From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, "Alan J. Wylie" <alan@wylie.me.uk>,
Cong Wang <xiyou.wangcong@gmail.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 08/92] sch_htb: make htb_deactivate() idempotent
Date: Mon, 12 May 2025 19:44:43 +0200 [thread overview]
Message-ID: <20250512172023.470427848@linuxfoundation.org> (raw)
In-Reply-To: <20250512172023.126467649@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 3769478610135e82b262640252d90f6efb05be71 ]
Alan reported a NULL pointer dereference in htb_next_rb_node()
after we made htb_qlen_notify() idempotent.
It turns out in the following case it introduced some regression:
htb_dequeue_tree():
|-> fq_codel_dequeue()
|-> qdisc_tree_reduce_backlog()
|-> htb_qlen_notify()
|-> htb_deactivate()
|-> htb_next_rb_node()
|-> htb_deactivate()
For htb_next_rb_node(), after calling the 1st htb_deactivate(), the
clprio[prio]->ptr could be already set to NULL, which means
htb_next_rb_node() is vulnerable here.
For htb_deactivate(), although we checked qlen before calling it, in
case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again
which triggers the warning inside.
To fix the issues here, we need to:
1) Make htb_deactivate() idempotent, that is, simply return if we
already call it before.
2) Make htb_next_rb_node() safe against ptr==NULL.
Many thanks to Alan for testing and for the reproducer.
Fixes: 5ba8b837b522 ("sch_htb: make htb_qlen_notify() idempotent")
Reported-by: Alan J. Wylie <alan@wylie.me.uk>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://patch.msgid.link/20250428232955.1740419-2-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_htb.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index fb0fb8825574c..29f394fe39987 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -345,7 +345,8 @@ static void htb_add_to_wait_tree(struct htb_sched *q,
*/
static inline void htb_next_rb_node(struct rb_node **n)
{
- *n = rb_next(*n);
+ if (*n)
+ *n = rb_next(*n);
}
/**
@@ -606,8 +607,8 @@ static inline void htb_activate(struct htb_sched *q, struct htb_class *cl)
*/
static inline void htb_deactivate(struct htb_sched *q, struct htb_class *cl)
{
- WARN_ON(!cl->prio_activity);
-
+ if (!cl->prio_activity)
+ return;
htb_deactivate_prios(q, cl);
cl->prio_activity = 0;
}
@@ -1482,8 +1483,6 @@ static void htb_qlen_notify(struct Qdisc *sch, unsigned long arg)
{
struct htb_class *cl = (struct htb_class *)arg;
- if (!cl->prio_activity)
- return;
htb_deactivate(qdisc_priv(sch), cl);
}
@@ -1735,8 +1734,7 @@ static int htb_delete(struct Qdisc *sch, unsigned long arg,
if (cl->parent)
cl->parent->children--;
- if (cl->prio_activity)
- htb_deactivate(q, cl);
+ htb_deactivate(q, cl);
if (cl->cmode != HTB_CAN_SEND)
htb_safe_rb_erase(&cl->pq_node,
@@ -1948,8 +1946,7 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
/* turn parent into inner node */
qdisc_purge_queue(parent->leaf.q);
parent_qdisc = parent->leaf.q;
- if (parent->prio_activity)
- htb_deactivate(q, parent);
+ htb_deactivate(q, parent);
/* remove from evt list because of level change */
if (parent->cmode != HTB_CAN_SEND) {
--
2.39.5
next prev parent reply other threads:[~2025-05-12 17:53 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-12 17:44 [PATCH 6.1 00/92] 6.1.139-rc1 review Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 01/92] dm: add missing unlock on in dm_keyslot_evict() Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 02/92] arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 03/92] can: mcan: m_can_class_unregister(): fix order of unregistration calls Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 04/92] can: mcp251xfd: mcp251xfd_remove(): " Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 05/92] ksmbd: prevent out-of-bounds stream writes by validating *pos Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 06/92] openvswitch: Fix unsafe attribute parsing in output_userspace() Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 07/92] ksmbd: fix memory leak in parse_lease_state() Greg Kroah-Hartman
2025-05-12 17:44 ` Greg Kroah-Hartman [this message]
2025-05-12 17:44 ` [PATCH 6.1 09/92] gre: Fix again IPv6 link-local address generation Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 10/92] can: mcp251xfd: fix TDC setting for low data bit rates Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 11/92] rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 12/92] can: gw: fix RCU/BH usage in cgw_create_job() Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 13/92] ipv4: Drop tos parameter from flowi4_update_output() Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 14/92] ipvs: fix uninit-value for saddr in do_output_route4 Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 15/92] netfilter: ipset: fix region locking in hash types Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 16/92] bpf: Scrub packet on bpf_redirect_peer Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 17/92] net: dsa: b53: allow leaky reserved multicast Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 18/92] net: dsa: b53: fix clearing PVID of a port Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 19/92] net: dsa: b53: fix flushing old pvid VLAN on pvid change Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 20/92] net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 21/92] net: dsa: b53: always rejoin default untagged VLAN " Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 22/92] net: dsa: b53: fix learning on VLAN unaware bridges Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 23/92] Input: mtk-pmic-keys - fix possible null pointer dereference Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.1 24/92] Input: synaptics - enable InterTouch on Dynabook Portege X30-D Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 25/92] Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 26/92] Input: synaptics - enable InterTouch on Dell Precision M3800 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 27/92] Input: synaptics - enable SMBus for HP Elitebook 850 G1 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 28/92] Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 29/92] staging: iio: adc: ad7816: Correct conditional logic for store mode Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 30/92] staging: axis-fifo: Remove hardware resets for user errors Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 31/92] staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 32/92] x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 33/92] drm/amd/display: Shift DMUB AUX reply command if necessary Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 34/92] iio: adc: ad7606: fix serial register access Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 35/92] iio: adis16201: Correct inclinometer channel resolution Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 36/92] iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 37/92] iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 38/92] drm/v3d: Add job to pending list if the reset was skipped Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 39/92] drm/amd/display: Fix the checking condition in dmub aux handling Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 40/92] drm/amd/display: Remove incorrect checking in dmub aux handler Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 41/92] drm/amd/display: Fix wrong handling for AUX_DEFER case Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 42/92] drm/amd/display: Copy AUX read reply data whenever length > 0 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 43/92] drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 44/92] usb: uhci-platform: Make the clock really optional Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 45/92] xenbus: Use kref to track req lifetime Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 46/92] module: ensure that kobject_put() is safe for module type kobjects Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 47/92] ocfs2: switch osb->disable_recovery to enum Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 48/92] ocfs2: implement handshaking with ocfs2 recovery thread Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 49/92] ocfs2: stop quota recovery before disabling quotas Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 50/92] usb: cdnsp: Fix issue with resuming from L1 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 51/92] usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 52/92] usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 53/92] usb: host: tegra: Prevent host controller crash when OTG port is used Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 54/92] usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 55/92] usb: typec: ucsi: displayport: Fix NULL pointer access Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 56/92] USB: usbtmc: use interruptible sleep in usbtmc_read Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 57/92] usb: usbtmc: Fix erroneous get_stb ioctl error returns Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 58/92] usb: usbtmc: Fix erroneous wait_srq ioctl return Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 59/92] usb: usbtmc: Fix erroneous generic_read " Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 60/92] iio: accel: adxl367: fix setting odr for activity time update Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 61/92] iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 62/92] types: Complement the aligned types with signed 64-bit one Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 63/92] iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 64/92] iio: adc: dln2: Use aligned_s64 for timestamp Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 65/92] MIPS: Fix MAX_REG_OFFSET Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 66/92] drm/panel: simple: Update timings for AUO G101EVN010 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 67/92] nvme: unblock ctrl state transition for firmware update Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 68/92] do_umount(): add missing barrier before refcount checks in sync case Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 69/92] io_uring: always arm linked timeouts prior to issue Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 70/92] io_uring: ensure deferred completions are posted for multishot Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 71/92] Revert "net: phy: microchip: force IRQ polling mode for lan88xx" Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 72/92] arm64: insn: Add support for encoding DSB Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 73/92] arm64: proton-pack: Expose whether the platform is mitigated by firmware Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 74/92] arm64: proton-pack: Expose whether the branchy loop k value Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 75/92] arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 76/92] arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 77/92] arm64: proton-pack: Add new CPUs k values for branch mitigation Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 78/92] x86/bpf: Call branch history clearing sequence on exit Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 79/92] x86/bpf: Add IBHF call at end of classic BPF Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 80/92] x86/bhi: Do not set BHI_DIS_S in 32-bit mode Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 81/92] x86/speculation: Simplify and make CALL_NOSPEC consistent Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 82/92] x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 83/92] x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.1 84/92] Documentation: x86/bugs/its: Add ITS documentation Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.1 85/92] x86/its: Enumerate Indirect Target Selection (ITS) bug Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.1 86/92] x86/its: Add support for ITS-safe indirect thunk Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.1 87/92] x86/its: Add support for ITS-safe return thunk Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.1 88/92] x86/its: Enable Indirect Target Selection mitigation Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.1 89/92] x86/its: Add "vmexit" option to skip mitigation on some CPUs Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.1 90/92] x86/its: Align RETs in BHB clear sequence to avoid thunking Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.1 91/92] x86/ibt: Keep IBT disabled during alternative patching Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.1 92/92] x86/its: Use dynamic thunks for indirect branches Greg Kroah-Hartman
2025-05-12 20:56 ` [PATCH 6.1 00/92] 6.1.139-rc1 review Jon Hunter
2025-05-13 6:45 ` Pavel Machek
2025-05-13 9:43 ` Florian Fainelli
2025-05-13 9:48 ` Mark Brown
2025-05-13 10:04 ` Ron Economos
2025-05-13 11:39 ` Peter Schneider
2025-05-13 17:19 ` Naresh Kamboju
2025-05-13 17:32 ` Shuah Khan
2025-05-14 17:11 ` Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250512172023.470427848@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alan@wylie.me.uk \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox