From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Budimir Markovic <markovicbudimir@gmail.com>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Victor Nogueira <victor@mojatatu.com>,
Pedro Tammela <pctammela@mojatatu.com>,
Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 073/110] net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
Date: Wed, 6 Nov 2024 13:04:39 +0100 [thread overview]
Message-ID: <20241106120305.203608693@linuxfoundation.org> (raw)
In-Reply-To: <20241106120303.135636370@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Tammela <pctammela@mojatatu.com>
[ Upstream commit 2e95c4384438adeaa772caa560244b1a2efef816 ]
In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
to be either root or ingress. This assumption is bogus since it's valid
to create egress qdiscs with major handle ffff:
Budimir Markovic found that for qdiscs like DRR that maintain an active
class list, it will cause a UAF with a dangling class pointer.
In 066a3b5b2346, the concern was to avoid iterating over the ingress
qdisc since its parent is itself. The proper fix is to stop when parent
TC_H_ROOT is reached because the only way to retrieve ingress is when a
hierarchy which does not contain a ffff: major handle call into
qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
In the scenario where major ffff: is an egress qdisc in any of the tree
levels, the updates will also propagate to TC_H_ROOT, which then the
iteration must stop.
Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
net/sched/sch_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20241024165547.418570-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index d0e4845ea7018..b4e405676600f 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -780,7 +780,7 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
drops = max_t(int, n, 0);
rcu_read_lock();
while ((parentid = sch->parent)) {
- if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS))
+ if (parentid == TC_H_ROOT)
break;
if (sch->flags & TCQ_F_NOPARENT)
--
2.43.0
next prev parent reply other threads:[~2024-11-06 12:41 UTC|newest]
Thread overview: 118+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-06 12:03 [PATCH 5.10 000/110] 5.10.229-rc1 review Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 001/110] RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 002/110] RDMA/bnxt_re: Add a check for memory allocation Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 003/110] ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 004/110] RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 005/110] ipv4: give an IPv4 dev to blackhole_netdev Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 006/110] RDMA/bnxt_re: Return more meaningful error Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 007/110] RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 008/110] drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 009/110] macsec: dont increment counters for an unrelated SA Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 010/110] net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 011/110] net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 012/110] net: systemport: fix potential memory leak in bcm_sysport_xmit() Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 013/110] genetlink: hold RCU in genlmsg_mcast() Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 014/110] scsi: target: core: Fix null-ptr-deref in target_alloc_device() Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 015/110] smb: client: fix OOBs when building SMB2_IOCTL request Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 016/110] usb: typec: altmode should keep reference to parent Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 017/110] s390: Initialize psw mask in perf_arch_fetch_caller_regs() Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 018/110] Bluetooth: bnep: fix wild-memory-access in proto_unregister Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 019/110] arm64:uprobe fix the uprobe SWBP_INSN in big-endian Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 020/110] arm64: probes: Fix uprobes for big-endian kernels Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 021/110] KVM: s390: gaccess: Refactor gpa and length calculation Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 022/110] KVM: s390: gaccess: Refactor access address range check Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 023/110] KVM: s390: gaccess: Cleanup access to guest pages Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 024/110] KVM: s390: gaccess: Check if guest address is in memslot Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 025/110] block, bfq: fix procress reference leakage for bfqq in merge chain Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 026/110] exec: dont WARN for racy path_noexec check Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 027/110] iomap: update ki_pos a little later in iomap_dio_complete Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 028/110] drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 029/110] ASoC: fsl_sai: Enable FIFO continue on error FCONT bit Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 030/110] arm64: Force position-independent veneers Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 031/110] jfs: Fix sanity check in dbMount Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 032/110] tracing: Consider the NULL character when validating the event length Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 033/110] xfrm: extract dst lookup parameters into a struct Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 034/110] xfrm: respect ip protocols rules criteria when performing dst lookups Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 035/110] net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 036/110] be2net: fix potential memory leak in be_xmit() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 037/110] net: usb: usbnet: fix name regression Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 038/110] net: sched: fix use-after-free in taprio_change() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 039/110] r8169: avoid unsolicited interrupts Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 040/110] posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 041/110] ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 042/110] ALSA: hda/realtek: Update default depop procedure Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 043/110] drm/amd: Guard against bad data for ATIF ACPI method Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 044/110] ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 045/110] ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 046/110] nilfs2: fix kernel bug due to missing clearing of buffer delay flag Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 