net_sched: Prevent creation of classes with TC_H_ROOT

[ Upstream commit 0c3057a5a04d07120b3d0ec9c79568fceb9c921e ]

The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination
condition when traversing up the qdisc tree to update parent backlog
counters. However, if a class is created with classid TC_H_ROOT, the
traversal terminates prematurely at this class instead of reaching the
actual root qdisc, causing parent statistics to be incorrectly maintained.
In case of DRR, this could lead to a crash as reported by Mingi Cho.

Prevent the creation of any Qdisc class with classid TC_H_ROOT
(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.

BUG=b/403930957
TEST=presubmit
RELEASE_NOTE=Fixed KCTF-0c3057a in the Linux kernel.

cos-patch: security-high
Reported-by: Mingi Cho <[email protected]>
Change-Id: I676f148c8c24f1ff3f1c9eabbe7051b1717a0193
Signed-off-by: Cong Wang <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop")
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Kernel CVE Triage Automation <[email protected]>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/98381
Reviewed-by: Michael Kochera <[email protected]>
Reviewed-by: Arnav Kansal <[email protected]>
Tested-by: Cusky Presubmit Bot <[email protected]>
1 file changed
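
The premature stop described in the commit message, shown as an added user-space model. This is not the kernel source and not part of this commit: the struct, the model_* function names and the 0x00010001 classid are hypothetical, and only TC_H_ROOT and its value come from the page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define TC_H_ROOT 0xFFFFFFFFU   /* value given in the commit message */

/* Simplified stand-in for a qdisc: only what the upward walk needs. */
struct model_qdisc {
    uint32_t parent;            /* classid this qdisc is attached under */
    struct model_qdisc *up;     /* qdisc owning that class, NULL at the root */
    int qlen;                   /* packets accounted to this qdisc */
};

/* Walk towards the root, removing n packets from every ancestor's count.
 * As in the traversal described above, parent == TC_H_ROOT ends the walk. */
static void model_reduce_backlog(struct model_qdisc *sch, int n)
{
    while (sch->parent != TC_H_ROOT && sch->up != NULL) {
        sch = sch->up;
        sch->qlen -= n;
    }
}

/* Check in the spirit of the fix: the sentinel is never a valid classid. */
static int model_class_create(uint32_t classid)
{
    return classid == TC_H_ROOT ? -EINVAL : 0;
}

/* Root qlen after a child attached under child_parent drops one packet.
 * The root starts with one packet accounted on behalf of the child. */
static int root_qlen_after_drop(uint32_t child_parent)
{
    struct model_qdisc root  = { TC_H_ROOT, NULL, 1 };
    struct model_qdisc child = { child_parent, &root, 1 };

    child.qlen -= 1;                  /* the child drops its packet */
    model_reduce_backlog(&child, 1);  /* propagate to the ancestors */
    return root.qlen;
}

int main(void)
{
    printf("ordinary classid:  root qlen = %d\n", root_qlen_after_drop(0x00010001U));
    printf("classid TC_H_ROOT: root qlen = %d\n", root_qlen_after_drop(TC_H_ROOT));
    printf("create check:      %d\n", model_class_create(TC_H_ROOT));
    return 0;
}
```

With the sentinel classid the root keeps counting a packet that no longer exists, which is the stale parent statistic the message describes; rejecting the classid at creation time means the walk never encounters that state.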