From c6338c2d82898c4e1b1b04599bb2be90f60ddeb5 Mon Sep 17 00:00:00 2001 From: Cong Wang Date: Mon, 25 Aug 2025 17:35:31 +0800 Subject: [PATCH] net_sched: Prevent creation of classes with TC_H_ROOT mainline inclusion from mainline-v6.14-rc7 commit 0c3057a5a04d07120b3d0ec9c79568fceb9c921e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBY42P CVE: CVE-2025-21971 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0c3057a5a04d07120b3d0ec9c79568fceb9c921e ------------------------------------------------- The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho. Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal. Reported-by: Mingi Cho Signed-off-by: Cong Wang Reviewed-by: Simon Horman Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop") Link: https://patch.msgid.link/20250306232355.93864-2-xiyou.wangcong@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Zhang Changzhong --- net/sched/sch_api.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 7156f64a2004..46a8939e2477 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -2161,6 +2161,12 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, return -EOPNOTSUPP; } + /* Prevent creation of traffic classes with classid TC_H_ROOT */ + if (clid == TC_H_ROOT) { + NL_SET_ERR_MSG(extack, "Cannot create traffic class with classid TC_H_ROOT"); + return -EINVAL; + } + new_cl = cl; err = -EOPNOTSUPP; if (cops->change) -- Gitee