Evolution-X-Devices/kernel_oneplus_sm8250
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c76506d440f94de2c148cccf3c36f58d4071c3f6
kernel_oneplus_sm8250/net
History
Victor Nogueira 145fe6d33c net/sched: Abort __tc_modify_qdisc if parent class does not exist 
[ Upstream commit ffdde7bf5a439aaa1955ebd581f5c64ab1533963 ]

Lion's patch [1] revealed an ancient bug in the qdisc API.
Whenever a user creates/modifies a qdisc specifying as a parent another
qdisc, the qdisc API will, during grafting, detect that the user is
not trying to attach to a class and reject. However grafting is
performed after qdisc_create (and thus the qdiscs' init callback) is
executed. In qdiscs that eventually call qdisc_tree_reduce_backlog
during init or change (such as fq, hhf, choke, etc), an issue
arises. For example, executing the following commands:

sudo tc qdisc add dev lo root handle a: htb default 2
sudo tc qdisc add dev lo parent a: handle beef fq

Qdiscs such as fq, hhf, choke, etc unconditionally invoke
qdisc_tree_reduce_backlog() in their control path init() or change() which
then causes a failure to find the child class; however, that does not stop
the unconditional invocation of the assumed child qdisc's qlen_notify with
a null class. All these qdiscs make the assumption that class is non-null.

The solution is ensure that qdisc_leaf() which looks up the parent
class, and is invoked prior to qdisc_create(), should return failure on
not finding the class.
In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the
parentid doesn't correspond to a class, so that we can detect it
earlier on and abort before qdisc_create is called.

[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

Fixes: 5e50da01d0 ("[NET_SCHED]: Fix endless loops (part 2): "simple" qdiscs")
Reported-by: syzbot+d8b58d7b0ad89a678a16@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68663c93.a70a0220.5d25f.0857.GAE@google.com/
Reported-by: syzbot+5eccb463fa89309d8bdc@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68663c94.a70a0220.5d25f.0858.GAE@google.com/
Reported-by: syzbot+1261670bbdefc5485a06@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0013.GAE@google.com/
Reported-by: syzbot+15b96fc3aac35468fe77@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0014.GAE@google.com/
Reported-by: syzbot+4dadc5aecf80324d5a51@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68679e81.a70a0220.29cf51.0016.GAE@google.com/
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20250707210801.372995-1-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[uli: backport to 4.19]
Signed-off-by: Ulrich Hecht <uli@kernel.org>
2025-08-18 09:18:13 +02:00
..
6lowpan
6lowpan: Off by one handling ->nexthdr
2020-01-27 14:50:41 +01:00
9p
9p/xen: fix release of IRQ
2024-12-05 10:59:42 +01:00
802
net: 802: LLC+SNAP OID:PID lookup on start of skb data
2025-03-11 08:34:57 +01:00
8021q
net: vlan: don't propagate flags on open
2025-06-04 11:49:01 +02:00
appletalk
net: appletalk: Fix device refcount leak in atrtr_create()
2025-08-13 09:44:39 +02:00
atm
atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
2025-08-13 09:44:38 +02:00
ax25
ax25: Fix UAF bugs in ax25 timers
2022-04-27 13:39:46 +02:00
batman-adv
batman-adv: Ignore own maximum aggregation size during RX
2025-05-08 11:55:41 +02:00
bluetooth
Bluetooth: L2CAP: Fix L2CAP MTU negotiation
2025-08-13 09:44:36 +02:00
bpf
bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()
2022-11-25 17:40:29 +01:00
bpfilter
signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig
2020-01-27 14:50:51 +01:00
bridge
bridge: netfilter: Fix forwarding of fragmented packets
2025-07-17 10:10:40 +02:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:31:44 +01:00
can
can: bcm: add missing rcu read protection for procfs content
2025-07-17 10:07:58 +02:00
ceph
libceph: fix race between delayed_work() and ceph_monc_stop()
2024-07-18 11:39:38 +02:00
core
sock: Correct error checking condition for (assign|release)_proto_idx()
2025-07-17 10:08:04 +02:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:04:10 +01:00
dccp
net: fix data-races around sk->sk_forward_alloc
2025-03-11 08:35:00 +01:00
decnet
Remove DECnet support from kernel
2023-06-21 15:39:57 +02:00
dns_resolver
KEYS: Don't write out to userspace while holding key semaphore
2020-04-23 10:30:24 +02:00
dsa
bridge: switchdev: Allow clearing FDB entry offload indication
2024-09-12 11:02:52 +02:00
ethernet
ethernet: Add helper for assigning packet type when dest address does not match device address
2024-05-17 11:42:37 +02:00
hsr
hsr: Handle failures in module init
2024-03-26 18:22:42 -04:00
ieee802154
net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()
2025-02-07 03:34:23 +01:00
ife
net: sched: ife: fix potential use-after-free
2024-01-08 11:27:34 +01:00
ipv4
ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT
2025-07-17 10:08:04 +02:00
ipv6
net: ipv6: Discard next-hop MTU less than minimum link MTU
2025-08-13 09:44:39 +02:00
iucv
s390/iucv: fix receive buffer virtual vs physical address confusion
2024-09-04 13:13:03 +02:00
kcm
kcm: Serialise kcm_sendmsg() for the same socket.
2024-09-04 13:13:05 +02:00
key
net: af_key: fix sadb_x_filter validation
2023-08-30 16:31:48 +02:00
l2tp
net l2tp: drop flow hash on forward
2024-05-17 11:42:38 +02:00
l3mdev
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:21:06 +01:00
llc
llc: fix data loss when reading from a socket in llc_ui_recvmsg()
2025-07-17 10:07:58 +02:00
mac80211
wifi: mac80211: drop invalid source address OCB frames
2025-08-13 09:44:37 +02:00
mac802154
mac802154: check local interfaces before deleting sdata list
2025-03-11 08:34:59 +01:00
mpls
mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().
2025-07-17 10:08:05 +02:00
ncsi
net: ncsi: Fix GCPS 64-bit member variables
2025-07-17 10:08:00 +02:00
netfilter
netfilter: nft_socket: fix sk refcount leaks
2025-07-17 10:07:59 +02:00
netlabel
calipso: unlock rcu before returning -EAFNOSUPPORT
2025-07-17 10:08:02 +02:00
netlink
netlink: Fix rmem check in netlink_broadcast_deliver().
2025-08-13 09:44:39 +02:00
netrom
netrom: check buffer length before accessing it
2025-02-07 03:34:27 +01:00
nfc
NFC: nci: uart: Set tty->disc_data only in success path
2025-07-17 10:08:02 +02:00
nsh
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
2024-05-17 11:42:38 +02:00
openvswitch
openvswitch: Fix unsafe attribute parsing in output_userspace()
2025-07-17 10:07:55 +02:00
packet
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
2025-02-07 03:34:27 +01:00
phonet
phonet: fix rtm_phonet_notify() skb allocation
2024-05-17 11:42:42 +02:00
psample
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
2023-12-13 17:42:20 +01:00
qrtr
net: qrtr: Update packets cloning when broadcasting
2024-11-08 16:19:08 +01:00
rds
net:rds: Fix possible deadlock in rds_message_put
2024-09-04 13:13:08 +02:00
rfkill
net: rfkill: gpio: Add check for clk_enable()
2024-12-05 10:59:33 +01:00
rose
rose: fix dangling neighbour pointers in rose_rt_device_down()
2025-08-13 09:44:37 +02:00
rxrpc
rxrpc: Fix oops due to non-existence of prealloc backlog struct
2025-08-13 09:44:38 +02:00
sched
net/sched: Abort __tc_modify_qdisc if parent class does not exist
2025-08-18 09:18:13 +02:00
sctp
sctp: Do not wake readers in __sctp_write_space()
2025-07-17 10:08:04 +02:00
smc
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
2025-02-07 03:34:25 +01:00
strparser
sunrpc
sunrpc: update nextcheck time when adding new cache entries
2025-07-17 10:08:03 +02:00
switchdev
tipc
tipc: Fix use-after-free in tipc_conn_close().
2025-08-13 09:44:38 +02:00
tls
net/tls: Fix race in TLS device down flow
2022-07-29 17:10:32 +02:00
unix
af_unix: Remove put_pid()/put_cred() in copy_peercred().
2024-09-12 11:02:51 +02:00
vmw_vsock
vsock/vmci: Clear the vmci transport packet properly when initializing it
2025-08-13 09:44:36 +02:00
wimax
wireless
wifi: nl80211: reject cooked mode if it is set along with other flags
2025-04-04 11:11:29 +02:00
x25
net/x25: fix incorrect parameter validation in the x25_getsockopt() function
2024-03-26 18:22:37 -04:00
xdp
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
2024-07-05 09:00:23 +02:00
xfrm
xfrm_output: Force software GSO only in tunnel mode
2025-05-08 11:55:40 +02:00
compat.c
net: Return the correct errno code
2021-06-30 08:48:13 -04:00
Kconfig
Remove DECnet support from kernel
2023-06-21 15:39:57 +02:00
Makefile
Remove DECnet support from kernel
2023-06-21 15:39:57 +02:00
socket.c
net: Save and restore msg_namelen in sock_sendmsg
2024-01-15 18:23:42 +01:00
sysctl_net.c