In function sfb_dump() at net/sched/sch_sfb.c:542, the call to nla_nest_start() at line 559 may return a NULL pointer, so the variable opts may be NULL. An invalid memory access may then be triggered when nla_nest_end() is called at line 561, because the callee nla_nest_end() dereferences opts without checking it against NULL first. The related code snippets in sfb_dump() and nla_nest_end() are as follows.

sfb_dump() @@net/sched/sch_sfb.c:559

    559         opts = nla_nest_start(skb, TCA_OPTIONS);
    560         NLA_PUT(skb, TCA_SFB_PARMS, sizeof(opt), &opt);
    561         return nla_nest_end(skb, opts);

nla_nest_end() @@include/net/netlink.h:1018

    1018 static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
    1019 {
    1020         start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start;
    1021         return skb->len;
    1022 }

Generally, the return value should be checked against NULL before it is used, as in the following code from another function of the same driver.

cbq_dump_class() @@net/sched/sch_cbq.c:1589

    1589         nest = nla_nest_start(skb, TCA_OPTIONS);
    1590         if (nest == NULL)
    1591                 goto nla_put_failure;
    1592         if (cbq_dump_attr(skb, cl) < 0)
    1593                 goto nla_put_failure;
    1594         nla_nest_end(skb, nest);
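To make the failure path concrete, here is a small user-space model of the nesting helpers involved. It is an added example written for this report, not kernel code: toy_skb, toy_nla_reserve(), toy_nla_nest_start(), toy_nla_put() and toy_nla_nest_end() are constructed stand-ins for the sk_buff and nla_* helpers, the numeric attribute types stand in for TCA_OPTIONS and TCA_SFB_PARMS, and the buffer is deliberately tiny so that nla_nest_start() runs out of tail room. checked_dump() applies the cbq_dump_class() pattern: when nesting fails it returns an error instead of handing a NULL pointer to the nest_end helper, which (like the real nla_nest_end()) writes through its argument unconditionally.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a socket buffer: 64 bytes of 4-byte aligned tail room. */
struct toy_skb {
    uint32_t words[16];
    size_t   len;            /* bytes already used */
};

struct nlattr {              /* same layout as the netlink attribute header */
    uint16_t nla_len;
    uint16_t nla_type;
};

#define NLA_ALIGN(n)  (((n) + 3) & ~(size_t)3)
#define NLA_HDRLEN    NLA_ALIGN(sizeof(struct nlattr))

static void toy_skb_init(struct toy_skb *skb, size_t used)
{
    memset(skb, 0, sizeof *skb);
    skb->len = used;         /* pretend 'used' bytes were already dumped */
}

/* Like nla_reserve(): returns NULL when the buffer has no room left. */
static struct nlattr *toy_nla_reserve(struct toy_skb *skb, int type, size_t payload)
{
    size_t need = NLA_ALIGN(NLA_HDRLEN + payload);
    if (skb->len + need > sizeof skb->words)
        return NULL;
    struct nlattr *nla = (struct nlattr *)((unsigned char *)skb->words + skb->len);
    nla->nla_type = (uint16_t)type;
    nla->nla_len  = (uint16_t)(NLA_HDRLEN + payload);
    skb->len += need;
    return nla;
}

static struct nlattr *toy_nla_nest_start(struct toy_skb *skb, int type)
{
    return toy_nla_reserve(skb, type, 0);   /* header only; length fixed up at nest_end */
}

static int toy_nla_put(struct toy_skb *skb, int type, const void *data, size_t n)
{
    struct nlattr *nla = toy_nla_reserve(skb, type, n);
    if (nla == NULL)
        return -1;                          /* the kernel returns -EMSGSIZE here */
    memcpy((unsigned char *)nla + NLA_HDRLEN, data, n);
    return 0;
}

/* Mirrors include/net/netlink.h: 'start' is dereferenced without any check,
 * so passing NULL from a failed nest_start would fault. */
static int toy_nla_nest_end(struct toy_skb *skb, struct nlattr *start)
{
    unsigned char *tail = (unsigned char *)skb->words + skb->len;
    start->nla_len = (uint16_t)(tail - (unsigned char *)start);
    return (int)skb->len;
}

struct toy_parms { uint32_t a, b, c, d; };  /* stand-in for the SFB parameter block */

/* Checked dump path following the cbq_dump_class() pattern from the report. */
static int checked_dump(struct toy_skb *skb)
{
    struct toy_parms opt = { 1, 2, 3, 4 };
    struct nlattr *opts = toy_nla_nest_start(skb, 2 /* stands in for TCA_OPTIONS */);
    if (opts == NULL)
        goto nla_put_failure;
    if (toy_nla_put(skb, 1 /* stands in for TCA_SFB_PARMS */, &opt, sizeof opt) < 0)
        goto nla_put_failure;
    return toy_nla_nest_end(skb, opts);     /* only reached with a valid pointer */

nla_put_failure:
    return -1;                              /* caller reports an error, no crash */
}

/* Runs checked_dump() on a buffer with 'used' bytes already consumed. */
static int run_checked_dump(size_t used)
{
    struct toy_skb skb;
    toy_skb_init(&skb, used);
    return checked_dump(&skb);
}

int main(void)
{
    printf("empty buffer  -> %d\n", run_checked_dump(0));   /* 24: 4-byte nest + 20-byte attr */
    printf("48 bytes used -> %d\n", run_checked_dump(48));  /* -1: nest fits, parms do not */
    printf("62 bytes used -> %d\n", run_checked_dump(62));  /* -1: nest_start itself fails */
    return 0;
}
```

The two failing cases are the ones that matter for this report: with 62 bytes used, toy_nla_nest_start() returns NULL, and without the check the next line would write opts->nla_len through a null pointer exactly as the unchecked sfb_dump() would. In the real driver the failure label additionally calls nla_nest_cancel() to roll back the partial attribute; that is omitted here because the toy buffer is discarded after each run.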
A patch referencing this bug report has been merged in Linux v3.5:

    commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d
    Author: Alan Cox <alan@linux.intel.com>
    Date:   Thu Jul 12 03:39:11 2012 +0000

        sch_sfb: Fix missing NULL check