From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Xiang Mei <xmei5@asu.edu>,
Cong Wang <xiyou.wangcong@gmail.com>,
Paolo Abeni <pabeni@redhat.com>
Subject: [PATCH 6.6 01/32] net/sched: sch_qfq: Fix null-deref in agg_dequeue
Date: Fri, 31 Oct 2025 15:00:55 +0100 [thread overview]
Message-ID: <20251031140042.425168412@linuxfoundation.org> (raw)
In-Reply-To: <20251031140042.387255981@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
commit dd831ac8221e691e9e918585b1003c7071df0379 upstream.
To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)
when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return
value before using it, similar to the existing approach in sch_hfsc.c.
To avoid code duplication, the following changes are made:
1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static
inline function.
2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to
include/net/pkt_sched.h so that sch_qfq can reuse it.
3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://patch.msgid.link/20250705212143.3982664-1-xmei5@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/pkt_sched.h | 25 ++++++++++++++++++++++++-
net/sched/sch_api.c | 10 ----------
net/sched/sch_hfsc.c | 16 ----------------
net/sched/sch_qfq.c | 2 +-
4 files changed, 25 insertions(+), 28 deletions(-)
--- a/include/net/pkt_sched.h
+++ b/include/net/pkt_sched.h
@@ -112,7 +112,6 @@ struct qdisc_rate_table *qdisc_get_rtab(
struct netlink_ext_ack *extack);
void qdisc_put_rtab(struct qdisc_rate_table *tab);
void qdisc_put_stab(struct qdisc_size_table *tab);
-void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc);
bool sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q,
struct net_device *dev, struct netdev_queue *txq,
spinlock_t *root_lock, bool validate);
@@ -306,4 +305,28 @@ static inline bool tc_qdisc_stats_dump(s
return true;
}
+static inline void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc)
+{
+ if (!(qdisc->flags & TCQ_F_WARN_NONWC)) {
+ pr_warn("%s: %s qdisc %X: is non-work-conserving?\n",
+ txt, qdisc->ops->id, qdisc->handle >> 16);
+ qdisc->flags |= TCQ_F_WARN_NONWC;
+ }
+}
+
+static inline unsigned int qdisc_peek_len(struct Qdisc *sch)
+{
+ struct sk_buff *skb;
+ unsigned int len;
+
+ skb = sch->ops->peek(sch);
+ if (unlikely(skb == NULL)) {
+ qdisc_warn_nonwc("qdisc_peek_len", sch);
+ return 0;
+ }
+ len = qdisc_pkt_len(skb);
+
+ return len;
+}
+
#endif
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -599,16 +599,6 @@ out:
qdisc_skb_cb(skb)->pkt_len = pkt_len;
}
-void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc)
-{
- if (!(qdisc->flags & TCQ_F_WARN_NONWC)) {
- pr_warn("%s: %s qdisc %X: is non-work-conserving?\n",
- txt, qdisc->ops->id, qdisc->handle >> 16);
- qdisc->flags |= TCQ_F_WARN_NONWC;
- }
-}
-EXPORT_SYMBOL(qdisc_warn_nonwc);
-
static enum hrtimer_restart qdisc_watchdog(struct hrtimer *timer)
{
struct qdisc_watchdog *wd = container_of(timer, struct qdisc_watchdog,
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -835,22 +835,6 @@ update_vf(struct hfsc_class *cl, unsigne
}
}
-static unsigned int
-qdisc_peek_len(struct Qdisc *sch)
-{
- struct sk_buff *skb;
- unsigned int len;
-
- skb = sch->ops->peek(sch);
- if (unlikely(skb == NULL)) {
- qdisc_warn_nonwc("qdisc_peek_len", sch);
- return 0;
- }
- len = qdisc_pkt_len(skb);
-
- return len;
-}
-
static void
hfsc_adjust_levels(struct hfsc_class *cl)
{
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -1002,7 +1002,7 @@ static struct sk_buff *agg_dequeue(struc
if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */
list_del_init(&cl->alist);
- else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) {
+ else if (cl->deficit < qdisc_peek_len(cl->qdisc)) {
cl->deficit += agg->lmax;
list_move_tail(&cl->alist, &agg->active);
}
next prev parent reply other threads:[~2025-10-31 14:01 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-31 14:00 [PATCH 6.6 00/32] 6.6.116-rc1 review Greg Kroah-Hartman
2025-10-31 14:00 ` Greg Kroah-Hartman [this message]
2025-10-31 14:00 ` [PATCH 6.6 02/32] audit: record fanotify event regardless of presence of rules Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.6 03/32] perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of current->mm == NULL Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.6 04/32] perf: Have get_perf_callchain() return NULL if crosstask and user are set Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.6 05/32] perf: Skip user unwind if the task is a kernel thread Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 06/32] x86/bugs: Report correct retbleed mitigation status Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 07/32] x86/bugs: Fix reporting of LFENCE retpoline Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 08/32] EDAC/mc_sysfs: Increase legacy channel support to 16 Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 09/32] btrfs: zoned: return error from btrfs_zone_finish_endio() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 10/32] btrfs: zoned: refine extent allocator hint selection Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 11/32] btrfs: scrub: replace max_t()/min_t() with clamp() in scrub_throttle_dev_io() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 12/32] btrfs: always drop log root tree reference in btrfs_replay_log() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 13/32] btrfs: use level argument in log tree walk callback replay_one_buffer() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 14/32] btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 15/32] arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 16/32] mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 17/32] selftests: mptcp: disable add_addr retrans in endpoint_tests Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 18/32] selftests: mptcp: join: mark delete re-add signal as skipped if not supported Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 19/32] serial: sc16is7xx: remove unused to_sc16is7xx_port macro Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 20/32] serial: sc16is7xx: reorder code to remove prototype declarations Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 21/32] serial: sc16is7xx: refactor EFR lock Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 22/32] serial: sc16is7xx: remove useless enable of enhanced features Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 23/32] xhci: dbc: poll at different rate depending on data transfer activity Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 24/32] xhci: dbc: Allow users to modify DbC poll interval via sysfs Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 25/32] xhci: dbc: Improve performance by removing delay in transfer event polling Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 26/32] xhci: dbc: Avoid event polling busyloop if pending rx transfers are inactive Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 27/32] xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races with stall event Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 28/32] bits: add comments and newlines to #if, #else and #endif directives Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 29/32] bits: introduce fixed-type GENMASK_U*() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 30/32] gpio: regmap: Allow to allocate regmap-irq device Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 31/32] gpio: regmap: add the .fixed_direction_output configuration parameter Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.6 32/32] gpio: idio-16: Define fixed direction of the GPIO lines Greg Kroah-Hartman
2025-10-31 15:15 ` [PATCH 6.6 00/32] 6.6.116-rc1 review Peter Schneider
2025-10-31 18:21 ` Florian Fainelli
2025-10-31 19:34 ` Jon Hunter
2025-10-31 22:37 ` Shuah Khan
2025-11-01 9:53 ` Naresh Kamboju
2025-11-01 11:51 ` Ron Economos
2025-11-01 19:32 ` Brett A C Sheffield
2025-11-01 21:02 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251031140042.425168412@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.