diff options
| author | Victor Nogueira <[email protected]> | 2025-07-07 21:08:01 +0000 |
|---|---|---|
| committer | Jakub Kicinski <[email protected]> | 2025-07-10 02:23:25 +0000 |
| commit | ffdde7bf5a439aaa1955ebd581f5c64ab1533963 (patch) | |
| tree | 1ff9594c68caa6fa0868f04513410083fa542c24 /net/ipv4/tcp_input.c | |
| parent | net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_... (diff) | |
| download | kernel-ffdde7bf5a439aaa1955ebd581f5c64ab1533963.tar.gz kernel-ffdde7bf5a439aaa1955ebd581f5c64ab1533963.zip | |
net/sched: Abort __tc_modify_qdisc if parent class does not exist
Lion's patch [1] revealed an ancient bug in the qdisc API.
Whenever a user creates/modifies a qdisc specifying as a parent another
qdisc, the qdisc API will, during grafting, detect that the user is
not trying to attach to a class and reject. However grafting is
performed after qdisc_create (and thus the qdiscs' init callback) is
executed. In qdiscs that eventually call qdisc_tree_reduce_backlog
during init or change (such as fq, hhf, choke, etc), an issue
arises. For example, executing the following commands:
sudo tc qdisc add dev lo root handle a: htb default 2
sudo tc qdisc add dev lo parent a: handle beef fq
Qdiscs such as fq, hhf, choke, etc unconditionally invoke
qdisc_tree_reduce_backlog() in their control path init() or change() which
then causes a failure to find the child class; however, that does not stop
the unconditional invocation of the assumed child qdisc's qlen_notify with
a null class. All these qdiscs make the assumption that class is non-null.
The solution is ensure that qdisc_leaf() which looks up the parent
class, and is invoked prior to qdisc_create(), should return failure on
not finding the class.
In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the
parentid doesn't correspond to a class, so that we can detect it
earlier on and abort before qdisc_create is called.
[1] https://lore.kernel.org/netdev/[email protected]/
Fixes: 5e50da01d0ce ("[NET_SCHED]: Fix endless loops (part 2): "simple" qdiscs")
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Acked-by: Jamal Hadi Salim <[email protected]>
Reviewed-by: Cong Wang <[email protected]>
Signed-off-by: Victor Nogueira <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Diffstat (limited to 'net/ipv4/tcp_input.c')
0 files changed, 0 insertions, 0 deletions