linux/net/sched
Victor Nogueira f139f37dcd net_sched: qfq: Fix double list add in class with netem as child qdisc
As described in Gerrard's report [1], there are use cases where a netem
child qdisc will make the parent qdisc's enqueue callback reentrant.
In the case of qfq, there won't be a UAF, but the code will add the same
classifier to the list twice, which will cause memory corruption.

This patch checks whether the class was already added to the agg->active
list (cl_is_active) before doing the addition to cater for the reentrant
case.

[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Fixes: 37d9cf1a3c ("sched: Fix detection of empty queues in child qdiscs")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20250425220710.3964791-5-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-04-28 15:55:07 -07:00
act_api.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-10-25 09:08:22 +02:00
act_bpf.c
act_connmark.c
act_csum.c
act_ct.c net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
act_ctinfo.c net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
act_gact.c
act_gate.c net/sched: Switch to use hrtimer_setup() 2025-02-18 10:35:44 +01:00
act_ife.c
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c
act_mpls.c net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
act_nat.c
act_pedit.c
act_police.c net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
act_sample.c
act_simple.c
act_skbedit.c
act_skbmod.c
act_tunnel_key.c net: fix geneve_opt length integer overflow 2025-04-03 15:47:35 -07:00
act_vlan.c
cls_api.c tc: Ensure we have enough buffer space when sending filter netlink notifications 2025-04-08 13:57:49 +02:00
cls_basic.c
cls_bpf.c net: sched: refine software bypass handling in tc_run 2025-01-20 09:21:27 +00:00
cls_cgroup.c
cls_flow.c net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute 2025-01-04 08:49:36 -08:00
cls_flower.c net: fix geneve_opt length integer overflow 2025-04-03 15:47:35 -07:00
cls_fw.c
cls_matchall.c net: sched: refine software bypass handling in tc_run 2025-01-20 09:21:27 +00:00
cls_route.c
cls_u32.c net: sched: refine software bypass handling in tc_run 2025-01-20 09:21:27 +00:00
em_canid.c
em_cmp.c
em_ipset.c
em_ipt.c
em_meta.c net: dismiss sk_forward_alloc_get() 2025-02-19 19:05:28 -08:00
em_nbyte.c
em_text.c
em_u32.c
ematch.c
Kconfig lib/crc: remove CONFIG_LIBCRC32C 2025-04-04 11:31:42 -07:00
Makefile
sch_api.c net: move replay logic to tc_modify_qdisc 2025-03-27 10:18:48 -07:00
sch_blackhole.c
sch_cake.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-01-09 16:11:47 -08:00
sch_cbs.c net/sched: cbs: Fix integer overflow in cbs_set_port_rate() 2024-10-15 18:25:47 -07:00
sch_choke.c net: sched: fix ordering of qlen adjustment 2024-12-04 12:54:22 +00:00
sch_codel.c codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() 2025-04-08 10:57:56 +02:00
sch_drr.c net_sched: drr: Fix double list add in class with netem as child qdisc 2025-04-28 15:55:06 -07:00
sch_etf.c
sch_ets.c net_sched: ets: Fix double list add in class with netem as child qdisc 2025-04-28 15:55:06 -07:00
sch_fifo.c pfifo_tail_enqueue: Drop new packet when sch->limit == 0 2025-02-05 18:13:58 -08:00
sch_fq.c net_sched: sch_fq: add three drop_reason 2024-12-05 17:39:04 -08:00
sch_fq_codel.c codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() 2025-04-08 10:57:56 +02:00
sch_fq_pie.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
sch_frag.c
sch_generic.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
sch_gred.c sched: address a potential NULL pointer dereference in the GRED scheduler. 2025-03-06 16:35:14 -08:00
sch_hfsc.c net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc 2025-04-28 15:55:06 -07:00
sch_hhf.c
sch_htb.c sch_htb: make htb_qlen_notify() idempotent 2025-04-08 10:57:49 +02:00
sch_ingress.c
sch_mq.c
sch_mqprio.c
sch_mqprio_lib.c
sch_mqprio_lib.h
sch_multiq.c
sch_netem.c netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() 2025-02-05 18:14:46 -08:00
sch_pie.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
sch_plug.c
sch_prio.c
sch_qfq.c net_sched: qfq: Fix double list add in class with netem as child qdisc 2025-04-28 15:55:07 -07:00
sch_red.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
sch_sfb.c net/sched: Add drop reasons for AQM-based qdiscs 2024-12-17 13:27:29 +01:00
sch_sfq.c Including fixes from netfilter. 2025-04-10 08:52:18 -07:00
sch_skbprio.c net_sched: skbprio: Remove overly strict queue assertions 2025-04-02 16:03:32 -07:00
sch_taprio.c net/sched: Switch to use hrtimer_setup() 2025-02-18 10:35:44 +01:00
sch_tbf.c net/sched: tbf: correct backlog statistic for GSO packets 2024-11-30 13:02:43 -08:00
sch_teql.c