Re: [External] : Re: [REPORT] Null pointer deref in net/core/dev.c on PowerPC

From: ALOK TIWARI
Date: Wed Dec 17 2025 - 11:08:52 EST




On 12/17/2025 8:52 PM, Eric Dumazet wrote:
I will send the following fix, thanks.

diff --git a/net/core/dev.c b/net/core/dev.c
index 9094c0fb8c68..36dc5199037e 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4241,9 +4241,11 @@ static inline int __dev_xmit_skb(struct sk_buff
*skb, struct Qdisc *q,
int count = 0;

llist_for_each_entry_safe(skb, next, ll_list, ll_node) {
- prefetch(next);
- prefetch(&next->priority);
- skb_mark_not_on_list(skb);
+ if (next) {
+ prefetch(next);
+ prefetch(&next->priority);
+ skb_mark_not_on_list(skb);
+ }
rc = dev_qdisc_enqueue(skb, q, &to_free, txq);
count++;
}
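Review bot: the new `if (next)` block needs a short comment saying why skb_mark_not_on_list(skb) sits inside it together with the two prefetch() calls. As written, the call is skipped on the iteration where next is NULL, which is only correct if skb->next is already NULL for that last entry; without a comment stating that, the placement reads like an accident and a later cleanup could move the call back out or drop it. Since the guard is false only for the last entry of the list, `if (likely(next))` would also document the expected branch direction.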

Why not only?
    if (likely(next)) {
        prefetch(next);
        prefetch(&next->priority);
    }
Because we also can avoid clearing skb->next, we know it is already NULL.

Since we pay the price of a conditional, let's amortize its cost :/

Thanks a lot for the explanation, I understand the goal of amortizing the cost and avoiding unnecessary writes to skb->next.
Would it make sense to add if (likely(next)) around the prefetch?

Thanks,
Alok