Merge branch 'net-sched-teql-enforce-hierarchy-placement'

kuba-moo · kuba-moo · commit 58bae918d73e · 2026-01-19T12:06:45.000-08:00
Jamal Hadi Salim says: ==================== net/sched: teql: Enforce hierarchy placement GangMin Kim <km.kim1503@gmail.com> managed to create a UAF on qfq by inserting teql as a child qdisc and exploiting a qlen sync issue. teql is not intended to be used as a child qdisc. Lets enforce that rule in patch #1. Although patch #1 fixes the issue, we prevent another potential qlen exploit in qfq in patch #2 by enforcing the child's active status is not determined by inspecting the qlen. In patch #3 we add a tdc test case. ==================== Link: https://patch.msgid.link/20260114160243.913069-1-jhs@mojatatu.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
@@ -373,7 +373,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
 /* Deschedule class and remove it from its parent aggregate. */
 static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
 {
-	if (cl->qdisc->q.qlen > 0) /* class is active */
+	if (cl_is_active(cl)) /* class is active */
 		qfq_deactivate_class(q, cl);
 
 	qfq_rm_from_agg(q, cl);
diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt,
 	if (m->dev == dev)
 		return -ELOOP;
 
+	if (sch->parent != TC_H_ROOT) {
+		NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root");
+		return -EOPNOTSUPP;
+	}
+
 	q->m = m;
 
 	skb_queue_head_init(&q->q);
diff --git a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/teql.json b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/teql.json
@@ -81,5 +81,30 @@
             "$TC qdisc del dev $DUMMY handle 1: root",
             "$IP link del dev $DUMMY"
         ]
+    },
+    {
+        "id": "124e",
+        "name": "Try to add teql as a child qdisc",
+        "category": [
+            "qdisc",
+            "ets",
+            "tbf"
+        ],
+        "plugins": {
+            "requires": [
+                "nsPlugin"
+            ]
+        },
+        "setup": [
+            "$TC qdisc add dev $DUMMY root handle 1: qfq",
+            "$TC class add dev $DUMMY parent 1: classid 1:1 qfq weight 15 maxpkt 16384"
+        ],
+        "cmdUnderTest": "$TC qdisc add dev $DUMMY parent 1:1 handle 2:1 teql0",
+        "expExitCode": "2",
+        "verifyCmd": "$TC -s -j qdisc ls dev $DUMMY parent 1:1",
+        "matchJSON": [],
+        "teardown": [
+            "$TC qdisc del dev $DUMMY root handle 1:"
+        ]
     }
 ]

Original file line number	Diff line number	Diff line change
`@@ -373,7 +373,7 @@ static void qfq_rm_from_agg(struct qfq_sched q, struct qfq_class cl)`
`373`	`373`	`/* Deschedule class and remove it from its parent aggregate. */`
`374`	`374`	`static void qfq_deact_rm_from_agg(struct qfq_sched q, struct qfq_class cl)`
`375`	`375`	`{`
`376`		`- if (cl->qdisc->q.qlen > 0) /* class is active */`
	`376`	`+ if (cl_is_active(cl)) /* class is active */`
`377`	`377`	`qfq_deactivate_class(q, cl);`
`378`	`378`
`379`	`379`	`qfq_rm_from_agg(q, cl);`