Netdev List
 help / color / mirror / Atom feed
* [PATCH] net/sched: cake: reject overhead values that underflow length
@ 2026-06-09  0:00 Samuel Moelius
  2026-06-09  1:07 ` Eric Dumazet
  0 siblings, 1 reply; 4+ messages in thread
From: Samuel Moelius @ 2026-06-09  0:00 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen
  Cc: Samuel Moelius, Jamal Hadi Salim, Jiri Pirko, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
	moderated list:CAKE QDISC, open list:TC subsystem, open list

CAKE accepts overhead values that can make adjusted packet length
arithmetic underflow.  A negative effective length can wrap through
unsigned arithmetic and become a large value.

Such configurations make rate accounting depend on integer wraparound
rather than on the packet size userspace intended to model.

Validate overhead settings before using them in adjusted length
calculations.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
 net/sched/sch_cake.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 5862933be8d7..03972e5525b5 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -2308,12 +2308,18 @@ static void cake_reset(struct Qdisc *sch)
 		cake_clear_tin(sch, c);
 }
 
+static const struct netlink_range_validation_signed cake_overhead_range = {
+	.min = -64,
+	.max = 256,
+};
+
 static const struct nla_policy cake_policy[TCA_CAKE_MAX + 1] = {
 	[TCA_CAKE_BASE_RATE64]   = { .type = NLA_U64 },
 	[TCA_CAKE_DIFFSERV_MODE] = { .type = NLA_U32 },
 	[TCA_CAKE_ATM]		 = { .type = NLA_U32 },
 	[TCA_CAKE_FLOW_MODE]     = { .type = NLA_U32 },
-	[TCA_CAKE_OVERHEAD]      = { .type = NLA_S32 },
+	[TCA_CAKE_OVERHEAD]      =
+		NLA_POLICY_FULL_RANGE_SIGNED(NLA_S32, &cake_overhead_range),
 	[TCA_CAKE_RTT]		 = { .type = NLA_U32 },
 	[TCA_CAKE_TARGET]	 = { .type = NLA_U32 },
 	[TCA_CAKE_AUTORATE]      = { .type = NLA_U32 },
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] net/sched: cake: reject overhead values that underflow length
  2026-06-09  0:00 Samuel Moelius
@ 2026-06-09  1:07 ` Eric Dumazet
  0 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2026-06-09  1:07 UTC (permalink / raw)
  To: Samuel Moelius
  Cc: Toke Høiland-Jørgensen, Jamal Hadi Salim, Jiri Pirko,
	David S. Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
	moderated list:CAKE QDISC, open list:TC subsystem, open list

On Mon, Jun 8, 2026 at 5:06 PM Samuel Moelius
<sam.moelius@trailofbits.com> wrote:
>
> CAKE accepts overhead values that can make adjusted packet length
> arithmetic underflow.  A negative effective length can wrap through
> unsigned arithmetic and become a large value.
>
> Such configurations make rate accounting depend on integer wraparound
> rather than on the packet size userspace intended to model.
>
> Validate overhead settings before using them in adjusted length
> calculations.
>
> Assisted-by: Codex:gpt-5.5-cyber-preview
> Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
> ---

We need a Fixes: tag

pw-bot: cr

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH] net/sched: cake: reject overhead values that underflow length
@ 2026-07-01 23:56 Samuel Moelius
  2026-07-02  7:52 ` Jagielski, Jedrzej
  0 siblings, 1 reply; 4+ messages in thread
From: Samuel Moelius @ 2026-07-01 23:56 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen
  Cc: Samuel Moelius, Jamal Hadi Salim, Jiri Pirko, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
	moderated list:CAKE QDISC, open list:TC subsystem, open list

CAKE accepts signed overhead values and stores them in an s16, but the
adjusted packet length calculation uses unsigned arithmetic.  A negative
effective length can therefore wrap to a large value.

Such configurations make rate accounting depend on integer wraparound
rather than on the packet size userspace intended to model.  A static
netlink lower bound is not enough because packets reaching CAKE can be
smaller than any reasonable manual-overhead allowance.

Fold the signed overhead adjustment into the existing datapath MPU clamp
so negative adjusted lengths are clamped before link-layer framing
adjustments.

Fixes: a729b7f0bd5b ("sch_cake: Add overhead compensation support to the rate shaper")
Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
Changes in v3:
  - Adjust how check is performed
Changes in v2:
  - Add fixes tag

 net/sched/sch_cake.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index a3c185505afc..f78f8e950776 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1389,10 +1389,7 @@ static u32 cake_calc_overhead(struct cake_sched_data *qd, u32 len, u32 off)
 	if (qd->min_netlen > len)
 		WRITE_ONCE(qd->min_netlen, len);
 
-	len += q->rate_overhead;
-
-	if (len < q->rate_mpu)
-		len = q->rate_mpu;
+	len = max((s32)len + q->rate_overhead, (s32)q->rate_mpu);
 
 	if (q->atm_mode == CAKE_ATM_ATM) {
 		len += 47;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* RE: [PATCH] net/sched: cake: reject overhead values that underflow length
  2026-07-01 23:56 [PATCH] net/sched: cake: reject overhead values that underflow length Samuel Moelius
@ 2026-07-02  7:52 ` Jagielski, Jedrzej
  0 siblings, 0 replies; 4+ messages in thread
From: Jagielski, Jedrzej @ 2026-07-02  7:52 UTC (permalink / raw)
  To: Samuel Moelius, Toke Høiland-Jørgensen
  Cc: Hadi Salim, Jamal, Jiri Pirko, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman,
	moderated list:CAKE QDISC, open list:TC subsystem, open list

From: Samuel Moelius <sam.moelius@trailofbits.com> 
Sent: Thursday, July 2, 2026 1:57 AM

>CAKE accepts signed overhead values and stores them in an s16, but the
>adjusted packet length calculation uses unsigned arithmetic.  A negative
>effective length can therefore wrap to a large value.
>
>Such configurations make rate accounting depend on integer wraparound
>rather than on the packet size userspace intended to model.  A static
>netlink lower bound is not enough because packets reaching CAKE can be
>smaller than any reasonable manual-overhead allowance.
>
>Fold the signed overhead adjustment into the existing datapath MPU clamp
>so negative adjusted lengths are clamped before link-layer framing
>adjustments.
>
>Fixes: a729b7f0bd5b ("sch_cake: Add overhead compensation support to the rate shaper")
>Assisted-by: Codex:gpt-5.5-cyber-preview
>Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
>---
>Changes in v3:
>  - Adjust how check is performed
>Changes in v2:
>  - Add fixes tag

Hi,

just for the future - please mention the revision number in the
mail subject



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-02  7:52 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-01 23:56 [PATCH] net/sched: cake: reject overhead values that underflow length Samuel Moelius
2026-07-02  7:52 ` Jagielski, Jedrzej
  -- strict thread matches above, loose matches on Subject: below --
2026-06-09  0:00 Samuel Moelius
2026-06-09  1:07 ` Eric Dumazet

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox