net/sched: codel: Inclusion of patchset

Linux kernel -stable discussions
 help / color / mirror / Atom feed

* net/sched: codel: Inclusion of patchset
@ 2025-05-02  4:49 Tai, Gerrard
  2025-05-05  9:28 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 5+ messages in thread
From: Tai, Gerrard @ 2025-05-02  4:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cong Wang, Simon Horman,
	Jamal Hadi Salim, Paolo Abeni, Sasha Levin

Upstream commits:
01: 5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make
htb_qlen_notify() idempotent")
02: df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make
drr_qlen_notify() idempotent")
03: 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb ("sch_hfsc: make
hfsc_qlen_notify() idempotent")
04: 55f9eca4bfe30a15d8656f915922e8c98b7f0728 ("sch_qfq: make
qfq_qlen_notify() idempotent")
05: a7a15f39c682ac4268624da2abdb9114bdde96d5 ("sch_ets: make
est_qlen_notify() idempotent")
06: 342debc12183b51773b3345ba267e9263bdfaaef ("codel: remove
sch->q.qlen check before qdisc_tree_reduce_backlog()")

These patches are patch 01-06 of the original patchset ([1]) authored by
Cong Wang. I have omitted patches 07-11 which are selftests. This patchset
addresses a UAF vulnerability.

Originally, only the last commit (06) was picked to merge into the latest
round of stable queues 5.15,5.10,5.4. For 6.x stable branches, that sole
commit has already been merged in a previous cycle.

From my understanding, this patch depends on the previous patches to work.
Without patches 01-05 which make various classful qdiscs' qlen_notify()
idempotent, if an fq_codel's dequeue() routine empties the fq_codel qdisc,
it will be doubly deactivated - first in the parent qlen_notify and then
again in the parent dequeue. For instance, in the case of parent drr,
the double deactivation will either cause a fault on an invalid address,
or trigger a splat if list checks are compiled into the kernel. This is
also why the original unpatched code included the qlen check in the first
place.

After discussion with Greg, he has helped to temporarily drop the patch
from the 5.x queues ([2]). My suggestion is to include patches 01-06 of the
patchset, as listed above, for the 5.x queues. For the 6.x queues that have
already merged patch 06, the earlier patches 01-05 should be merged too.

I'm not too familiar with the stable patch process, so I may be completely
mistaken here.

Cheers,
Gerrard

[1]: https://lore.kernel.org/netdev/174410343500.1831514.15019771038334698036.git-patchwork-notify@kernel.org/
[2]: https://lore.kernel.org/stable/2025050131-fragrant-famine-eb32@gregkh/

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: net/sched: codel: Inclusion of patchset
  2025-05-02  4:49 net/sched: codel: Inclusion of patchset Tai, Gerrard
@ 2025-05-05  9:28 ` Greg Kroah-Hartman
  2025-05-07  2:59   ` Tai, Gerrard
  0 siblings, 1 reply; 5+ messages in thread
From: Greg Kroah-Hartman @ 2025-05-05  9:28 UTC (permalink / raw)
  To: Tai, Gerrard
  Cc: stable, patches, Cong Wang, Simon Horman, Jamal Hadi Salim,
	Paolo Abeni, Sasha Levin

