From: Chelsy Ratnawat
To: stable@vger.kernel.org
Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, kuba@kernel.org, edumazet@google.com, linux-kernel@vger.kernel.org, syzbot+f3a497f02c389d86ef16@syzkaller.appspotmail.com, Chelsy Ratnawat
Subject: [PATCH 6.6.y] net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
Date: Sat, 21 Mar 2026 02:55:39 -0700
Message-ID: <20260321095539.239506-1-chelsyratnawat2001@gmail.com>
X-Mailer: git-send-email 2.43.0
From: Eric Dumazet

[Upstream commit 4fe5a00ec70717a7f1002d8913ec6143582b3c8e]

syzbot reported that tcf_get_base_ptr() can be called while transport
header is not set [1].

Instead of returning a dangling pointer, return NULL.

Fix tcf_get_base_ptr() callers to handle this NULL value.

[1]
WARNING: CPU: 1 PID: 6019 at ./include/linux/skbuff.h:3071 skb_transport_header include/linux/skbuff.h:3071 [inline]
WARNING: CPU: 1 PID: 6019 at ./include/linux/skbuff.h:3071 tcf_get_base_ptr include/net/pkt_cls.h:539 [inline]
WARNING: CPU: 1 PID: 6019 at ./include/linux/skbuff.h:3071 em_nbyte_match+0x2d8/0x3f0 net/sched/em_nbyte.c:43
Modules linked in:
CPU: 1 UID: 0 PID: 6019 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
 tcf_em_match net/sched/ematch.c:494 [inline]
 __tcf_em_tree_match+0x1ac/0x770 net/sched/ematch.c:520
 tcf_em_tree_match include/net/pkt_cls.h:512 [inline]
 basic_classify+0x115/0x2d0 net/sched/cls_basic.c:50
 tc_classify include/net/tc_wrapper.h:197 [inline]
 __tcf_classify net/sched/cls_api.c:1764 [inline]
 tcf_classify+0x4cf/0x1140 net/sched/cls_api.c:1860
 multiq_classify net/sched/sch_multiq.c:39 [inline]
 multiq_enqueue+0xfd/0x4c0 net/sched/sch_multiq.c:66
 dev_qdisc_enqueue+0x4e/0x260 net/core/dev.c:4118
 __dev_xmit_skb net/core/dev.c:4214 [inline]
 __dev_queue_xmit+0xe83/0x3b50 net/core/dev.c:4729
 packet_snd net/packet/af_packet.c:3076 [inline]
 packet_sendmsg+0x3e33/0x5080 net/packet/af_packet.c:3108
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 ____sys_sendmsg+0x505/0x830 net/socket.c:2630

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+f3a497f02c389d86ef16@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6920855a.a70a0220.2ea503.0058.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet
Reviewed-by: Jamal Hadi Salim
Link: https://patch.msgid.link/20251121154100.1616228-1-edumazet@google.com
Signed-off-by: Jakub Kicinski (cherry picked from commit 4fe5a00ec70717a7f1002d8913ec6143582b3c8e) Signed-off-by: Chelsy Ratnawat --- include/net/pkt_cls.h | 2 ++ net/sched/em_cmp.c | 5 ++++- net/sched/em_nbyte.c | 2 ++ net/sched/em_text.c | 11 +++++++++-- 4 files changed, 17 insertions(+), 3 deletions(-) diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h index f308e8268651..ccc1c698ed00 100644 --- a/include/net/pkt_cls.h +++ b/include/net/pkt_cls.h @@ -525,6 +525,8 @@ static inline unsigned char * tcf_get_base_ptr(struct s= k_buff *skb, int layer) case TCF_LAYER_NETWORK: return skb_network_header(skb); case TCF_LAYER_TRANSPORT: + if (!skb_transport_header_was_set(skb)) + break; return skb_transport_header(skb); } =20 diff --git a/net/sched/em_cmp.c b/net/sched/em_cmp.c index f17b049ea530..71ce113f2d08 100644 --- a/net/sched/em_cmp.c +++ b/net/sched/em_cmp.c @@ -22,9 +22,12 @@ static int em_cmp_match(struct sk_buff *skb, struct tcf_= ematch *em, struct tcf_pkt_info *info) { struct tcf_em_cmp *cmp =3D (struct tcf_em_cmp *) em->data; - unsigned char *ptr =3D tcf_get_base_ptr(skb, cmp->layer) + cmp->off; + unsigned char *ptr =3D tcf_get_base_ptr(skb, cmp->layer); u32 val =3D 0; =20 + if (!ptr) + return 0; + ptr +=3D cmp->off; if (!tcf_valid_offset(skb, ptr, cmp->align)) return 0; =20 diff --git a/net/sched/em_nbyte.c b/net/sched/em_nbyte.c index a83b237cbeb0..2e3c1d58d456 100644 --- a/net/sched/em_nbyte.c +++ b/net/sched/em_nbyte.c @@ -42,6 +42,8 @@ static int em_nbyte_match(struct sk_buff *skb, struct tcf= _ematch *em, struct nbyte_data *nbyte =3D (struct nbyte_data *) em->data; unsigned char *ptr =3D tcf_get_base_ptr(skb, nbyte->hdr.layer); =20 + if (!ptr) + return 0; ptr +=3D nbyte->hdr.off; =20 if (!tcf_valid_offset(skb, ptr, nbyte->hdr.len)) diff --git a/net/sched/em_text.c b/net/sched/em_text.c index f176afb70559..32aae8a9deda 100644 --- a/net/sched/em_text.c +++ b/net/sched/em_text.c 
@@ -29,12 +29,19 @@ static int em_text_match(struct sk_buff *skb, struct tc= f_ematch *m, struct tcf_pkt_info *info) { struct text_match *tm =3D EM_TEXT_PRIV(m); + unsigned char *ptr; int from, to; =20 - from =3D tcf_get_base_ptr(skb, tm->from_layer) - skb->data; + ptr =3D tcf_get_base_ptr(skb, tm->from_layer); + if (!ptr) + return 0; + from =3D ptr - skb->data; from +=3D tm->from_offset; =20 - to =3D tcf_get_base_ptr(skb, tm->to_layer) - skb->data; + ptr =3D tcf_get_base_ptr(skb, tm->to_layer); + if (!ptr) + return 0; + to =3D ptr - skb->data; to +=3D tm->to_offset; =20 return skb_find_text(skb, from, to, tm->config) !=3D UINT_MAX; --=20 2.43.0
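Review bot: in the include/net/pkt_cls.h hunk, the new `break` in the TCF_LAYER_TRANSPORT case only turns into a NULL return if the code after the switch returns NULL, and that line is outside the hunk's context; confirm it in the 6.6.y tree before merging, because all three caller hunks in this patch rely on that contract. Scope looks right: the commit message ties the warning specifically to skb_transport_header(), and the TCF_LAYER_NETWORK case visible above the change keeps returning skb_network_header() unconditionally as upstream does. A one-line comment above `if (!skb_transport_header_was_set(skb))` saying the unset case yields NULL would spare the next caller author from reading the callers to learn the rule.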
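Review bot: in the net/sched/em_cmp.c hunk, the NULL check correctly precedes `ptr += cmp->off;`, since adding the offset first would have rebuilt the same out-of-packet pointer the patch removes; note that `return 0` makes a `cmp` ematch against the transport layer silently fail to match on a packet with no transport header rather than report an error. That is consistent with the em_nbyte and em_text hunks, but a reader of em_cmp.c alone will not guess it, so a short comment on the `if (!ptr)` line ("no transport header: no match") is worth adding.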
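Review bot: style point in the net/sched/em_nbyte.c hunk: the added `if (!ptr) return 0;` runs straight into `ptr += nbyte->hdr.off;` with no blank line, while the em_cmp.c hunk in the same patch separates the same check from the offset addition; keeping the two hunks laid out alike makes the backport easier to diff against the upstream commit. The logic is fine: the check comes before the offset is applied and the existing tcf_valid_offset() call still bounds ptr plus nbyte->hdr.len.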
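Review bot: in the net/sched/em_text.c hunk, the second early `return 0` means a text match whose to_layer is TCF_LAYER_TRANSPORT never matches on a packet without a transport header, even when from_layer is a link or network layer that is present; that is the same no-match semantics as em_cmp and em_nbyte, but here either of two lookups can trigger it, so a one-line comment at the first `if (!ptr)` stating that either endpoint being unavailable yields no match would stop a reader from wondering whether the `to` case should clamp to the end of the packet instead. Reusing one `ptr` local for both lookups is fine; `from` and `to` staying `int` while holding a pointer difference is pre-existing and not this patch's problem.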
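As an added example, not kernel code and not part of this patch: a small userspace C model of what the commit message describes. It reproduces the pre-fix tcf_get_base_ptr() that computes head plus offset even when the transport offset is unset, the post-fix version that returns NULL in that case, and an em_nbyte-style caller that treats NULL as "no match" and still bounds-checks the offset. The skb struct, the 14/34-byte header offsets, the simplified tcf_valid_offset() and the packet bytes are constructed for the demo; only the all-ones sentinel for an unset header offset and the NULL-return contract mirror the kernel.

```c
/* Added example, not kernel code: userspace model of the tcf_get_base_ptr()
 * bug and fix. struct model_skb, the packet and the offsets are constructed;
 * the ~0 "unset offset" sentinel is the kernel's own convention. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SKB_HDR_UNSET ((uint16_t)~0U)   /* header offset never set */

enum { TCF_LAYER_LINK = 0, TCF_LAYER_NETWORK = 1, TCF_LAYER_TRANSPORT = 2 };

struct model_skb {
	unsigned char *head;       /* start of the buffer */
	unsigned char *data;       /* first byte of packet data */
	size_t len;                /* packet bytes starting at data */
	uint16_t network_header;   /* offsets from head */
	uint16_t transport_header;
};

/* Pre-fix behaviour: head + offset is formed even when the offset is unset,
 * which for an unset transport header lands ~64 KiB past the buffer. */
unsigned char *tcf_get_base_ptr_old(struct model_skb *skb, int layer)
{
	switch (layer) {
	case TCF_LAYER_LINK:      return skb->data;
	case TCF_LAYER_NETWORK:   return skb->head + skb->network_header;
	case TCF_LAYER_TRANSPORT: return skb->head + skb->transport_header;
	}
	return NULL;
}

/* Post-fix behaviour, as in the pkt_cls.h hunk: NULL when the header is unset. */
unsigned char *tcf_get_base_ptr_fixed(struct model_skb *skb, int layer)
{
	switch (layer) {
	case TCF_LAYER_LINK:      return skb->data;
	case TCF_LAYER_NETWORK:   return skb->head + skb->network_header;
	case TCF_LAYER_TRANSPORT:
		if (skb->transport_header == SKB_HDR_UNSET)   /* was_set() check */
			break;
		return skb->head + skb->transport_header;
	}
	return NULL;
}

/* Simplified tcf_valid_offset(): [ptr, ptr+len) must lie inside the packet. */
static int tcf_valid_offset(const struct model_skb *skb, const unsigned char *ptr, int len)
{
	return ptr >= skb->head && ptr + len <= skb->data + skb->len;
}

/* em_nbyte-style matcher on top of the fixed helper: 1 = match, 0 = no match. */
int nbyte_match(struct model_skb *skb, int layer, int off, const unsigned char *needle, int len)
{
	unsigned char *ptr = tcf_get_base_ptr_fixed(skb, layer);

	if (!ptr)            /* no transport header: no match, no dangling pointer */
		return 0;
	ptr += off;
	if (!tcf_valid_offset(skb, ptr, len))
		return 0;
	return memcmp(ptr, needle, len) == 0;
}

/* Constructed packet: 14-byte Ethernet + 20-byte IPv4 + 8-byte UDP (dport 53). */
static void build_skb(struct model_skb *skb, unsigned char *buf, size_t bufsz, int set_transport)
{
	static const unsigned char pkt[42] = {
		0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01, 0x08,0x00,   /* eth */
		0x45,0,0,0x1c, 0,0x01,0,0, 0x40,0x11,0,0, 10,0,0,1, 10,0,0,2,  /* ipv4 */
		0x04,0xd2, 0x00,0x35, 0x00,0x08, 0,0,                          /* udp */
	};
	memset(buf, 0, bufsz);
	memcpy(buf, pkt, sizeof pkt);
	skb->head = skb->data = buf;
	skb->len = sizeof pkt;
	skb->network_header = 14;
	/* A raw AF_PACKET send, the path in the syzbot trace, leaves this unset. */
	skb->transport_header = set_transport ? 34 : SKB_HDR_UNSET;
}

/* 1 if the old helper returns a transport pointer outside the packet. */
int old_ptr_dangles(int set_transport)
{
	unsigned char buf[128];
	struct model_skb skb;
	uintptr_t p;

	build_skb(&skb, buf, sizeof buf, set_transport);
	p = (uintptr_t)tcf_get_base_ptr_old(&skb, TCF_LAYER_TRANSPORT);
	return p < (uintptr_t)skb.head || p >= (uintptr_t)(skb.data + skb.len);
}

/* 1 if the fixed matcher finds UDP dport 53 at transport offset 'off'. */
int fixed_match_dport53(int set_transport, int off)
{
	static const unsigned char dport53[2] = { 0x00, 0x35 };
	unsigned char buf[128];
	struct model_skb skb;

	build_skb(&skb, buf, sizeof buf, set_transport);
	return nbyte_match(&skb, TCF_LAYER_TRANSPORT, off, dport53, 2);
}
```

Calling old_ptr_dangles(0) returns 1 and fixed_match_dport53(0, 2) returns 0: with the transport header unset, the old helper yields a pointer far past the packet while the fixed path declines to match. With set_transport=1, old_ptr_dangles(1) is 0 and fixed_match_dport53(1, 2) is 1 because the two bytes at transport offset 2 are the UDP destination port 53; an offset that runs past the packet end, such as fixed_match_dport53(1, 8), is still rejected by the bounds check, showing the NULL check complements rather than replaces tcf_valid_offset().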