From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Xiang Mei <xmei5@asu.edu>,
Cong Wang <xiyou.wangcong@gmail.com>,
Paolo Abeni <pabeni@redhat.com>
Subject: [PATCH 6.12 01/40] net/sched: sch_qfq: Fix null-deref in agg_dequeue
Date: Fri, 31 Oct 2025 15:00:54 +0100 [thread overview]
Message-ID: <20251031140043.977260604@linuxfoundation.org> (raw)
In-Reply-To: <20251031140043.939381518@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
commit dd831ac8221e691e9e918585b1003c7071df0379 upstream.
To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)
when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return
value before using it, similar to the existing approach in sch_hfsc.c.
To avoid code duplication, the following changes are made:
1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static
inline function.
2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to
include/net/pkt_sched.h so that sch_qfq can reuse it.
3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://patch.msgid.link/20250705212143.3982664-1-xmei5@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/pkt_sched.h | 25 ++++++++++++++++++++++++-
net/sched/sch_api.c | 10 ----------
net/sched/sch_hfsc.c | 16 ----------------
net/sched/sch_qfq.c | 2 +-
4 files changed, 25 insertions(+), 28 deletions(-)
--- a/include/net/pkt_sched.h
+++ b/include/net/pkt_sched.h
@@ -114,7 +114,6 @@ struct qdisc_rate_table *qdisc_get_rtab(
struct netlink_ext_ack *extack);
void qdisc_put_rtab(struct qdisc_rate_table *tab);
void qdisc_put_stab(struct qdisc_size_table *tab);
-void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc);
bool sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q,
struct net_device *dev, struct netdev_queue *txq,
spinlock_t *root_lock, bool validate);
@@ -290,4 +289,28 @@ static inline bool tc_qdisc_stats_dump(s
return true;
}
+static inline void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc)
+{
+ if (!(qdisc->flags & TCQ_F_WARN_NONWC)) {
+ pr_warn("%s: %s qdisc %X: is non-work-conserving?\n",
+ txt, qdisc->ops->id, qdisc->handle >> 16);
+ qdisc->flags |= TCQ_F_WARN_NONWC;
+ }
+}
+
+static inline unsigned int qdisc_peek_len(struct Qdisc *sch)
+{
+ struct sk_buff *skb;
+ unsigned int len;
+
+ skb = sch->ops->peek(sch);
+ if (unlikely(skb == NULL)) {
+ qdisc_warn_nonwc("qdisc_peek_len", sch);
+ return 0;
+ }
+ len = qdisc_pkt_len(skb);
+
+ return len;
+}
+
#endif
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -599,16 +599,6 @@ out:
qdisc_skb_cb(skb)->pkt_len = pkt_len;
}
-void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc)
-{
- if (!(qdisc->flags & TCQ_F_WARN_NONWC)) {
- pr_warn("%s: %s qdisc %X: is non-work-conserving?\n",
- txt, qdisc->ops->id, qdisc->handle >> 16);
- qdisc->flags |= TCQ_F_WARN_NONWC;
- }
-}
-EXPORT_SYMBOL(qdisc_warn_nonwc);
-
static enum hrtimer_restart qdisc_watchdog(struct hrtimer *timer)
{
struct qdisc_watchdog *wd = container_of(timer, struct qdisc_watchdog,
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -835,22 +835,6 @@ update_vf(struct hfsc_class *cl, unsigne
}
}
-static unsigned int
-qdisc_peek_len(struct Qdisc *sch)
-{
- struct sk_buff *skb;
- unsigned int len;
-
- skb = sch->ops->peek(sch);
- if (unlikely(skb == NULL)) {
- qdisc_warn_nonwc("qdisc_peek_len", sch);
- return 0;
- }
- len = qdisc_pkt_len(skb);
-
- return len;
-}
-
static void
hfsc_adjust_levels(struct hfsc_class *cl)
{
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -1002,7 +1002,7 @@ static struct sk_buff *agg_dequeue(struc
if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */
list_del_init(&cl->alist);
- else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) {
+ else if (cl->deficit < qdisc_peek_len(cl->qdisc)) {
cl->deficit += agg->lmax;
list_move_tail(&cl->alist, &agg->active);
}
next prev parent reply other threads:[~2025-10-31 14:03 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-31 14:00 [PATCH 6.12 00/40] 6.12.57-rc1 review Greg Kroah-Hartman
2025-10-31 14:00 ` Greg Kroah-Hartman [this message]
2025-10-31 14:00 ` [PATCH 6.12 02/40] audit: record fanotify event regardless of presence of rules Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.12 03/40] perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.12 04/40] perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of current->mm == NULL Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.12 05/40] perf: Have get_perf_callchain() return NULL if crosstask and user are set Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.12 06/40] perf: Skip user unwind if the task is a kernel thread Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 07/40] seccomp: passthrough uprobe systemcall without filtering Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 08/40] x86/bugs: Report correct retbleed mitigation status Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 09/40] x86/bugs: Fix reporting of LFENCE retpoline Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 10/40] EDAC/mc_sysfs: Increase legacy channel support to 16 Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 11/40] cpuset: Use new excpus for nocpu error check when enabling root partition Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 12/40] btrfs: abort transaction on specific error places when walking log tree Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 13/40] btrfs: abort transaction in the process_one_buffer() log tree walk callback Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 14/40] btrfs: zoned: return error from btrfs_zone_finish_endio() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 15/40] btrfs: zoned: refine extent allocator hint selection Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 16/40] btrfs: scrub: replace max_t()/min_t() with clamp() in scrub_throttle_dev_io() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 17/40] btrfs: always drop log root tree reference in btrfs_replay_log() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 18/40] btrfs: use level argument in log tree walk callback replay_one_buffer() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 19/40] btrfs: abort transaction if we fail to update inode in log replay dir fixup Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 20/40] btrfs: tree-checker: add inode extref checks Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 21/40] btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 22/40] sched_ext: Make qmap dump operation non-destructive Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 23/40] arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 24/40] docs: kdoc: handle the obsolescensce of docutils.ErrorString() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 25/40] selftests: mptcp: disable add_addr retrans in endpoint_tests Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 26/40] selftests: mptcp: join: mark delete re-add signal as skipped if not supported Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 27/40] mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 28/40] f2fs: fix to avoid panic once fallocation fails for pinfile Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 29/40] wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 30/40] bonding: return detailed error when loading native XDP fails Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 31/40] bonding: check xdp prog when set bond mode Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 32/40] bits: add comments and newlines to #if, #else and #endif directives Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 33/40] bits: introduce fixed-type GENMASK_U*() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 34/40] gpio: regmap: Allow to allocate regmap-irq device Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 35/40] gpio: regmap: add the .fixed_direction_output configuration parameter Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 36/40] gpio: idio-16: Define fixed direction of the GPIO lines Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 37/40] iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 38/40] wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 39/40] udmabuf: fix a buf size overflow issue during udmabuf creation Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 40/40] sfc: fix NULL dereferences in ef100_process_design_param() Greg Kroah-Hartman
2025-10-31 15:57 ` [PATCH 6.12 00/40] 6.12.57-rc1 review Peter Schneider
2025-11-01 5:10 ` Dileep malepu
2025-10-31 19:11 ` Brett Mastbergen
2025-10-31 19:34 ` Jon Hunter
2025-10-31 20:39 ` Pavel Machek
2025-10-31 22:35 ` Shuah Khan
2025-11-01 9:51 ` Naresh Kamboju
2025-11-01 11:44 ` Ron Economos
2025-11-01 19:31 ` Brett A C Sheffield
2025-11-01 21:09 ` Miguel Ojeda
2025-11-03 16:50 ` Florian Fainelli
2025-11-13 3:02 ` Guenter Roeck
2025-11-13 20:32 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251031140043.977260604@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).