net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

syzbot reported a crash in tc_act_in_hw() during netns teardown where
tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action
pointer, leading to an invalid dereference.

Guard against ERR_PTR entries when iterating the action IDR so teardown
does not call tc_act_in_hw() on an error pointer.

Fixes: 84a7d6797e6a ("net/sched: acp_api: no longer acquire RTNL in tc_action_net_exit()")
Link: https://syzkaller.appspot.com/bug?extid=8f1c492ffa4644ff3826
Reported-by: syzbot+8f1c492ffa4644ff3826@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8f1c492ffa4644ff3826
Signed-off-by: Shivani Gupta <shivani07g@gmail.com>
Link: https://patch.msgid.link/20260105005905.243423-1-shivani07g@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Shivani Gupta and committed by

Jakub Kicinski 3 months ago adb25a46 13ff3e72

1 changed file

expand all

net

sched

act_api.c

net/sched/act_api.c

··· 940 940 int ret; 941 941 942 942 idr_for_each_entry_ul(idr, p, tmp, id) { 943 + if (IS_ERR(p)) 944 + continue; 943 945 if (tc_act_in_hw(p) && !mutex_taken) { 944 946 rtnl_lock(); 945 947 mutex_taken = true;