On Fri, May 02, 2025 at 12:49:48PM +0800, Tai, Gerrard wrote:
> Upstream commits:
> 01: 5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make
> htb_qlen_notify() idempotent")
> 02: df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make
> drr_qlen_notify() idempotent")
> 03: 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb ("sch_hfsc: make
> hfsc_qlen_notify() idempotent")
> 04: 55f9eca4bfe30a15d8656f915922e8c98b7f0728 ("sch_qfq: make
> qfq_qlen_notify() idempotent")
> 05: a7a15f39c682ac4268624da2abdb9114bdde96d5 ("sch_ets: make
> est_qlen_notify() idempotent")
> 06: 342debc12183b51773b3345ba267e9263bdfaaef ("codel: remove
> sch->q.qlen check before qdisc_tree_reduce_backlog()")
> 
> These patches are patch 01-06 of the original patchset ([1]) authored by
> Cong Wang. I have omitted patches 07-11 which are selftests. This patchset
> addresses a UAF vulnerability.
> 
> Originally, only the last commit (06) was picked to merge into the latest
> round of stable queues 5.15,5.10,5.4. For 6.x stable branches, that sole
> commit has already been merged in a previous cycle.
> 
> >From my understanding, this patch depends on the previous patches to work.
> Without patches 01-05 which make various classful qdiscs' qlen_notify()
> idempotent, if an fq_codel's dequeue() routine empties the fq_codel qdisc,
> it will be doubly deactivated - first in the parent qlen_notify and then
> again in the parent dequeue. For instance, in the case of parent drr,
> the double deactivation will either cause a fault on an invalid address,
> or trigger a splat if list checks are compiled into the kernel. This is
> also why the original unpatched code included the qlen check in the first
> place.
> 
> After discussion with Greg, he has helped to temporarily drop the patch
> from the 5.x queues ([2]). My suggestion is to include patches 01-06 of the
> patchset, as listed above, for the 5.x queues. For the 6.x queues that have
> already merged patch 06, the earlier patches 01-05 should be merged too.
> 
> I'm not too familiar with the stable patch process, so I may be completely
> mistaken here.

I'll be glad to take what is needed, but please list what commits need
to go to what branches and in what exact order please.

Or better yet, send backported patches to us, as patch series emails,
which we can import that way as we know you have tested them properly.

thanks!

greg k-h

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: net/sched: codel: Inclusion of patchset
  2025-05-05  9:28 ` Greg Kroah-Hartman
@ 2025-05-07  2:59   ` Tai, Gerrard
  2025-05-07  4:11     ` Cong Wang
  2025-05-07 14:04     ` Greg Kroah-Hartman
  0 siblings, 2 replies; 5+ messages in thread
From: Tai, Gerrard @ 2025-05-07  2:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, Cong Wang, Simon Horman, Jamal Hadi Salim,
	Paolo Abeni, Sasha Levin

On Mon, May 5, 2025 at 5:28 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Fri, May 02, 2025 at 12:49:48PM +0800, Tai, Gerrard wrote:
> > Upstream commits:
> > 01: 5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make
> > htb_qlen_notify() idempotent")
> > 02: df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make
> > drr_qlen_notify() idempotent")
> > 03: 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb ("sch_hfsc: make
> > hfsc_qlen_notify() idempotent")
> > 04: 55f9eca4bfe30a15d8656f915922e8c98b7f0728 ("sch_qfq: make
> > qfq_qlen_notify() idempotent")
> > 05: a7a15f39c682ac4268624da2abdb9114bdde96d5 ("sch_ets: make
> > est_qlen_notify() idempotent")
> > 06: 342debc12183b51773b3345ba267e9263bdfaaef ("codel: remove
> > sch->q.qlen check before qdisc_tree_reduce_backlog()")
> >
> > These patches are patch 01-06 of the original patchset ([1]) authored by
> > Cong Wang. I have omitted patches 07-11 which are selftests. This patchset
> > addresses a UAF vulnerability.
> >
> > Originally, only the last commit (06) was picked to merge into the latest
> > round of stable queues 5.15,5.10,5.4. For 6.x stable branches, that sole
> > commit has already been merged in a previous cycle.
> >
> > >From my understanding, this patch depends on the previous patches to work.
> > Without patches 01-05 which make various classful qdiscs' qlen_notify()
> > idempotent, if an fq_codel's dequeue() routine empties the fq_codel qdisc,
> > it will be doubly deactivated - first in the parent qlen_notify and then
> > again in the parent dequeue. For instance, in the case of parent drr,
> > the double deactivation will either cause a fault on an invalid address,
> > or trigger a splat if list checks are compiled into the kernel. This is
> > also why the original unpatched code included the qlen check in the first
> > place.
> >
> > After discussion with Greg, he has helped to temporarily drop the patch
> > from the 5.x queues ([2]). My suggestion is to include patches 01-06 of the
> > patchset, as listed above, for the 5.x queues. For the 6.x queues that have
> > already merged patch 06, the earlier patches 01-05 should be merged too.
> >
> > I'm not too familiar with the stable patch process, so I may be completely
> > mistaken here.
>
> I'll be glad to take what is needed, but please list what commits need
> to go to what branches and in what exact order please.

