flow_change() calls tcf_block_q() and immediately dereferences the
returned qdisc pointer to resolve a zero-major baseclass handle.
On shared blocks, tcf_block_q() returns NULL because no qdisc owns
the block, causing a NULL pointer dereference.

Check for NULL before dereferencing and return -EOPNOTSUPP, since
shared blocks have no qdisc handle to derive the major number from.

Triggered by creating a cls_flow filter on a shared block without
a non-zero-major TCA_FLOW_BASECLASS:

  Kernel panic - not syncing: kernel: panic_on_warn set ...
  Call Trace:
   <TASK>
   check_panic_on_warn+0x5d/0x80
   __warn+0xe7/0x300
   flow_change+0x1422/0x1900
   report_bug+0x9a/0x1e0
   handle_bug+0x14c/0x360
   exc_invalid_op+0x13/0x40
   asm_exc_invalid_op+0x16/0x20
  RIP: 0010:flow_change+0x1422/0x1900
   tc_new_tfilter+0x92b/0x2060
   rtnetlink_rcv_msg+0x758/0xab0
   netlink_rcv_skb+0x120/0x350
   netlink_unicast+0x755/0xaa0
   netlink_sendmsg+0x787/0xc30
   ____sys_sendmsg+0x8b6/0xb00
   ___sys_sendmsg+0xed/0x170
   __sys_sendmsg+0x107/0x1a0
   do_syscall_64+0xe0/0x1290
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fixes: 1abf272022cf ("net: sched: tcindex, fw, flow: use tcf_block_q helper to get struct Qdisc")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
---
 net/sched/cls_flow.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
index 339c664beff6..ad8b4c375d1c 100644
--- a/net/sched/cls_flow.c
+++ b/net/sched/cls_flow.c
@@ -505,6 +505,10 @@ static int flow_change(struct net *net, struct sk_buff *in_skb,
 		if (TC_H_MAJ(baseclass) == 0) {
 			struct Qdisc *q = tcf_block_q(tp->chain->block);
 
+			if (!q) {
+				err = -EOPNOTSUPP;
+				goto err2;
+			}
 			baseclass = TC_H_MAKE(q->handle, baseclass);
 		}
 		if (TC_H_MIN(baseclass) == 0)
-- 
2.43.0