From: Paolo Abeni Date: Tue, 8 Apr 2025 08:58:16 +0000 (+0200) Subject: Merge branch 'net_sched-make-qlen_notify-idempotent' X-Git-Tag: v6.15-rc2~22^2~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd23e77e6568abfac6354dd3f69d5b154e60e342;p=thirdparty%2Fkernel%2Flinux.git Merge branch 'net_sched-make-qlen_notify-idempotent' Cong Wang says: ==================== net_sched: make ->qlen_notify() idempotent Gerrard reported a vulnerability exists in fq_codel where manipulating the MTU can cause codel_dequeue() to drop all packets. The parent qdisc's sch->q.qlen is only updated via ->qlen_notify() if the fq_codel queue remains non-empty after the drops. This discrepancy in qlen between fq_codel and its parent can lead to a use-after-free condition. Let's fix this by making all existing ->qlen_notify() idempotent so that the sch->q.qlen check will be no longer necessary. Patch 1~5 make all existing ->qlen_notify() idempotent to prepare for patch 6 which removes the sch->q.qlen check. They are followed by 5 selftests for each type of Qdisc's we touch here. All existing and new Qdisc selftests pass after this patchset. Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM") Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM") Acked-by: Jamal Hadi Salim ==================== Link: https://patch.msgid.link/20250403211033.166059-1-xiyou.wangcong@gmail.com Signed-off-by: Paolo Abeni --- cd23e77e6568abfac6354dd3f69d5b154e60e342