From: Jamal Hadi Salim <jhs@mojatatu.com>
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, andrew+netdev@lunn.ch
Cc: netdev@vger.kernel.org, xiyou.wangcong@gmail.com,
jiri@resnulli.us, victor@mojatatu.com, km.kim1503@gmail.com,
security@kernel.org, Jamal Hadi Salim <jhs@mojatatu.com>
Subject: [PATCH net 0/3] net/sched: teql: Enforce hierarchy placement
Date: Wed, 14 Jan 2026 11:02:40 -0500 [thread overview]
Message-ID: <20260114160243.913069-1-jhs@mojatatu.com> (raw)
GangMin Kim <km.kim1503@gmail.com> managed to create a UAF on qfq by inserting
teql as a child qdisc and exploiting a qlen sync issue.
teql is not intended to be used as a child qdisc. Lets enforce that rule in
patch #1. Although patch #1 fixes the issue, we prevent another potential qlen
exploit in qfq in patch #2 by enforcing the child's active status is not
determined by inspecting the qlen. In patch #3 we add a tdc test case.
Jamal Hadi Salim (2):
net/sched: Enforce that teql can only be used as root qdisc
net/sched: qfq: Use cl_is_active to determine whether class is active
in qfq_rm_from_ag
Victor Nogueira (1):
selftests/tc-testing: Try to add teql as a child qdisc
net/sched/sch_qfq.c | 2 +-
net/sched/sch_teql.c | 5 ++++
.../tc-testing/tc-tests/qdiscs/teql.json | 25 +++++++++++++++++++
3 files changed, 31 insertions(+), 1 deletion(-)
--
2.34.1
next reply other threads:[~2026-01-14 16:03 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-14 16:02 Jamal Hadi Salim [this message]
2026-01-14 16:02 ` [PATCH net 1/3] net/sched: Enforce that teql can only be used as root qdisc Jamal Hadi Salim
2026-01-14 16:02 ` [PATCH net 2/3] net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag Jamal Hadi Salim
2026-01-14 16:02 ` [PATCH net 3/3] selftests/tc-testing: Try to add teql as a child qdisc Jamal Hadi Salim
2026-01-15 19:16 ` [PATCH net 0/3] net/sched: teql: Enforce hierarchy placement Cong Wang
2026-01-16 14:46 ` Jamal Hadi Salim
2026-01-19 20:20 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260114160243.913069-1-jhs@mojatatu.com \
--to=jhs@mojatatu.com \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jiri@resnulli.us \
--cc=km.kim1503@gmail.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=security@kernel.org \
--cc=victor@mojatatu.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox