Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[LTS 8.6] net: sched: sch_qfq: Fix UAF in qfq_dequeue() #116

Merged
merged 1 commit into from
Feb 13, 2025
Merged

[LTS 8.6] net: sched: sch_qfq: Fix UAF in qfq_dequeue() #116

merged 1 commit into from
Feb 13, 2025

Conversation

pvts-mat
Copy link

@pvts-mat pvts-mat commented Feb 12, 2025
edited
Loading

CVE-2023-4921
VULN-4126

Problem

https://www.cve.org/CVERecord?id=CVE-2023-4921

A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue()

Solution

A single commit was identified as a fix for this issue: 8fc134fee27f2263988ae38920bc03da416b03d8

kABI check: passed

python3 /mnt/code/kernel-dist-git/SOURCES/check-kabi \
        -k /mnt/code/kernel-dist-git/SOURCES/Module.kabi_$(uname -m) \
        -s /mnt/build_files/kernel-src-tree-ciqlts9_2-CVE-2024-41071.bkp/Module.symvers; echo $?

0

kernel-dist-git state:

On branch el-8.6
Your branch is up to date with 'origin/el-8.6'.

Boot test: passed

See Specific tests for implied boot test passing.

Kselftests

Methodology

A mix of kernel-selftests-internal and source-compiled tests were used:

  • kernel-selftests-internal: bpf tests, except:
    • bpf:test_kmod.sh: takes very long time to finish and always fails anyway,
    • bpf:test_progs: unstable, can crash the machine,
    • bpf:test_progs-no_alu32: unstable, can crash the machine.
  • source-compiled: all the rest.

Coverage (including tests skipped during execution)

android, bpf, breakpoints, capabilities, core, cpu-hotplug, cpufreq, efivarfs, exec, filesystems, firmware, fpu, ftrace, futex, gpio, intel_pstate, ipc, kcmp, kvm, lib, livepatch, membarrier, memfd, memory-hotplug, mount, net, net/forwarding, net/mptcp, netfilter, nsfs, proc, pstore, ptrace, rseq, rtc, sgx, sigaltstack, size, splice, static_keys, sync, sysctl, tc-testing, timens, timers, tpm2, user, vm, x86, zram

Reference ciqlts8_6 (c4ef5eaf926fd30ba312542c06beee9ec929d110)

Five test runs were conducted on the reference kernel.
kselftests–mixed–ciqlts8_6–run1.log
kselftests–mixed–ciqlts8_6–run2.log
kselftests–mixed–ciqlts8_6–run3.log
kselftests–mixed–ciqlts8_6–run4.log
kselftests–mixed–ciqlts8_6–run5.log

Patch

Two test runs were conducted on the patched kernel.
kselftests–mixed–ciqlts8_6-CVE-2023-4921–run1.log
kselftests–mixed–ciqlts8_6-CVE-2023-4921–run2.log

Comparison

Overview of the results, reduced to the differences:

ktests.xsh table --where "Summary = 'diff'" kselftests--*.log

Column    File
--------  ----------------------------------------------------
Status0   kselftests--mixed--ciqlts8_6--run1.log
Status1   kselftests--mixed--ciqlts8_6--run2.log
Status2   kselftests--mixed--ciqlts8_6--run3.log
Status3   kselftests--mixed--ciqlts8_6--run4.log
Status4   kselftests--mixed--ciqlts8_6--run5.log
Status5   kselftests--mixed--ciqlts8_6-CVE-2023-4921--run1.log
Status6   kselftests--mixed--ciqlts8_6-CVE-2023-4921--run2.log

TestCase                 Status0  Status1  Status2  Status3  Status4  Status5  Status6  Summary
bpf:test_xdp_veth.sh     pass     skip     skip     pass     pass              pass     diff
net/mptcp:mptcp_join.sh  pass     pass     pass     pass     fail     pass     pass     diff
net:gro.sh               pass     pass     pass     pass     fail     pass     pass     diff
net:ip_defrag.sh         fail     pass     fail     fail     pass     pass     fail     diff
net:xfrm_policy.sh       pass     fail     fail     pass     pass     pass     pass     diff

No differences in results occured which weren't present in the reference test set already.

