net_sched: tbf: fix a race in tbf_change() - kernel

diff options

author	Eric Dumazet <[email protected]>	2025-06-11 11:15:13 +0000
committer	Jakub Kicinski <[email protected]>	2025-06-12 15:05:50 +0000
commit	43eb466041216d25dedaef1c383ad7bd89929cbc (patch)
tree	23e2b2fa7716bbc39e9f19585d2143f489b6a73f /net/lapb/lapb_timer.c
parent	net_sched: red: fix a race in __red_change() (diff)
download	kernel-43eb466041216d25dedaef1c383ad7bd89929cbc.tar.gz kernel-43eb466041216d25dedaef1c383ad7bd89929cbc.zip

net_sched: tbf: fix a race in tbf_change()

Gerrard Tai reported a race condition in TBF, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. Fixes: b05972f01e7d ("net: sched: tbf: don't call qdisc_put() while holding tree lock") Reported-by: Gerrard Tai <[email protected]> Suggested-by: Gerrard Tai <[email protected]> Signed-off-by: Eric Dumazet <[email protected]> Cc: Zhengchao Shao <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]>

Diffstat (limited to 'net/lapb/lapb_timer.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: