Commit 20e7cac3 authored by Eric Dumazet's avatar Eric Dumazet Committed by Wang Liang
Browse files

net_sched: sch_fifo: implement lockless __fifo_dump() 

mainline inclusion
from mainline-v6.10-rc1
commit 01daf66b791e1ddd1a4aae2a65ea65fa1d4a96ef
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBN6ZL
CVE: CVE-2025-21702

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01daf66b791e1ddd1a4aae2a65ea65fa1d4a96ef



--------------------------------

Instead of relying on RTNL, __fifo_dump() can use READ_ONCE()
annotations, paired with WRITE_ONCE() ones in __fifo_init().

Also add missing READ_ONCE(sh->limit) in bfifo_enqueue(),
pfifo_enqueue() and pfifo_tail_enqueue().

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarWang Liang <wangliang74@huawei.com>
parent 3c67b39e

net/sched/sch_fifo.c

+7 −6
Original line number Diff line number Diff line
@@ -22,7 +22,8 @@ 
static int bfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch,

			 struct sk_buff **to_free)

{

	if (likely(sch->qstats.backlog + qdisc_pkt_len(skb) <= sch->limit))

	if (likely(sch->qstats.backlog + qdisc_pkt_len(skb) <=

		   READ_ONCE(sch->limit)))

		return qdisc_enqueue_tail(skb, sch);



	return qdisc_drop(skb, sch, to_free);
@@ -31,7 +32,7 @@ static int bfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch, 
static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch,

			 struct sk_buff **to_free)

{

	if (likely(sch->q.qlen < sch->limit))

	if (likely(sch->q.qlen < READ_ONCE(sch->limit)))

		return qdisc_enqueue_tail(skb, sch);



	return qdisc_drop(skb, sch, to_free);
@@ -42,7 +43,7 @@ static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc *sch, 
{

	unsigned int prev_backlog;



	if (likely(sch->q.qlen < sch->limit))

	if (likely(sch->q.qlen < READ_ONCE(sch->limit)))

		return qdisc_enqueue_tail(skb, sch);



	prev_backlog = sch->qstats.backlog;
@@ -67,14 +68,14 @@ static int fifo_init(struct Qdisc *sch, struct nlattr *opt, 
		if (is_bfifo)

			limit *= psched_mtu(qdisc_dev(sch));



		sch->limit = limit;

		WRITE_ONCE(sch->limit, limit);

	} else {

		struct tc_fifo_qopt *ctl = nla_data(opt);



		if (nla_len(opt) < sizeof(*ctl))

			return -EINVAL;



		sch->limit = ctl->limit;

		WRITE_ONCE(sch->limit, ctl->limit);

	}



	if (is_bfifo)
@@ -91,7 +92,7 @@ static int fifo_init(struct Qdisc *sch, struct nlattr *opt, 


static int fifo_dump(struct Qdisc *sch, struct sk_buff *skb)

{

	struct tc_fifo_qopt opt = { .limit = sch->limit };

	struct tc_fifo_qopt opt = { .limit = READ_ONCE(sch->limit) };



	if (nla_put(skb, TCA_OPTIONS, sizeof(opt), &opt))

		goto nla_put_failure;