In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_api: fix error handling causing NULL dereference
tcfextsmisscookiebasealloc() calls xaalloccyclic() which can return 1 if the allocation succeeded after wrapping. This was treated as an error, with value 1 returned to caller tcfextsinitex() which sets exts->actions to NULL and returns 1 to caller fl_change().
flchange() treats err == 1 as success, calling tcfextsvalidateex() which calls tcfactioninit() with exts->actions as argument, where it is dereferenced.
Example trace:
BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el95.x8664 #1 RIP: 0010:tcfactioninit+0x1f8/0x2c0 Call Trace: tcfactioninit+0x1f8/0x2c0 tcfextsvalidateex+0x175/0x190 flchange+0x537/0x1120 [cls_flower]