Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any skbs, that is, the flow->head is null. The root cause, as the [2] says, is because that bpf_prog_test_run_skb() run a bpf prog which redirects empty skbs. So we should determine whether the length of the packet modified by bpf prog or others like bpf_prog_test is 0 before forwarding it directly. LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5 LINK: [2] https://www.spinics.net/lists/netdev/msg777503.html Reported-by: syzbot+7a12909485b94426aceb@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Di Zhu <zhudi2@xxxxxxxxxx> --- net/core/filter.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index 5af58eb48587..c7fbfa90898a 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2156,6 +2156,9 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev, static int __bpf_redirect(struct sk_buff *skb, struct net_device *dev, u32 flags) { + if (unlikely(skb->len == 0)) + return -EINVAL; + if (dev_is_mac_header_xmit(dev)) return __bpf_redirect_common(skb, dev, flags); else -- 2.27.0
