diff mbox series

[net] net/sched: sch_fq: fix integer overflow of "credit"

Message ID a5288a1f4b69eb2da3e704d0e1ff082489432d25.1681728988.git.dcaratti@redhat.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [net] net/sched: sch_fq: fix integer overflow of "credit" | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 18 this patch: 18
netdev/cc_maintainers fail 1 blamed authors not CCed: davem@davemloft.net; 7 maintainers not CCed: shaozhengchao@huawei.com davem@davemloft.net pabeni@redhat.com shuah@kernel.org victor@mojatatu.com kuba@kernel.org linux-kselftest@vger.kernel.org
netdev/build_clang success Errors and warnings before: 18 this patch: 18
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 18 this patch: 18
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 46 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Davide Caratti April 17, 2023, 11:02 a.m. UTC 
if sch_fq is configured with "initial quantum" having values greater than
INT_MAX, the first assignment of "credit" does signed integer overflow to
a very negative value.
In this situation, the syzkaller script provided by Cristoph triggers the
CPU soft-lockup warning even with few sockets. It's not an infinite loop,
but "credit" wasn't probably meant to be minus 2Gb for each new flow.
Capping "initial quantum" to INT_MAX proved to fix the issue.

Reported-by: Christoph Paasch <cpaasch@apple.com>
Link: https://github.com/multipath-tcp/mptcp_net-next/issues/377
Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
 net/sched/sch_fq.c                            | 12 ++++++++--
 .../tc-testing/tc-tests/qdiscs/fq.json        | 22 +++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)

Comments

Eric Dumazet April 17, 2023, 11:16 a.m. UTC | #1 
On Mon, Apr 17, 2023 at 1:02 PM Davide Caratti <dcaratti@redhat.com> wrote:
>
> if sch_fq is configured with "initial quantum" having values greater than
> INT_MAX, the first assignment of "credit" does signed integer overflow to
> a very negative value.
> In this situation, the syzkaller script provided by Cristoph triggers the
> CPU soft-lockup warning even with few sockets. It's not an infinite loop,
> but "credit" wasn't probably meant to be minus 2Gb for each new flow.
> Capping "initial quantum" to INT_MAX proved to fix the issue.
>
> Reported-by: Christoph Paasch <cpaasch@apple.com>
> Link: https://github.com/multipath-tcp/mptcp_net-next/issues/377
> Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
> Signed-off-by: Davide Caratti <dcaratti@redhat.com>
> ---

Reviewed-by: Eric Dumazet <edumazet@google.com>
Thanks.
Jakub Kicinski April 18, 2023, 2:30 a.m. UTC | #2 
On Mon, 17 Apr 2023 13:02:40 +0200 Davide Caratti wrote:
> +		u32 initial_quantum = nla_get_u32(tb[TCA_FQ_INITIAL_QUANTUM]);
> +
> +		if (initial_quantum <= INT_MAX) {
> +			q->initial_quantum = initial_quantum;
> +		} else {
> +			NL_SET_ERR_MSG_MOD(extack, "invalid initial quantum");
> +			err = -EINVAL;
> +		}

Please set the right policy in fq_policy[] instead.
Eric Dumazet April 18, 2023, 10:26 a.m. UTC | #3 
On Tue, Apr 18, 2023 at 4:30 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Mon, 17 Apr 2023 13:02:40 +0200 Davide Caratti wrote:
> > +             u32 initial_quantum = nla_get_u32(tb[TCA_FQ_INITIAL_QUANTUM]);
> > +
> > +             if (initial_quantum <= INT_MAX) {
> > +                     q->initial_quantum = initial_quantum;
> > +             } else {
> > +                     NL_SET_ERR_MSG_MOD(extack, "invalid initial quantum");
> > +                     err = -EINVAL;
> > +             }
>
> Please set the right policy in fq_policy[] instead.

Not sure these policies are available for old kernels (sch_fq was
added in linux-3.12) ?

Or have we backported all this infra already on stable kernels ?

commit d06a09b94c618c96ced584dd4611a888c8856b8d
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Thu Apr 30 22:13:08 2020 +0200

    netlink: extend policy range validation
Jakub Kicinski April 18, 2023, 2:43 p.m. UTC | #4 
On Tue, 18 Apr 2023 12:26:13 +0200 Eric Dumazet wrote:
> > Please set the right policy in fq_policy[] instead.  
> 
> Not sure these policies are available for old kernels (sch_fq was
> added in linux-3.12) ?
> 
> Or have we backported all this infra already on stable kernels ?
> 
> commit d06a09b94c618c96ced584dd4611a888c8856b8d
> Author: Johannes Berg <johannes.berg@intel.com>
> Date:   Thu Apr 30 22:13:08 2020 +0200
> 
>     netlink: extend policy range validation

Good point, Davide, once the policy based fix hits the trees please
send this version of the fix to stable@ for 5.4 and older stable trees.
Davide Caratti April 18, 2023, 3:03 p.m. UTC | #5 
hello,

On Tue, Apr 18, 2023 at 4:43 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Tue, 18 Apr 2023 12:26:13 +0200 Eric Dumazet wrote:
> > > Please set the right policy in fq_policy[] instead.
> >
> > Not sure these policies are available for old kernels (sch_fq was
> > added in linux-3.12) ?

[...]

> Good point, Davide, once the policy based fix hits the trees please
> send this version of the fix to stable@ for 5.4 and older stable trees.

Sure, I will do that. And thanks for the review! :)
--
davide
diff mbox series

Patch

diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
index 48d14fb90ba0..12efbcfc2938 100644
--- a/net/sched/sch_fq.c
+++ b/net/sched/sch_fq.c
@@ -842,8 +842,16 @@  static int fq_change(struct Qdisc *sch, struct nlattr *opt,
 		}
 	}
 
-	if (tb[TCA_FQ_INITIAL_QUANTUM])
-		q->initial_quantum = nla_get_u32(tb[TCA_FQ_INITIAL_QUANTUM]);
+	if (tb[TCA_FQ_INITIAL_QUANTUM]) {
+		u32 initial_quantum = nla_get_u32(tb[TCA_FQ_INITIAL_QUANTUM]);
+
+		if (initial_quantum <= INT_MAX) {
+			q->initial_quantum = initial_quantum;
+		} else {
+			NL_SET_ERR_MSG_MOD(extack, "invalid initial quantum");
+			err = -EINVAL;
+		}
+	}
 
 	if (tb[TCA_FQ_FLOW_DEFAULT_RATE])
 		pr_warn_ratelimited("sch_fq: defrate %u ignored.\n",
diff --git a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq.json b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq.json
index 8acb904d1419..3593fb8f79ad 100644
--- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq.json
+++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq.json
@@ -114,6 +114,28 @@ 
             "$IP link del dev $DUMMY type dummy"
         ]
     },
+    {
+        "id": "10f7",
+        "name": "Create FQ with invalid initial_quantum setting",
+        "category": [
+            "qdisc",
+            "fq"
+        ],
+        "plugins": {
+            "requires": "nsPlugin"
+        },
+        "setup": [
+            "$IP link add dev $DUMMY type dummy || /bin/true"
+        ],
+        "cmdUnderTest": "$TC qdisc add dev $DUMMY handle 1: root fq initial_quantum 0x80000000",
+        "expExitCode": "2",
+        "verifyCmd": "$TC qdisc show dev $DUMMY",
+        "matchPattern": "qdisc fq 1: root.*initial_quantum 2048Mb",
+        "matchCount": "0",
+        "teardown": [
+            "$IP link del dev $DUMMY type dummy"
+        ]
+    },
     {
         "id": "9398",
         "name": "Create FQ with maxrate setting",