The 'pfp' pointer could be null if the target filter can't be found.
Check 'pfp' pointer and fix this error path.
Signed-off-by: Li Qiong <liqiong@nfschina.com>
---
net/sched/cls_fw.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index a32351da968c..b898e4a81146 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -289,6 +289,12 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
if (pfp == f)
break;
+ if (!pfp) {
+ tcf_exts_destroy(&fnew->exts);
+ kfree(fnew);
+ return err;
+ }
+
RCU_INIT_POINTER(fnew->next, rtnl_dereference(pfp->next));
rcu_assign_pointer(*fp, fnew);
tcf_unbind_filter(tp, &f->res);
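Review bot: in the added `if (!pfp)` branch, `return err;` returns whatever `err` holds at that point, and nothing in the branch sets it to an error code, so this failure path can report success after `fnew` has been destroyed and freed. Assign an explicit errno in the branch before returning; the replies below settle on `-EINVAL`. The commit message should also say how the problem was found and carry a Fixes tag, since the change is presented as a fix for an error path.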
--
2.11.0
On Thu, Dec 01, 2022 at 11:15:32PM +0800, Li Qiong wrote:
> The 'pfp' pointer could be null if the target filter can't be found.
> Check 'pfp' pointer and fix this error path.

Did you see any actual kernel crash? And do you have a reproducer too?
Please include them if you do.

>
> Signed-off-by: Li Qiong <liqiong@nfschina.com>
> ---
> net/sched/cls_fw.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
> index a32351da968c..b898e4a81146 100644
> --- a/net/sched/cls_fw.c
> +++ b/net/sched/cls_fw.c
> @@ -289,6 +289,12 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
> if (pfp == f)
> break;
>
> + if (!pfp) {
> + tcf_exts_destroy(&fnew->exts);
> + kfree(fnew);
> + return err;

BTW, err is 0 here, you have to set some error here.

Thanks.
On 2022-12-04 03:46, Cong Wang wrote:
> On Thu, Dec 01, 2022 at 11:15:32PM +0800, Li Qiong wrote:
>> The 'pfp' pointer could be null if the target filter can't be found.
>> Check 'pfp' pointer and fix this error path.
> Did you see any actual kernel crash? And do you have a reproducer too?
> Please include them if you do.

Found this with the 'smatch' tool. I checked and found that it may be a real problem, with the risk of a NULL pointer. Like 'fw_delete()', it checks 'pfp' and 'pfp == f' too.

>
>> Signed-off-by: Li Qiong <liqiong@nfschina.com>
>> ---
>> net/sched/cls_fw.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
>> index a32351da968c..b898e4a81146 100644
>> --- a/net/sched/cls_fw.c
>> +++ b/net/sched/cls_fw.c
>> @@ -289,6 +289,12 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
>> if (pfp == f)
>> break;
>>
>> + if (!pfp) {
>> + tcf_exts_destroy(&fnew->exts);
>> + kfree(fnew);
>> + return err;
>
> BTW, err is 0 here, you have to set some error here.

You are right, it should return '-EINVAL' -- can't get the target filter.

>
> Thanks.
On Thu, 1 Dec 2022 23:15:32 +0800 Li Qiong wrote:
> The 'pfp' pointer could be null if the target filter can't be found.
> Check 'pfp' pointer and fix this error path.

Sounds like a fix, we need a Fixes tag.