net/sched: netem: check for negative latency and jitter

Reject requests with negative latency or jitter.
A negative value added to current timestamp (u64) wraps
to an enormous time_to_send, disabling dequeue.
The original UAPI used u32 for these values; the conversion to 64-bit
time values via TCA_NETEM_LATENCY64 and TCA_NETEM_JITTER64
allowed signed values to reach the kernel without validation.

Jitter is already silently clamped by an abs() in netem_change();
that abs() can be removed in a follow-up once this rejection is in
place.

Fixes: 99803171ef04 ("netem: add uapi to express delay and jitter in nanoseconds")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-7-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 475c14b3dbdbff2ace5636ba01e7cf7560335b62..bc18e1976b6e07f81f975ceeb35c8b1a5125e8df 100644 (file)
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -826,6 +826,16 @@ static int get_dist_table(struct disttable **tbl, const struct nlattr *attr)
        return 0;
 }
 
+static int validate_time(const struct nlattr *attr, const char *name,
+                        struct netlink_ext_ack *extack)
+{
+       if (nla_get_s64(attr) < 0) {
+               NL_SET_ERR_MSG_ATTR_FMT(extack, attr, "negative %s", name);
+               return -EINVAL;
+       }
+       return 0;
+}
+
 static int validate_slot(const struct nlattr *attr, struct netlink_ext_ack *extack)
 {
        const struct tc_netem_slot *c = nla_data(attr);
@@ -1068,6 +1078,18 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
                        goto table_free;
        }
 
+       if (tb[TCA_NETEM_LATENCY64]) {
+               ret = validate_time(tb[TCA_NETEM_LATENCY64], "latency", extack);
+               if (ret)
+                       goto table_free;
+       }
+
+       if (tb[TCA_NETEM_JITTER64]) {
+               ret = validate_time(tb[TCA_NETEM_JITTER64], "jitter", extack);
+               if (ret)
+                       goto table_free;
+       }
+
        sch_tree_lock(sch);
        /* backup q->clg and q->loss_model */
        old_clg = q->clg;