qdisc_destroy(struct Qdisc * void qdisc_put(struct Qdisc *qdisc) { + if (!qdisc) + return; + if (qdisc->flags & TCQ_F_BUILTIN || !refcount_dec_and_test(&qdisc->refcnt)) return;