047/110] openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 048/110] KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 049/110] ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 050/110] hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 051/110] selinux: improve error checking in sel_write_load() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 052/110] serial: protect uart_port_dtr_rts() in uart_shutdown() too Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 053/110] net: phy: dp83822: Fix reset pin definitions Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 054/110] ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 055/110] arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 056/110] xfrm: validate new SAs prefixlen using SA family when sel.family is unset Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 057/110] selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 058/110] cgroup: Fix potential overflow issue when checking max_depth Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 059/110] mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 060/110] wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 061/110] wifi: brcm80211: BRCM_TRACING should depend on TRACING Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 062/110] RDMA/cxgb4: Dump vendor specific QP details Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 063/110] RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 064/110] RDMA/bnxt_re: synchronize the qp-handle table array Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 065/110] mac80211: do drv_reconfig_complete() before restarting all Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 066/110] mac80211: Add support to trigger sta disconnect on hardware restart Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 067/110] wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 068/110] wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 069/110] ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 070/110] igb: Disable threaded IRQ for igb_msix_other Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 071/110] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 072/110] gtp: allow -1 to be specified as file description from userspace Greg Kroah-Hartman
2024-11-06 12:04 ` Greg Kroah-Hartman [this message]
2024-11-06 12:04 ` [PATCH 5.10 074/110] bpf: Fix out-of-bounds write in trie_get_next_key() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 075/110] net: support ip generic csum processing in skb_csum_hwoffload_help Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 076/110] net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 077/110] netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 078/110] compiler-gcc: be consistent with underscores use for `no_sanitize` Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 079/110] compiler-gcc: remove attribute support check for `__no_sanitize_address__` Greg Kroah-Hartman
2024-11-06 18:59 ` Miguel Ojeda
2024-11-06 12:04 ` [PATCH 5.10 080/110] kasan: Fix Software Tag-Based KASAN with GCC Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 081/110] firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 082/110] net: amd: mvme147: Fix probe banner message Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 083/110] NFS: remove revoked delegation from servers delegation list Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 084/110] misc: sgi-gru: Dont disable preemption in GRU driver Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 085/110] usbip: tools: Fix detach_port() invalid port error path Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 086/110] usb: phy: Fix API devm_usb_put_phy() can not release the phy Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 087/110] xhci: Fix Link TRB DMA in command ring stopped completion event Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 088/110] xhci: Use pm_runtime_get to prevent RPM on unsupported systems Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 089/110] Revert "driver core: Fix uevent_show() vs driver detach race" Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 090/110] wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 091/110] wifi: ath10k: Fix memory leak in management tx Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 092/110] wifi: iwlegacy: Clear stale interrupts before resuming device Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 093/110] staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 094/110] iio: light: veml6030: fix microlux value calculation Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 095/110] nilfs2: fix potential deadlock with newly created symlinks Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 096/110] mm: add remap_pfn_range_notrack Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 097/110] mm: avoid leaving partial pfn mappings around in error case Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 098/110] riscv: vdso: Prevent the compiler from inserting calls to memset() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 099/110] riscv: efi: Set NX compat flag in PE/COFF header Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 100/110] riscv: Use %u to format the output of cpu Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 101/110] riscv: Remove unused GENERATING_ASM_OFFSETS Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 102/110] riscv: Remove duplicated GET_RM Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 103/110] ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 104/110] x86/bugs: Use code segment selector for VERW operand Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 105/110] nilfs2: fix kernel bug due to missing clearing of checked flag Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 106/110] mm: shmem: fix data-race in shmem_getattr() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 107/110] Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 108/110] drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 109/110] vt: prevent kernel-infoleak in con_font_get() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 110/110] mac80211: always have ieee80211_sta_restart() Greg Kroah-Hartman
2024-11-06 17:29 ` [PATCH 5.10 000/110] 5.10.229-rc1 review Pavel Machek
2024-11-07 13:42 ` Jon Hunter
2024-11-07 19:10 ` Florian Fainelli
2024-11-08 9:09 ` Naresh Kamboju
2024-11-08 15:47 ` Mark Brown
2024-11-28 17:51 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241106120305.203608693@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=horms@kernel.org \
--cc=jhs@mojatatu.com \
--cc=kuba@kernel.org \
--cc=markovicbudimir@gmail.com \
--cc=patches@lists.linux.dev \
--cc=pctammela@mojatatu.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=victor@mojatatu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox