* [PATCH net] net_sched: sch_sfq: reject invalid perturb period
@ 2025-06-11 8:35 Eric Dumazet
2025-06-12 15:10 ` patchwork-bot+netdevbpf
2025-06-12 20:11 ` Cong Wang
0 siblings, 2 replies; 3+ messages in thread
From: Eric Dumazet @ 2025-06-11 8:35 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Jamal Hadi Salim, Cong Wang, Jiri Pirko, netdev,
eric.dumazet, Eric Dumazet, Gerrard Tai, stable
Gerrard Tai reported that SFQ perturb_period has no range check yet,
and this can be used to trigger a race condition fixed in a separate patch.
We want to make sure ctl->perturb_period * HZ will not overflow
and is positive.
Tested:
tc qd add dev lo root sfq perturb -10 # negative value : error
Error: sch_sfq: invalid perturb period.
tc qd add dev lo root sfq perturb 1000000000 # too big : error
Error: sch_sfq: invalid perturb period.
tc qd add dev lo root sfq perturb 2000000 # acceptable value
tc -s -d qd sh dev lo
qdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: stable@vger.kernel.org
---
net/sched/sch_sfq.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 77fa02f2bfcd56a36815199aa2e7987943ea226f..a8cca549b5a2eb2407949560c2b6b658fb7a581f 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -656,6 +656,14 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
NL_SET_ERR_MSG_MOD(extack, "invalid quantum");
return -EINVAL;
}
+
+ if (ctl->perturb_period < 0 ||
+ ctl->perturb_period > INT_MAX / HZ) {
+ NL_SET_ERR_MSG_MOD(extack, "invalid perturb period");
+ return -EINVAL;
+ }
+ perturb_period = ctl->perturb_period * HZ;
+
if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
ctl_v1->Wlog, ctl_v1->Scell_log, NULL))
return -EINVAL;
@@ -672,14 +680,12 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
headdrop = q->headdrop;
maxdepth = q->maxdepth;
maxflows = q->maxflows;
- perturb_period = q->perturb_period;
quantum = q->quantum;
flags = q->flags;
/* update and validate configuration */
if (ctl->quantum)
quantum = ctl->quantum;
- perturb_period = ctl->perturb_period * HZ;
if (ctl->flows)
maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS);
if (ctl->divisor) {
--
2.50.0.rc0.642.g800a2b2222-goog
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH net] net_sched: sch_sfq: reject invalid perturb period
2025-06-11 8:35 [PATCH net] net_sched: sch_sfq: reject invalid perturb period Eric Dumazet
@ 2025-06-12 15:10 ` patchwork-bot+netdevbpf
2025-06-12 20:11 ` Cong Wang
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-06-12 15:10 UTC (permalink / raw)
To: Eric Dumazet
Cc: davem, kuba, pabeni, horms, jhs, xiyou.wangcong, jiri, netdev,
eric.dumazet, gerrard.tai, stable
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Wed, 11 Jun 2025 08:35:01 +0000 you wrote:
> Gerrard Tai reported that SFQ perturb_period has no range check yet,
> and this can be used to trigger a race condition fixed in a separate patch.
>
> We want to make sure ctl->perturb_period * HZ will not overflow
> and is positive.
>
> Tested:
>
> [...]
Here is the summary with links:
- [net] net_sched: sch_sfq: reject invalid perturb period
https://git.kernel.org/netdev/net/c/7ca52541c05c
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH net] net_sched: sch_sfq: reject invalid perturb period
2025-06-11 8:35 [PATCH net] net_sched: sch_sfq: reject invalid perturb period Eric Dumazet
2025-06-12 15:10 ` patchwork-bot+netdevbpf
@ 2025-06-12 20:11 ` Cong Wang
1 sibling, 0 replies; 3+ messages in thread
From: Cong Wang @ 2025-06-12 20:11 UTC (permalink / raw)
To: Eric Dumazet
Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
Jamal Hadi Salim, Jiri Pirko, netdev, eric.dumazet, Gerrard Tai,
stable
On Wed, Jun 11, 2025 at 08:35:01AM +0000, Eric Dumazet wrote:
> Gerrard Tai reported that SFQ perturb_period has no range check yet,
> and this can be used to trigger a race condition fixed in a separate patch.
>
> We want to make sure ctl->perturb_period * HZ will not overflow
> and is positive.
>
> Tested:
>
> tc qd add dev lo root sfq perturb -10 # negative value : error
> Error: sch_sfq: invalid perturb period.
>
> tc qd add dev lo root sfq perturb 1000000000 # too big : error
> Error: sch_sfq: invalid perturb period.
>
> tc qd add dev lo root sfq perturb 2000000 # acceptable value
> tc -s -d qd sh dev lo
> qdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec
> Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
Please kindly provide a selftest (as a separate patch) since it looks
fairly easy to reproduce. With AI copilot today, this becomes much
easier, so hopefully it won't bring you much burden. :)
Thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-06-12 20:11 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-11 8:35 [PATCH net] net_sched: sch_sfq: reject invalid perturb period Eric Dumazet
2025-06-12 15:10 ` patchwork-bot+netdevbpf
2025-06-12 20:11 ` Cong Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox