In the Linux kernel, the following vulnerability has been resolved:
net: sched: sfb: fix null pointer access issue when sfb_init() fails
When the default qdisc is sfb, if the qdisc of dev_queue fails to be
inited during mqprio_init(), sfb_reset() is invoked to clear resources.
In this case, the q->qdisc is NULL, and it will cause a gpf issue.
The process is as follows:
qdisc_create_dflt()
    sfb_init()
        tcf_block_get()   --->failed, q->qdisc is NULL
    ...
    qdisc_put()
        ...
        sfb_reset()
            qdisc_reset(q->qdisc)  --->q->qdisc is NULL
                ops = qdisc->ops
The following is the Call Trace information:
general protection fault, probably for non-canonical address
0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
RIP: 0010:qdisc_reset+0x2b/0x6f0
Call Trace:
<TASK>
sfb_reset+0x37/0xd0
qdisc_reset+0xed/0x6f0
qdisc_destroy+0x82/0x4c0
qdisc_put+0x9e/0xb0
qdisc_create_dflt+0x2c3/0x4a0
mqprio_init+0xa71/0x1760
qdisc_create+0x3eb/0x1000
tc_modify_qdisc+0x408/0x1720
rtnetlink_rcv_msg+0x38e/0xac0
netlink_rcv_skb+0x12d/0x3a0
netlink_unicast+0x4a2/0x740
netlink_sendmsg+0x826/0xcc0
sock_sendmsg+0xc5/0x100
____sys_sendmsg+0x583/0x690
___sys_sendmsg+0xe8/0x160
__sys_sendmsg+0xbf/0x160
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f2164122d04
</TASK>
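The failure path described above, modelled in user space as an added example (not the kernel's code): a simplified Qdisc with an sfb-like parent whose init() can fail before attaching its child, followed by the same reset-on-teardown that qdisc_put() performs. The struct layouts, the fault injector fail_block_get and the helper create_then_teardown() are assumptions of this model; the point carried over from the fix is that a reset callback must tolerate a private area that init() never finished filling in.

```c
#include <stdlib.h>

struct Qdisc;
struct Qdisc_ops {
    int  (*init)(struct Qdisc *sch);
    void (*reset)(struct Qdisc *sch);
};
struct Qdisc {
    const struct Qdisc_ops *ops;
    struct Qdisc *child;      /* stands in for sfb_sched_data::qdisc */
};

static int fail_block_get;    /* constructed fault injector: "tcf_block_get() failed" */
static int child_resets;      /* counts child resets that actually ran */

static void fifo_reset(struct Qdisc *sch) { (void)sch; child_resets++; }
static const struct Qdisc_ops fifo_ops = { NULL, fifo_reset };

static void qdisc_reset(struct Qdisc *sch)
{
    const struct Qdisc_ops *ops = sch->ops;   /* faults when sch == NULL, as in the trace */
    if (ops->reset)
        ops->reset(sch);
}

/* The unfixed shape was simply qdisc_reset(sch->child), trusting that init()
 * completed. Teardown runs this callback even when init() failed early, so the
 * child pointer has to be checked first. */
static void sfb_reset(struct Qdisc *sch)
{
    if (sch->child)
        qdisc_reset(sch->child);
}

static int sfb_init(struct Qdisc *sch)
{
    if (fail_block_get)          /* early failure: child is never attached */
        return -1;
    sch->child = calloc(1, sizeof *sch->child);
    sch->child->ops = &fifo_ops;
    return 0;
}

/* Mirrors qdisc_create_dflt() -> init() failing -> qdisc_put() -> reset().
 * Returns how many child resets ran (1 on the normal path, 0 when init failed). */
static int create_then_teardown(int inject_failure)
{
    static const struct Qdisc_ops sfb_ops = { sfb_init, sfb_reset };
    struct Qdisc sch = { &sfb_ops, NULL };
    child_resets = 0;
    fail_block_get = inject_failure;
    (void)sch.ops->init(&sch);       /* error return falls through to teardown */
    sch.ops->reset(&sch);            /* what qdisc_put() ends up calling */
    free(sch.child);
    return child_resets;
}
```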