lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260121131954.2710459-8-p@1g4.org>
Date: Wed, 21 Jan 2026 13:21:03 +0000
From: Paul Moses <p@....org>
To: netdev@...r.kernel.org
Cc: Jamal Hadi Salim <jhs@...atatu.com>, Cong Wang <xiyou.wangcong@...il.com>, Jiri Pirko <jiri@...nulli.us>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, linux-kernel@...r.kernel.org, Paul Moses <p@....org>, stable@...r.kernel.org
Subject: [PATCH net v3 7/7] net/sched: act_gate: guard NULL params in accessors

Guard NULL params in accessors/dump/timer paths to avoid crashes during
teardown or failed initialization. Other actions already guard params before
RCU cleanup (act_pedit, commit 52cf89f78c01bf; act_vlan, commits 4c5b9d9642c859
and 1edf8abe04090c), so act_gate should tolerate NULL in reader paths too.

Fixes: a51c328df310 ("net: qos: introduce a gate control flow action")
Signed-off-by: Paul Moses <p@....org>
Cc: stable@...r.kernel.org
---
 include/net/tc_act/tc_gate.h | 30 ++++++++++++++++++++----------
 net/sched/act_gate.c         | 13 ++++++++++++-
 2 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/include/net/tc_act/tc_gate.h b/include/net/tc_act/tc_gate.h
index 9587d9e9fa38f..8c3309b0dd779 100644
--- a/include/net/tc_act/tc_gate.h
+++ b/include/net/tc_act/tc_gate.h
@@ -54,12 +54,13 @@ struct tcf_gate {
 
 static inline s32 tcf_gate_prio(const struct tc_action *a)
 {
-	s32 tcfg_prio;
+	s32 tcfg_prio = 0;
 	struct tcf_gate_params *p;
 
 	rcu_read_lock();
 	p = rcu_dereference(to_gate(a)->param);
-	tcfg_prio = p->tcfg_priority;
+	if (p)
+		tcfg_prio = p->tcfg_priority;
 	rcu_read_unlock();
 
 	return tcfg_prio;
@@ -67,12 +68,13 @@ static inline s32 tcf_gate_prio(const struct tc_action *a)
 
 static inline u64 tcf_gate_basetime(const struct tc_action *a)
 {
-	u64 tcfg_basetime;
+	u64 tcfg_basetime = 0;
 	struct tcf_gate_params *p;
 
 	rcu_read_lock();
 	p = rcu_dereference(to_gate(a)->param);
-	tcfg_basetime = p->tcfg_basetime;
+	if (p)
+		tcfg_basetime = p->tcfg_basetime;
 	rcu_read_unlock();
 
 	return tcfg_basetime;
@@ -80,12 +82,13 @@ static inline u64 tcf_gate_basetime(const struct tc_action *a)
 
 static inline u64 tcf_gate_cycletime(const struct tc_action *a)
 {
-	u64 tcfg_cycletime;
+	u64 tcfg_cycletime = 0;
 	struct tcf_gate_params *p;
 
 	rcu_read_lock();
 	p = rcu_dereference(to_gate(a)->param);
-	tcfg_cycletime = p->tcfg_cycletime;
+	if (p)
+		tcfg_cycletime = p->tcfg_cycletime;
 	rcu_read_unlock();
 
 	return tcfg_cycletime;
@@ -93,12 +96,13 @@ static inline u64 tcf_gate_cycletime(const struct tc_action *a)
 
 static inline u64 tcf_gate_cycletimeext(const struct tc_action *a)
 {
-	u64 tcfg_cycletimeext;
+	u64 tcfg_cycletimeext = 0;
 	struct tcf_gate_params *p;
 
 	rcu_read_lock();
 	p = rcu_dereference(to_gate(a)->param);
-	tcfg_cycletimeext = p->tcfg_cycletime_ext;
+	if (p)
+		tcfg_cycletimeext = p->tcfg_cycletime_ext;
 	rcu_read_unlock();
 
 	return tcfg_cycletimeext;
@@ -106,12 +110,13 @@ static inline u64 tcf_gate_cycletimeext(const struct tc_action *a)
 
 static inline u32 tcf_gate_num_entries(const struct tc_action *a)
 {
-	u32 num_entries;
+	u32 num_entries = 0;
 	struct tcf_gate_params *p;
 
 	rcu_read_lock();
 	p = rcu_dereference(to_gate(a)->param);
-	num_entries = p->num_entries;
+	if (p)
+		num_entries = p->num_entries;
 	rcu_read_unlock();
 
 	return num_entries;
@@ -128,6 +133,11 @@ static inline struct action_gate_entry
 
 	rcu_read_lock();
 	p = rcu_dereference(to_gate(a)->param);
+	if (!p) {
+		rcu_read_unlock();
+		return NULL;
+	}
+
 	num_entries = p->num_entries;
 
 	list_for_each_entry(entry, &p->entries, list)
diff --git a/net/sched/act_gate.c b/net/sched/act_gate.c
index e4134b9a4a314..65b53cbf37e67 100644
--- a/net/sched/act_gate.c
+++ b/net/sched/act_gate.c
@@ -82,7 +82,11 @@ static enum hrtimer_restart gate_timer_func(struct hrtimer *timer)
 
 	p = rcu_dereference_protected(gact->param,
 				      lockdep_is_held(&gact->tcf_lock));
+	if (!p)
+		goto out_unlock;
 	next = gact->next_entry;
+	if (!next)
+		goto out_unlock;
 
 	/* cycle start, clear pending bit, clear total octets */
 	gact->current_gate_status = next->gate_state ? GATE_ACT_GATE_OPEN : 0;
@@ -119,6 +123,11 @@ static enum hrtimer_restart gate_timer_func(struct hrtimer *timer)
 	spin_unlock(&gact->tcf_lock);
 
 	return HRTIMER_RESTART;
+
+out_unlock:
+	spin_unlock(&gact->tcf_lock);
+
+	return HRTIMER_NORESTART;
 }
 
 TC_INDIRECT_SCOPE int tcf_gate_act(struct sk_buff *skb,
@@ -584,8 +593,8 @@ static void tcf_gate_cleanup(struct tc_action *a)
 	struct tcf_gate *gact = to_gate(a);
 	struct tcf_gate_params *p;
 
-	p = rcu_replace_pointer(gact->param, NULL, lockdep_rtnl_is_held());
 	hrtimer_cancel(&gact->hitimer);
+	p = rcu_replace_pointer(gact->param, NULL, lockdep_rtnl_is_held());
 	if (p)
 		call_rcu(&p->rcu, tcf_gate_params_free_rcu);
 }
@@ -643,6 +652,8 @@ static int tcf_gate_dump(struct sk_buff *skb, struct tc_action *a,
 
 	rcu_read_lock();
 	p = rcu_dereference(gact->param);
+	if (!p)
+		goto nla_put_failure_rcu;
 
 	if (nla_put_u64_64bit(skb, TCA_GATE_BASE_TIME,
 			      p->tcfg_basetime, TCA_GATE_PAD))
-- 
2.52.GIT

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