| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250521091847.GU365796@horms.kernel.org>
Date: Wed, 21 May 2025 10:18:47 +0100
From: Simon Horman <horms@...nel.org>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: netdev@...r.kernel.org, jiri@...nulli.us, jhs@...atatu.com,
Mingi Cho <mincho@...ori.io>
Subject: Re: [Patch net 1/2] sch_hfsc: Fix qlen accounting bug when using
peek in hfsc_enqueue()
On Sun, May 18, 2025 at 03:20:37PM -0700, Cong Wang wrote:
> When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the
> child qdisc's peek() operation before incrementing sch->q.qlen and
> sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may
> trigger an immediate dequeue and potential packet drop. In such cases,
> qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog
> have not yet been updated, leading to inconsistent queue accounting. This
> can leave an empty HFSC class in the active list, causing further
> consequences like use-after-free.
>
> This patch fixes the bug by moving the increment of sch->q.qlen and
> sch->qstats.backlog before the call to the child qdisc's peek() operation.
> This ensures that queue length and backlog are always accurate when packet
> drops or dequeues are triggered during the peek.
>
> Fixes: 12d0ad3be9c3 ("net/sched/sch_hfsc.c: handle corner cases where head may change invalidating calculated deadline")
> Reported-by: Mingi Cho <mincho@...ori.io>
> Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
Reviewed-by: Simon Horman <horms@...nel.org>
Powered by blists - more mailing lists