sch_htb: Fix select_queue for non-offload mode

htb_select_queue assumes it's always the offload mode, and it ends up in
calling ndo_setup_tc without any checks. It may lead to a NULL pointer
dereference if ndo_setup_tc is not implemented, or to an error returned
from the driver, which will prevent attaching qdiscs to HTB classes in
the non-offload mode.

This commit fixes the bug by adding the missing check to
htb_select_queue. In the non-offload mode it will return sch->dev_queue,
mimicking tc_modify_qdisc's behavior for the case where select_queue is
not implemented.

Reported-by: syzbot+b53a709f04722ca12a3c@syzkaller.appspotmail.com
Fixes: d03b195b5aa0 ("sch_htb: Hierarchical QoS hardware offload")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index dff3adf..b232031 100644 (file)
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -1340,8 +1340,12 @@ htb_select_queue(struct Qdisc *sch, struct tcmsg *tcm)
 {
        struct net_device *dev = qdisc_dev(sch);
        struct tc_htb_qopt_offload offload_opt;
+       struct htb_sched *q = qdisc_priv(sch);
        int err;
 
+       if (!q->offload)
+               return sch->dev_queue;
+
        offload_opt = (struct tc_htb_qopt_offload) {
                .command = TC_HTB_LEAF_QUERY_QUEUE,
                .classid = TC_H_MIN(tcm->tcm_parent),