Here's the list of commits. The order should be the sequence as listed
below.

6.14, 6.13, 6.12, 6.6, 6.1: (all 6.* branches)
5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make
htb_qlen_notify() idempotent")
df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make
drr_qlen_notify() idempotent")
51eb3b65544c9efd6a1026889ee5fb5aa62da3bb ("sch_hfsc: make
hfsc_qlen_notify() idempotent")
55f9eca4bfe30a15d8656f915922e8c98b7f0728 ("sch_qfq: make
qfq_qlen_notify() idempotent")
a7a15f39c682ac4268624da2abdb9114bdde96d5 ("sch_ets: make
est_qlen_notify() idempotent")

5.15, 5.10, 5.4: (all 5.* branches)
5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make
htb_qlen_notify() idempotent")
df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make
drr_qlen_notify() idempotent")
51eb3b65544c9efd6a1026889ee5fb5aa62da3bb ("sch_hfsc: make
hfsc_qlen_notify() idempotent")
55f9eca4bfe30a15d8656f915922e8c98b7f0728 ("sch_qfq: make
qfq_qlen_notify() idempotent")
a7a15f39c682ac4268624da2abdb9114bdde96d5 ("sch_ets: make
est_qlen_notify() idempotent")
342debc12183b51773b3345ba267e9263bdfaaef ("codel: remove
sch->q.qlen check before qdisc_tree_reduce_backlog()")

Cheers,
Gerrard

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: net/sched: codel: Inclusion of patchset
  2025-05-07  2:59   ` Tai, Gerrard
@ 2025-05-07  4:11     ` Cong Wang
  2025-05-07 14:04     ` Greg Kroah-Hartman
  1 sibling, 0 replies; 5+ messages in thread
From: Cong Wang @ 2025-05-07  4:11 UTC (permalink / raw)
  To: Tai, Gerrard
  Cc: Greg Kroah-Hartman, stable, patches, Simon Horman,
	Jamal Hadi Salim, Paolo Abeni, Sasha Levin

On Tue, May 6, 2025 at 8:00 PM Tai, Gerrard <gerrard.tai@starlabs.sg> wrote:
> Here's the list of commits. The order should be the sequence as listed
> below.
>
> 6.14, 6.13, 6.12, 6.6, 6.1: (all 6.* branches)
> 5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make
> htb_qlen_notify() idempotent")
> df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make
> drr_qlen_notify() idempotent")
> 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb ("sch_hfsc: make
> hfsc_qlen_notify() idempotent")
> 55f9eca4bfe30a15d8656f915922e8c98b7f0728 ("sch_qfq: make
> qfq_qlen_notify() idempotent")
> a7a15f39c682ac4268624da2abdb9114bdde96d5 ("sch_ets: make
> est_qlen_notify() idempotent")

Plus:
376947861013 ("sch_htb: make htb_deactivate() idempotent")

>
> 5.15, 5.10, 5.4: (all 5.* branches)
> 5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make
> htb_qlen_notify() idempotent")
> df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make
> drr_qlen_notify() idempotent")
> 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb ("sch_hfsc: make
> hfsc_qlen_notify() idempotent")
> 55f9eca4bfe30a15d8656f915922e8c98b7f0728 ("sch_qfq: make
> qfq_qlen_notify() idempotent")
> a7a15f39c682ac4268624da2abdb9114bdde96d5 ("sch_ets: make
> est_qlen_notify() idempotent")
> 342debc12183b51773b3345ba267e9263bdfaaef ("codel: remove
> sch->q.qlen check before qdisc_tree_reduce_backlog()")

Ditto.

Thanks!

