On Thu, May 01, 2025 at 03:30:21PM -0700, Amery Hung wrote:
> Allow .init to proceed if qdisc_lookup() returns NULL as it only happens
> when called by qdisc_create_dflt() in mq/mqprio_init and the parent qdisc
> has not been added to qdisc_hash yet. In qdisc_create(), the caller,
> __tc_modify_qdisc(), would have made sure the parent qdisc already exists.
>
> In addition, call qdisc_watchdog_init() whether .init succeeds or not to
> prevent null-pointer dereference. In qdisc_create() and
> qdisc_create_dflt(), if .init fails, .destroy will be called. As a
> result, the destroy epilogue could call qdisc_watchdog_cancel() with an
> uninitialized timer, causing null-pointer dereference in hrtimer_cancel().
>
> Fixes: Fixes: c8240344956e ("bpf: net_sched: Support implementation of Qdisc_ops in bpf")

nit: One "Fixes: " is enough.

> Signed-off-by: Amery Hung <ameryhung@xxxxxxxxx>

...