New unreliable tests were identified:

  • bpf:test_xdp_veth.sh: for the rpm selftests package.
  • net:ip_defrag.sh: for the source compiled test suite.

Specific tests: passed

Bug replication

The bug can be replicated with the following commands, as mention in the commit's message:

tc qdisc add dev lo root handle 1: qfq
tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
tc qdisc add dev lo parent 1:1 handle 2: plug
tc filter add dev lo parent 1: basic classid 1:1
ping -c1 127.0.0.1

The tests were performed on the referential and patched kernel.

Prerequisites

The tc commands above require the following kernel options to be enabled: CONFIG_NET_SCHED, CONFIG_NET_SCH_INGRESS, CONFIG_NET_SCH_QFQ, CONFIG_NET_SCH_PLUG, CONFIG_NET_CLS_BASIC.

All of them are enabled by default in the configs/kernel-4.18.0-x86_64.config configuration file for the tested x86_64 platform.

CONFIG_NET_SCHED=y
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_SCH_QFQ=m
CONFIG_NET_SCH_PLUG=m
CONFIG_NET_CLS_BASIC=m

Reference ciqlts8_6 (c4ef5eaf926fd30ba312542c06beee9ec929d110)

Bug replicated successfully. Kernel crashed and machine automatically rebooted.

[root@ciqlts8_6 pvts]# tc qdisc add dev lo root handle 1: qfq
tc qdisc add dev lo root handle 1: qfq
[root@ciqlts8_6 pvts]# tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
xpkt 512
[root@ciqlts8_6 pvts]# tc qdisc add dev lo parent 1:1 handle 2: plug
tc qdisc add dev lo parent 1:1 handle 2: plug
[root@ciqlts8_6 pvts]# tc filter add dev lo parent 1: basic classid 1:1
tc filter add dev lo parent 1: basic classid 1:1
[root@ciqlts8_6 pvts]# ping -c1 127.0.0.1
ping -c1 127.0.0.1
PING 127.0.0.1 ([   37.903750] ------------[ cut here ]------------
[   37.907048] kernel BUG at include/linux/skbuff.h:2333!
127.0.[0. 1)  5 6(3847.910332] invalid opcode: 0000 [#1] SMP PTI
[   37.913370] CPU: 9 PID: 1547 Comm: ping Kdump: loaded Not tainted 4.18.0-ciqlts8_6 #3
[   37.916105] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.3-2.el9_5.1 04/01/2014
[   37.918536] RIP: 0010:eth_type_trans+0x115/0x150
[   37.920194] Code: 78 1e 48 8d 44 24 06 66 83 38 ff 75 13 b8 00 01 00 00 eb 84 48 8b 87 e8 00 00 00 48 85 c0 75 e7 b8 00 04 00 00 e9 6e ff ff ff <0f> 0b 0f b6 87 90 00 00 00 83 e0 f8 83 c8 03 88 87 90 00 00 00 e9
[   37.925670] RSP: 0018:ffffaa29833d0e48 EFLAGS: 00010297
[   37.926956] RAX: 00000000a43fcbe5 RBX: ffff9c8258566100 RCX: 17055ba3e1dfffc7
[   37.928745] RDX: ffff9c825a2ae464 RSI: ffff9c899fce3000 RDI: ffff9c8258566100
[   37.930531] RBP: ffff9c899fce3000 R08: ffff9c8254b4c0ac R09: 0000000000000001
[   37.932271] R10: ffff9c825a2ae400 R11: ffffaa2983f0fbb8 R12: ffff9c8258566100
[   37.933848] R13: ffff9c8243975200 R14: 00000000a43fcbf3 R15: ffff9c8254b4c000
[   37.935210] FS:  00007f580c557480(0000) GS:ffff9c899fc80000(0000) knlGS:0000000000000000
[   37.936713] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   37.937778] CR2: 00007fff8af1f000 CR3: 00000001186ca006 CR4: 0000000000370ee0
[   37.939114] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   37.940420] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   37.941702] Call Trace:
[   37.942209]  <IRQ>
)[   3 7b.94261y7]t  leosopbac ko_fx midta+0xtba3./0x130
[   37.943980]  dev_hard_start_xmit+0xd7/0x230
  
 37.944700]  sch_direct_xmit+0x9f/0x360
[   37.945438]  __qdisc_run+0x156/0x570
[   37.946042]  ? ktime_get+0x3e/0xa0
[   37.946605]  net_tx_action+0x14b/0x2b0
[   37.947243]  __do_softirq+0xd7/0x2c8
[   37.947838]  do_softirq_own_stack+0x2a/0x40
[   37.948528]  </IRQ>
[   37.948875]  do_softirq.part.14+0x45/0x50
[   37.949541]  __local_bh_enable_ip+0x4f/0x60
[   37.950228]  ip_finish_output2+0x1a6/0x430
[   37.950896]  ip_output+0x70/0xf0
[   37.951438]  ? __ip_finish_output+0x1d0/0x1d0
[   37.952367]  ip_send_skb+0x15/0x40
[   37.952945]  ping_v4_sendmsg+0x58a/0x7b0
[   37.953659]  ? insert_pfn+0xcf/0x1a0
[   37.954275]  ? sock_has_perm+0x80/0xa0
[   37.954901]  ? release_sock+0x43/0x90
[   37.955542]  ? sock_sendmsg+0x42/0x60
[   37.956174]  sock_sendmsg+0x42/0x60
[   37.956787]  __sys_sendto+0xee/0x160
[   37.957394]  ? handle_mm_fault+0xc1/0x1e0
[   37.958096]  ? syscall_trace_enter+0x1ff/0x2d0
[   37.958827]  ? __audit_syscall_exit+0x24d/0x2b0
[   37.959589]  __x64_sys_sendto+0x24/0x30
[   37.960219]  do_syscall_64+0x5b/0x1b0
[   37.960840]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
[   37.961707] RIP: 0033:0x7f580b1f5b2b
[   37.962316] Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 15 4c 29 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89
[   37.965764] RSP: 002b:00007fff8adfc2e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   37.967136] RAX: ffffffffffffffda RBX: 00005646fd5de700 RCX: 00007f580b1f5b2b
[   37.968445] RDX: 0000000000000040 RSI: 00005646fd5de700 RDI: 0000000000000003
[   37.969642] RBP: 0000000000000040 R08: 00005646fd5db500 R09: 0000000000000010
[   37.970935] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8adfda10
[   37.972245] R13: 00007fff8adfc2f0 R14: 00007fff8adfc3e0 R15: 00005646fd5da0a0
[   37.973447] Modules linked in: cls_basic sch_plug sch_qfq intel_rapl_msr intel_rapl_common isst_if_common nfit libnvdimm kvm_intel kvm irqbypass iTCO_wdt rapl iTCO_vendor_support joydev virtio_gpu pcspkr drm_kms_helper syscopyarea sysfillrect sysimgblt lpc_ich i2c_i801 fb_sys_fops virtio_balloon drm xfs libcrc32c sr_mod cdrom sg ahci crct10dif_pclmul libahci crc32_pclmul crc32c_intel libata serio_raw ghash_clmulni_intel virtio_blk virtio_net virtio_console net_failover failover virtiofs sunrpc dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse
[   37.982079] kvm-guest: disable async PF for cpu 9
[    0.000000] Linux version 4.18.0-ciqlts8_6 (pvts@ciqlts8_6) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-10) (GCC)) #3 SMP Tue Feb 11 03:15:35 UTC 2025
[    0.000000] Command line: elfcorehdr=0x73000000 BOOT_IMAGE=(hd0,msdos1)/boot/vmlinuz-4.18.0-ciqlts8_6 ro console=ttyS0,115200n8 no_timer_check net.ifnames=0 irqpoll nr_cpus=1 reset_devices cgroup_disable=memory mce=off numa=off udev.children-max=2 panic=10 rootflags=nofail acpi_no_memhotplug transparent_hugepage=never nokaslr novmcoredd hest_disable disable_cpu_apicid=0 iTCO_wdt.pretimeout=0
...

Full log:
bug-replication–ciqlts8_6.log

Patch

Patch efficacy verified successfully. Repeating the steps doesn't result in a crash and the machine doesn't reboot.

Full log:
bug-replication–ciqlts8_6-CVE-2023-4921.log

A warning can be observed

qfq_dequeue: non-workconserving leaf

issued at sch_qfq.c. The work-conserving queue discipline is a qdisc which never leaves the outbound interface in idle unless the queue is empty, while non-work-conserving qdiscs may delay packets, for example to shape the traffic1. The plug qdisc, being the leaf in the hierarchical qdiscs configuration used, is non-work-conserving, as it is able to suspend the packet flow. Multiple types of qdiscs are apparently not designed to work with non-work-conserving child qdiscs and issue similar warnings on skb == NULL condition: ets, hfsc, htb, drr. See also the message in b00355db3f88d96810a60011a30cfb2c3469409d

Patrick McHardy <[email protected]> suggested:
> How about making this flag and the warning message (in a out-of-line
> function) globally available? Other qdiscs (f.i. HFSC) can't deal with
> inner non-work-conserving qdiscs as well.

and in 6d25d1dc76bf5943a5c1f4bb74d66d5eac58eb77, which includes qfq to the group above

A helper function for printing non-work-conserving alarms is added in
commit b00355db3f88 ("pkt_sched: sch_hfsc: sch_htb: Add non-work-conserving
 warning handler."). In this commit, use qdisc_warn_nonwc() instead of
WARN_ONCE() to handle the non-work-conserving warning in qfq Qdisc.

The point is: the warning is related to the way the qdisc hierarchy has been defined in the bug replication script and not to the introduced changes.

Footnotes

1 https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.qdisc.terminology.html

@pvts-mat
net: sched: sch_qfq: Fix UAF in qfq_dequeue()
4d25069 
jira VULN-4126
cve CVE-2023-4921
commit-author valis <[email protected]>
commit 8fc134f

When the plug qdisc is used as a class of the qfq qdisc it could trigger a
UAF. This issue can be reproduced with following commands:

  tc qdisc add dev lo root handle 1: qfq
  tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
  tc qdisc add dev lo parent 1:1 handle 2: plug
  tc filter add dev lo parent 1: basic classid 1:1
  ping -c1 127.0.0.1

and boom:

[  285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0
[  285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144
[  285.355903]
[  285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ ctrliq#4
[  285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
[  285.358376] Call Trace:
[  285.358773]  <IRQ>
[  285.359109]  dump_stack_lvl+0x44/0x60
[  285.359708]  print_address_description.constprop.0+0x2c/0x3c0
[  285.360611]  kasan_report+0x10c/0x120
[  285.361195]  ? qfq_dequeue+0xa7/0x7f0
[  285.361780]  qfq_dequeue+0xa7/0x7f0
[  285.362342]  __qdisc_run+0xf1/0x970
[  285.362903]  net_tx_action+0x28e/0x460
[  285.363502]  __do_softirq+0x11b/0x3de
[  285.364097]  do_softirq.part.0+0x72/0x90
[  285.364721]  </IRQ>
[  285.365072]  <TASK>
[  285.365422]  __local_bh_enable_ip+0x77/0x90
[  285.366079]  __dev_queue_xmit+0x95f/0x1550
[  285.366732]  ? __pfx_csum_and_copy_from_iter+0x10/0x10
[  285.367526]  ? __pfx___dev_queue_xmit+0x10/0x10
[  285.368259]  ? __build_skb_around+0x129/0x190
[  285.368960]  ? ip_generic_getfrag+0x12c/0x170
[  285.369653]  ? __pfx_ip_generic_getfrag+0x10/0x10
[  285.370390]  ? csum_partial+0x8/0x20
[  285.370961]  ? raw_getfrag+0xe5/0x140
[  285.371559]  ip_finish_output2+0x539/0xa40
[  285.372222]  ? __pfx_ip_finish_output2+0x10/0x10
[  285.372954]  ip_output+0x113/0x1e0
[  285.373512]  ? __pfx_ip_output+0x10/0x10
[  285.374130]  ? icmp_out_count+0x49/0x60
[  285.374739]  ? __pfx_ip_finish_output+0x10/0x10
[  285.375457]  ip_push_pending_frames+0xf3/0x100
[  285.376173]  raw_sendmsg+0xef5/0x12d0
[  285.376760]  ? do_syscall_64+0x40/0x90
[  285.377359]  ? __static_call_text_end+0x136578/0x136578
[  285.378173]  ? do_syscall_64+0x40/0x90
[  285.378772]  ? kasan_enable_current+0x11/0x20
[  285.379469]  ? __pfx_raw_sendmsg+0x10/0x10
[  285.380137]  ? __sock_create+0x13e/0x270
[  285.380673]  ? __sys_socket+0xf3/0x180
[  285.381174]  ? __x64_sys_socket+0x3d/0x50
[  285.381725]  ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  285.382425]  ? __rcu_read_unlock+0x48/0x70
[  285.382975]  ? ip4_datagram_release_cb+0xd8/0x380
[  285.383608]  ? __pfx_ip4_datagram_release_cb+0x10/0x10
[  285.384295]  ? preempt_count_sub+0x14/0xc0
[  285.384844]  ? __list_del_entry_valid+0x76/0x140
[  285.385467]  ? _raw_spin_lock_bh+0x87/0xe0
[  285.386014]  ? __pfx__raw_spin_lock_bh+0x10/0x10
[  285.386645]  ? release_sock+0xa0/0xd0
[  285.387148]  ? preempt_count_sub+0x14/0xc0
[  285.387712]  ? freeze_secondary_cpus+0x348/0x3c0
[  285.388341]  ? aa_sk_perm+0x177/0x390
[  285.388856]  ? __pfx_aa_sk_perm+0x10/0x10
[  285.389441]  ? check_stack_object+0x22/0x70
[  285.390032]  ? inet_send_prepare+0x2f/0x120
[  285.390603]  ? __pfx_inet_sendmsg+0x10/0x10
[  285.391172]  sock_sendmsg+0xcc/0xe0
[  285.391667]  __sys_sendto+0x190/0x230
[  285.392168]  ? __pfx___sys_sendto+0x10/0x10
[  285.392727]  ? kvm_clock_get_cycles+0x14/0x30
[  285.393328]  ? set_normalized_timespec64+0x57/0x70
[  285.393980]  ? _raw_spin_unlock_irq+0x1b/0x40
[  285.394578]  ? __x64_sys_clock_gettime+0x11c/0x160
[  285.395225]  ? __pfx___x64_sys_clock_gettime+0x10/0x10
[  285.395908]  ? _copy_to_user+0x3e/0x60
[  285.396432]  ? exit_to_user_mode_prepare+0x1a/0x120
[  285.397086]  ? syscall_exit_to_user_mode+0x22/0x50
[  285.397734]  ? do_syscall_64+0x71/0x90
[  285.398258]  __x64_sys_sendto+0x74/0x90
[  285.398786]  do_syscall_64+0x64/0x90
[  285.399273]  ? exit_to_user_mode_prepare+0x1a/0x120
[  285.399949]  ? syscall_exit_to_user_mode+0x22/0x50
[  285.400605]  ? do_syscall_64+0x71/0x90
[  285.401124]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  285.401807] RIP: 0033:0x495726
[  285.402233] Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 09
[  285.404683] RSP: 002b:00007ffcc25fb618 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[  285.405677] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 0000000000495726
[  285.406628] RDX: 0000000000000040 RSI: 0000000002518750 RDI: 0000000000000000
[  285.407565] RBP: 00000000005205ef R08: 00000000005f8838 R09: 000000000000001c
[  285.408523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000002517634
[  285.409460] R13: 00007ffcc25fb6f0 R14: 0000000000000003 R15: 0000000000000000
[  285.410403]  </TASK>
[  285.410704]
[  285.410929] Allocated by task 144:
[  285.411402]  kasan_save_stack+0x1e/0x40
[  285.411926]  kasan_set_track+0x21/0x30
[  285.412442]  __kasan_slab_alloc+0x55/0x70
[  285.412973]  kmem_cache_alloc_node+0x187/0x3d0
[  285.413567]  __alloc_skb+0x1b4/0x230
[  285.414060]  __ip_append_data+0x17f7/0x1b60
[  285.414633]  ip_append_data+0x97/0xf0
[  285.415144]  raw_sendmsg+0x5a8/0x12d0
[  285.415640]  sock_sendmsg+0xcc/0xe0
[  285.416117]  __sys_sendto+0x190/0x230
[  285.416626]  __x64_sys_sendto+0x74/0x90
[  285.417145]  do_syscall_64+0x64/0x90
[  285.417624]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  285.418306]
[  285.418531] Freed by task 144:
[  285.418960]  kasan_save_stack+0x1e/0x40
[  285.419469]  kasan_set_track+0x21/0x30
[  285.419988]  kasan_save_free_info+0x27/0x40
[  285.420556]  ____kasan_slab_free+0x109/0x1a0
[  285.421146]  kmem_cache_free+0x1c2/0x450
[  285.421680]  __netif_receive_skb_core+0x2ce/0x1870
[  285.422333]  __netif_receive_skb_one_core+0x97/0x140
[  285.423003]  process_backlog+0x100/0x2f0
[  285.423537]  __napi_poll+0x5c/0x2d0
[  285.424023]  net_rx_action+0x2be/0x560
[  285.424510]  __do_softirq+0x11b/0x3de
[  285.425034]
[  285.425254] The buggy address belongs to the object at ffff8880bad31280
[  285.425254]  which belongs to the cache skbuff_head_cache of size 224
[  285.426993] The buggy address is located 40 bytes inside of
[  285.426993]  freed 224-byte region [ffff8880bad31280, ffff8880bad31360)
[  285.428572]
[  285.428798] The buggy address belongs to the physical page:
[  285.429540] page:00000000f4b77674 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbad31
[  285.430758] flags: 0x100000000000200(slab|node=0|zone=1)
[  285.431447] page_type: 0xffffffff()
[  285.431934] raw: 0100000000000200 ffff88810094a8c0 dead000000000122 0000000000000000
[  285.432757] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[  285.433562] page dumped because: kasan: bad access detected
[  285.434144]
[  285.434320] Memory state around the buggy address:
[  285.434828]  ffff8880bad31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  285.435580]  ffff8880bad31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  285.436264] >ffff8880bad31280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  285.436777]                                   ^
[  285.437106]  ffff8880bad31300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[  285.437616]  ffff8880bad31380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  285.438126] ==================================================================
[  285.438662] Disabling lock debugging due to kernel taint

Fix this by:
1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a
function compatible with non-work-conserving qdiscs
2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq.

Fixes: 462dbc9 ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
	Reported-by: valis <[email protected]>
	Signed-off-by: valis <[email protected]>
	Signed-off-by: Jamal Hadi Salim <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
	Signed-off-by: Paolo Abeni <[email protected]>
(cherry picked from commit 8fc134f)
	Signed-off-by: Marcin Wcisło <[email protected]>
@pvts-mat pvts-mat marked this pull request as draft February 12, 2025 03:00
@pvts-mat pvts-mat marked this pull request as ready for review February 12, 2025 17:11
@PlaidCat
Copy link
Collaborator

This is an excellent PR Thank you, approving builder checks
:shipit:

gvrose8192
gvrose8192 approved these changes Feb 12, 2025
View reviewed changes
Copy link
Collaborator

@gvrose8192 gvrose8192 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - Thanks!

bmastbergen
bmastbergen approved these changes Feb 13, 2025
View reviewed changes
Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@PlaidCat PlaidCat merged commit 9db5d0c into ctrliq:ciqlts8_6 Feb 13, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gvrose8192 gvrose8192 gvrose8192 approved these changes

@PlaidCat PlaidCat PlaidCat approved these changes

@bmastbergen bmastbergen bmastbergen approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pvts-mat @PlaidCat @gvrose8192 @bmastbergen