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: net/sched: codel: Inclusion of patchset
  2025-05-07  2:59   ` Tai, Gerrard
  2025-05-07  4:11     ` Cong Wang
@ 2025-05-07 14:04     ` Greg Kroah-Hartman
  1 sibling, 0 replies; 5+ messages in thread
From: Greg Kroah-Hartman @ 2025-05-07 14:04 UTC (permalink / raw)
  To: Tai, Gerrard
  Cc: stable, patches, Cong Wang, Simon Horman, Jamal Hadi Salim,
	Paolo Abeni, Sasha Levin

On Wed, May 07, 2025 at 10:59:53AM +0800, Tai, Gerrard wrote:
> On Mon, May 5, 2025 at 5:28 PM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Fri, May 02, 2025 at 12:49:48PM +0800, Tai, Gerrard wrote:
> > > Upstream commits:
> > > 01: 5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make
> > > htb_qlen_notify() idempotent")
> > > 02: df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make
> > > drr_qlen_notify() idempotent")
> > > 03: 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb ("sch_hfsc: make
> > > hfsc_qlen_notify() idempotent")
> > > 04: 55f9eca4bfe30a15d8656f915922e8c98b7f0728 ("sch_qfq: make
> > > qfq_qlen_notify() idempotent")
> > > 05: a7a15f39c682ac4268624da2abdb9114bdde96d5 ("sch_ets: make
> > > est_qlen_notify() idempotent")
> > > 06: 342debc12183b51773b3345ba267e9263bdfaaef ("codel: remove
> > > sch->q.qlen check before qdisc_tree_reduce_backlog()")
> > >
> > > These patches are patch 01-06 of the original patchset ([1]) authored by
> > > Cong Wang. I have omitted patches 07-11 which are selftests. This patchset
> > > addresses a UAF vulnerability.
> > >
> > > Originally, only the last commit (06) was picked to merge into the latest
> > > round of stable queues 5.15,5.10,5.4. For 6.x stable branches, that sole
> > > commit has already been merged in a previous cycle.
> > >
> > > >From my understanding, this patch depends on the previous patches to work.
> > > Without patches 01-05 which make various classful qdiscs' qlen_notify()
> > > idempotent, if an fq_codel's dequeue() routine empties the fq_codel qdisc,
> > > it will be doubly deactivated - first in the parent qlen_notify and then
> > > again in the parent dequeue. For instance, in the case of parent drr,
> > > the double deactivation will either cause a fault on an invalid address,
> > > or trigger a splat if list checks are compiled into the kernel. This is
> > > also why the original unpatched code included the qlen check in the first
> > > place.
> > >
> > > After discussion with Greg, he has helped to temporarily drop the patch
> > > from the 5.x queues ([2]). My suggestion is to include patches 01-06 of the
> > > patchset, as listed above, for the 5.x queues. For the 6.x queues that have
> > > already merged patch 06, the earlier patches 01-05 should be merged too.
> > >
> > > I'm not too familiar with the stable patch process, so I may be completely
> > > mistaken here.
> >
> > I'll be glad to take what is needed, but please list what commits need
> > to go to what branches and in what exact order please.
> 
> Here's the list of commits. The order should be the sequence as listed
> below.
> 
> 6.14, 6.13, 6.12, 6.6, 6.1: (all 6.* branches)
> 5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make
> htb_qlen_notify() idempotent")
> df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make
> drr_qlen_notify() idempotent")
> 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb ("sch_hfsc: make
> hfsc_qlen_notify() idempotent")
> 55f9eca4bfe30a15d8656f915922e8c98b7f0728 ("sch_qfq: make
> qfq_qlen_notify() idempotent")
> a7a15f39c682ac4268624da2abdb9114bdde96d5 ("sch_ets: make
> est_qlen_notify() idempotent")
> 
> 5.15, 5.10, 5.4: (all 5.* branches)
> 5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make
> htb_qlen_notify() idempotent")
> df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make
> drr_qlen_notify() idempotent")

This commit did not apply to 5.15.y and older, sorry.

Please provide working, and TESTED backports of patches for us to
be able to include them in the stable trees.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2025-05-07 14:04 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-02  4:49 net/sched: codel: Inclusion of patchset Tai, Gerrard
2025-05-05  9:28 ` Greg Kroah-Hartman
2025-05-07  2:59   ` Tai, Gerrard
2025-05-07  4:11     ` Cong Wang
2025-05-07 14:04     ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox