archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 03:04:51 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'net_sched-fix-uaf-vulnerability-in-hfsc-qdisc'

Browse source 
Cong Wang says:

====================
net_sched: Fix UAF vulnerability in HFSC qdisc

This patchset contains two bug fixes and a selftest for the first one
which we have a reliable reproducer, please check each patch
description for details.
====================

Link: https://patch.msgid.link/20250417184732.943057-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski 2025-04-23 17:16:52 -07:00
commit fa44042a42
2 changed files with 56 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

23
net/sched/sch_hfsc.c
View file

@ -961,6 +961,7 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
if (cl != NULL) {
int old_flags;
int len = 0;
if (parentid) {
if (cl->cl_parent &&
@ -991,9 +992,13 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
if (usc != NULL)
hfsc_change_usc(cl, usc, cur_time);
if (cl->qdisc->q.qlen != 0)
len = qdisc_peek_len(cl->qdisc);
/* Check queue length again since some qdisc implementations
* (e.g., netem/codel) might empty the queue during the peek
* operation.
*/
if (cl->qdisc->q.qlen != 0) {
int len = qdisc_peek_len(cl->qdisc);
if (cl->cl_flags & HFSC_RSC) {
if (old_flags & HFSC_RSC)
update_ed(cl, len);
@ -1636,10 +1641,16 @@ hfsc_dequeue(struct Qdisc *sch)
if (cl->qdisc->q.qlen != 0) {
/* update ed */
next_len = qdisc_peek_len(cl->qdisc);
if (realtime)
update_ed(cl, next_len);
else
update_d(cl, next_len);
/* Check queue length again since some qdisc implementations
* (e.g., netem/codel) might empty the queue during the peek
* operation.
*/
if (cl->qdisc->q.qlen != 0) {
if (realtime)
update_ed(cl, next_len);
else
update_d(cl, next_len);
}
} else {
/* the class becomes passive */
eltree_remove(cl);

39
tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json
View file

@ -313,5 +313,44 @@
"$TC qdisc del dev $DUMMY handle 1: root",
"$IP addr del 10.10.10.10/24 dev $DUMMY || true"
]
},
{
"id": "a4c3",
"name": "Test HFSC with netem/blackhole - queue emptying during peek operation",
"category": [
"qdisc",
"hfsc",
"netem",
"blackhole"
],
"plugins": {
"requires": "nsPlugin"
},
"setup": [
"$IP link set dev $DUMMY up || true",
"$IP addr add 10.10.10.10/24 dev $DUMMY || true",
"$TC qdisc add dev $DUMMY handle 1:0 root drr",
"$TC class add dev $DUMMY parent 1:0 classid 1:1 drr",
"$TC class add dev $DUMMY parent 1:0 classid 1:2 drr",
"$TC qdisc add dev $DUMMY parent 1:1 handle 2:0 plug limit 1024",
"$TC qdisc add dev $DUMMY parent 1:2 handle 3:0 hfsc default 1",
"$TC class add dev $DUMMY parent 3:0 classid 3:1 hfsc rt m1 5Mbit d 10ms m2 10Mbit",
"$TC qdisc add dev $DUMMY parent 3:1 handle 4:0 netem delay 1ms",
"$TC qdisc add dev $DUMMY parent 4:1 handle 5:0 blackhole",
"ping -c 3 -W 0.01 -i 0.001 -s 1 10.10.10.10 -I $DUMMY > /dev/null 2>&1 || true",
"$TC class change dev $DUMMY parent 3:0 classid 3:1 hfsc sc m1 5Mbit d 10ms m2 10Mbit",
"$TC class del dev $DUMMY parent 3:0 classid 3:1",
"$TC class add dev $DUMMY parent 3:0 classid 3:1 hfsc rt m1 5Mbit d 10ms m2 10Mbit",
"ping -c 3 -W 0.01 -i 0.001 -s 1 10.10.10.10 -I $DUMMY > /dev/null 2>&1 || true"
],
"cmdUnderTest": "$TC class change dev $DUMMY parent 3:0 classid 3:1 hfsc sc m1 5Mbit d 10ms m2 10Mbit",
"expExitCode": "0",
"verifyCmd": "$TC -s qdisc show dev $DUMMY",
"matchPattern": "qdisc hfsc 3:.*parent 1:2.*default 1",
"matchCount": "1",
"teardown": [
"$TC qdisc del dev $DUMMY handle 1:0 root",
"$IP addr del 10.10.10.10/24 dev $DUMMY || true"
]
}
]