[SRU][O/N/J/F][PATCH 0/1] CVE-2024-56770

Tim Whisonant tim.whisonant at canonical.com
Fri Jan 24 20:55:06 UTC 2025 

[Impact]

In general, 'qlen' of any classful qdisc should keep track of the
number of packets that the qdisc itself and all of its children holds.
In case of netem, 'qlen' only accounts for the packets in its internal
tfifo. When netem is used with a child qdisc, the child qdisc can use
'qdisc_tree_reduce_backlog' to inform its parent, netem, about created
or dropped SKBs. This function updates 'qlen' and the backlog statistics
of netem, but netem does not account for changes made by a child qdisc.
'qlen' then indicates the wrong number of packets in the tfifo.
If a child qdisc creates new SKBs during enqueue and informs its parent
about this, netem's 'qlen' value is increased. When netem dequeues the
newly created SKBs from the child, the 'qlen' in netem is not updated.
If 'qlen' reaches the configured sch->limit, the enqueue function stops
working, even though the tfifo is not full.

This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is
only decreased when a packet is returned by its dequeue function, and not
during enqueuing into the child qdisc. External updates to 'qlen' are thus
accounted for and only the behavior of the backlog statistics changes. As
in other qdiscs, 'qlen' then keeps track of  how many packets are held in
netem and all of its children. As before, sch->limit remains as the
maximum number of packets in the tfifo. The same applies to netem's
backlog statistics.

[Cherry Pick]

The changes were cherry-picked cleanly from upstream:
4eb35be67e63e26beeb3004a89bc1199baee2e6e
"net/sched: netem: account for backlog updates from child qdisc"

[Fix]

Oracular:	cherry pick
Noble:		cherry pick
Jammy:		cherry pick
Focal:		cherry pick
Bionic:		fix sent to ESM ML
Xenial:		fix sent to ESM ML
Trusty:		won't fix

[Test Case]

Compile and boot tested.

[Where problems could occur]

This fix affects those who use a classful queueing discipline with the
network emulator (NETEM) module. An issue with this fix would be visible
to the user as unexpected networking behavior which could lead to the
packet queue locking up.

Martin Ottens (1):
  net/sched: netem: account for backlog updates from child qdisc

 net/sched/sch_netem.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

-- 
2.43.0

More information about the kernel-team mailing list