net_sched: properly check for empty skb array on error path

congwang · davem330 · commit 1df94c3c5dad · 2017-12-19T14:13:12.000-05:00
First, the check of &q->ring.queue against NULL is wrong, it is always false. We should check the value rather than the address. Secondly, we need the same check in pfifo_fast_reset() too, as both ->reset() and ->destroy() are called in qdisc_destroy(). Fixes: c5ad119 ("net: sched: pfifo_fast use skb_array") Reported-by: syzbot <syzkaller@googlegroups.com> Cc: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
@@ -659,6 +659,12 @@ static void pfifo_fast_reset(struct Qdisc *qdisc)
 		struct skb_array *q = band2list(priv, band);
 		struct sk_buff *skb;
 
+		/* NULL ring is possible if destroy path is due to a failed
+		 * skb_array_init() in pfifo_fast_init() case.
+		 */
+		if (!q->ring.queue)
+			continue;
+
 		while ((skb = skb_array_consume_bh(q)) != NULL)
 			kfree_skb(skb);
 	}
@@ -719,7 +725,7 @@ static void pfifo_fast_destroy(struct Qdisc *sch)
 		/* NULL ring is possible if destroy path is due to a failed
 		 * skb_array_init() in pfifo_fast_init() case.
 		 */
-		if (!&q->ring.queue)
+		if (!q->ring.queue)
 			continue;
 		/* Destroy ring but no need to kfree_skb because a call to
 		 * pfifo_fast_reset() has already done that work.
