From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Jamal Hadi Salim <jhs@mojatatu.com>,
Victor Nogueira <victor@mojatatu.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 25/55] net_sched: ets: Fix double list add in class with netem as child qdisc
Date: Wed, 7 May 2025 20:39:26 +0200 [thread overview]
Message-ID: <20250507183800.054481205@linuxfoundation.org> (raw)
In-Reply-To: <20250507183759.048732653@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Nogueira <victor@mojatatu.com>
[ Upstream commit 1a6d0c00fa07972384b0c308c72db091d49988b6 ]
As described in Gerrard's report [1], there are use cases where a netem
child qdisc will make the parent qdisc's enqueue callback reentrant.
In the case of ets, there won't be a UAF, but the code will add the same
classifier to the list twice, which will cause memory corruption.
In addition to checking for qlen being zero, this patch checks whether
the class was already added to the active_list (cl_is_active) before
doing the addition to cater for the reentrant case.
[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
Fixes: 37d9cf1a3ce3 ("sched: Fix detection of empty queues in child qdiscs")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20250425220710.3964791-4-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_ets.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
index d686ea7e8db49..07fae45f58732 100644
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -74,6 +74,11 @@ static const struct nla_policy ets_class_policy[TCA_ETS_MAX + 1] = {
[TCA_ETS_QUANTA_BAND] = { .type = NLA_U32 },
};
+static bool cl_is_active(struct ets_class *cl)
+{
+ return !list_empty(&cl->alist);
+}
+
static int ets_quantum_parse(struct Qdisc *sch, const struct nlattr *attr,
unsigned int *quantum,
struct netlink_ext_ack *extack)
@@ -424,7 +429,6 @@ static int ets_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
struct ets_sched *q = qdisc_priv(sch);
struct ets_class *cl;
int err = 0;
- bool first;
cl = ets_classify(skb, sch, &err);
if (!cl) {
@@ -434,7 +438,6 @@ static int ets_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
return err;
}
- first = !cl->qdisc->q.qlen;
err = qdisc_enqueue(skb, cl->qdisc, to_free);
if (unlikely(err != NET_XMIT_SUCCESS)) {
if (net_xmit_drop_count(err)) {
@@ -444,7 +447,7 @@ static int ets_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
return err;
}
- if (first && !ets_class_is_strict(q, cl)) {
+ if (!cl_is_active(cl) && !ets_class_is_strict(q, cl)) {
list_add_tail(&cl->alist, &q->active);
cl->deficit = cl->quantum;
}
--
2.39.5
next prev parent reply other threads:[~2025-05-07 18:42 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-07 18:39 [PATCH 5.15 00/55] 5.15.182-rc1 review Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 01/55] ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 02/55] drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 03/55] EDAC/altera: Test the correct error reg offset Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 04/55] EDAC/altera: Set DDR and SDMMC interrupt mask before registration Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 05/55] i2c: imx-lpi2c: Fix clock count when probe defers Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 06/55] arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 07/55] parisc: Fix double SIGFPE crash Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 08/55] amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 09/55] mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 10/55] wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 11/55] dm-integrity: fix a warning on invalid table line Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 12/55] dm: always update the array size in realloc_argv on success Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 13/55] iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 14/55] iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 15/55] tracing: Fix oob write in trace_seq_to_buffer() Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 16/55] KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 17/55] net/sched: act_mirred: dont override retval if we already lost the skb Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 18/55] net/mlx5: E-Switch, Initialize MAC Address for Default GID Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 19/55] net/mlx5: E-switch, Fix error handling for enabling roce Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 20/55] net: ethernet: mtk-star-emac: separate tx/rx handling with two NAPIs Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 21/55] net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 22/55] net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 23/55] net_sched: drr: Fix double list add in class with netem as child qdisc Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 24/55] net_sched: hfsc: Fix a UAF vulnerability " Greg Kroah-Hartman
2025-05-07 18:39 ` Greg Kroah-Hartman [this message]
2025-05-07 18:39 ` [PATCH 5.15 26/55] net_sched: qfq: Fix double list add " Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 27/55] ice: Refactor promiscuous functions Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 28/55] ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 29/55] net: dlink: Correct endianness handling of led_mode Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 30/55] net: ipv6: fix UDPv6 GSO segmentation with NAT Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 31/55] bnxt_en: Fix coredump logic to free allocated buffer Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 32/55] bnxt_en: Fix out-of-bound memcpy() during ethtool -w Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 33/55] bnxt_en: Fix ethtool -d byte order for 32-bit values Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 34/55] nvme-tcp: fix premature queue removal and I/O failover Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 35/55] net: lan743x: Fix memleak issue when GSO enabled Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 36/55] net: fec: ERR007885 Workaround for conventional TX Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 37/55] net: hns3: store rx VLAN tag offload state for VF Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 38/55] net: hns3: add support for external loopback test Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 39/55] net: hns3: fix an interrupt residual problem Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 40/55] net: hns3: fixed debugfs tm_qset size Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 41/55] net: hns3: defer calling ptp_clock_register() Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 42/55] PCI: imx6: Skip controller_id generation logic for i.MX7D Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 43/55] of: module: add buffer overflow check in of_modalias() Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 44/55] net: hns3: fix deadlock issue when externel_lb and reset are executed together Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 45/55] firmware: arm_scmi: Balance device refcount when destroying devices Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 46/55] ARM: dts: opos6ul: add ksz8081 phy properties Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 47/55] net: phy: microchip: force IRQ polling mode for lan88xx Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 48/55] Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 49/55] irqchip/gic-v2m: Add const to of_device_id Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 50/55] irqchip/gic-v2m: Mark a few functions __init Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 51/55] irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 52/55] serial: msm: Configure correct working mode before starting earlycon Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 53/55] riscv: uprobes: Add missing fence.i after building the XOL buffer Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 54/55] iommu/arm-smmu-v3: Use the new rb tree helpers Greg Kroah-Hartman
2025-05-07 18:39 ` [PATCH 5.15 55/55] iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Greg Kroah-Hartman
2025-05-08 9:23 ` [PATCH 5.15 00/55] 5.15.182-rc1 review Pavel Machek
2025-05-08 9:44 ` Jon Hunter
2025-05-08 11:23 ` Greg Kroah-Hartman
2025-05-08 12:22 ` Jon Hunter
2025-05-08 11:05 ` Florian Fainelli
2025-05-08 15:01 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250507183800.054481205@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jhs@mojatatu.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=victor@mojatatu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox