From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED26034DCC9; Tue, 26 Aug 2025 14:21:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756218099; cv=none; b=C0QvNSOaLXeZvDZmOsTnt2enkBinipMlWPvdtEogub26p914h4GmRlN0dtLZRbynl1xEuoHaUPvMcdO7bkh3hQKXZxpxcTzjKnVV6ELxBnZy9AiugZPRAeQ9ETQFGPEbhTkUkhX0UGQ1dT850WYYHeP0MQUW3yGXUzm2Pe9fyzc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756218099; c=relaxed/simple; bh=0p0RlrsNX8+GFwraUg5XN82EjZWkzyk3luyerQhHa34=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=r4LkRXd6l5/Sf+tavH1n7HRU2sL6YwA6dczNutJzUX0CxLaZs77R2+Pm+Sp0EPbLVUYXsTZtuzbZ/QGSWcgK3edrn5K812mXT6haHZFsLXSOCSfQAIzcIpIJuzhZ+GbQTdHG1mKYTWts7+B9vmdzk/mXh1h3qvRSXmNH0+SMs1g= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=r9j12VJw; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="r9j12VJw" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 613BFC4CEF1; Tue, 26 Aug 2025 14:21:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1756218095; bh=0p0RlrsNX8+GFwraUg5XN82EjZWkzyk3luyerQhHa34=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=r9j12VJwKfLelP0wWdfoAzBKQbLhN5ilNKuUyMVhggkyDp5zVye2nCSbEQ8KdVoLO zqAot7EMlMXrEnQ3syZNIOtbShotnwzdFttmJ+ncLOnw652DRVp0mwYuZzfAzNQcXK up3s2OVHJklduAj5wVDleo6GfZ48/Dlo3w7Kbgj8= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, "Alan J. Wylie" , Cong Wang , Jakub Kicinski , Siddh Raman Pant Subject: [PATCH 5.10 391/523] sch_htb: make htb_deactivate() idempotent Date: Tue, 26 Aug 2025 13:10:01 +0200 Message-ID: <20250826110934.104886137@linuxfoundation.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250826110924.562212281@linuxfoundation.org> References: <20250826110924.562212281@linuxfoundation.org> User-Agent: quilt/0.68 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Cong Wang commit 3769478610135e82b262640252d90f6efb05be71 upstream. Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent. It turns out in the following case it introduced some regression: htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_backlog() |-> htb_qlen_notify() |-> htb_deactivate() |-> htb_next_rb_node() |-> htb_deactivate() For htb_next_rb_node(), after calling the 1st htb_deactivate(), the clprio[prio]->ptr could be already set to NULL, which means htb_next_rb_node() is vulnerable here. For htb_deactivate(), although we checked qlen before calling it, in case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again which triggers the warning inside. To fix the issues here, we need to: 1) Make htb_deactivate() idempotent, that is, simply return if we already call it before. 2) Make htb_next_rb_node() safe against ptr==NULL. Many thanks to Alan for testing and for the reproducer. Fixes: 5ba8b837b522 ("sch_htb: make htb_qlen_notify() idempotent") Reported-by: Alan J. Wylie Signed-off-by: Cong Wang Link: https://patch.msgid.link/20250428232955.1740419-2-xiyou.wangcong@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Siddh Raman Pant Signed-off-by: Greg Kroah-Hartman --- net/sched/sch_htb.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c @@ -331,7 +331,8 @@ static void htb_add_to_wait_tree(struct */ static inline void htb_next_rb_node(struct rb_node **n) { - *n = rb_next(*n); + if (*n) + *n = rb_next(*n); } /** @@ -573,8 +574,8 @@ static inline void htb_activate(struct h */ static inline void htb_deactivate(struct htb_sched *q, struct htb_class *cl) { - WARN_ON(!cl->prio_activity); - + if (!cl->prio_activity) + return; htb_deactivate_prios(q, cl); cl->prio_activity = 0; } @@ -1173,8 +1174,6 @@ static void htb_qlen_notify(struct Qdisc { struct htb_class *cl = (struct htb_class *)arg; - if (!cl->prio_activity) - return; htb_deactivate(qdisc_priv(sch), cl); } @@ -1282,8 +1281,7 @@ static int htb_delete(struct Qdisc *sch, if (cl->parent) cl->parent->children--; - if (cl->prio_activity) - htb_deactivate(q, cl); + htb_deactivate(q, cl); if (cl->cmode != HTB_CAN_SEND) htb_safe_rb_erase(&cl->pq_node, @@ -1408,8 +1406,7 @@ static int htb_change_class(struct Qdisc /* turn parent into inner node */ qdisc_purge_queue(parent->leaf.q); parent_qdisc = parent->leaf.q; - if (parent->prio_activity) - htb_deactivate(q, parent); + htb_deactivate(q, parent); /* remove from evt list because of level change */ if (parent->cmode != HTB_CAN_SEND) {