[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
ℹ️ Patch is missing in 6.13.y (ignore if backport was sent)
⚠️ Commit missing in all newer stable branches

The upstream commit SHA1 provided is correct: 737d4d91d35b5f7fa5bb442651472277318b0bfd

WARNING: Author mismatch between patch and upstream commit:
Backport author: Hagar Hemdan <hagarhem@xxxxxxxxxx>
Commit author: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>

Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (different SHA1: 91bb18950b88)
6.6.y | Present (different SHA1: 27202e2e8721)
6.1.y | Present (different SHA1: a777e06dfc72)
5.4.y | Not found

Note: The patch differs from the upstream commit:
--- 1: 737d4d91d35b5 ! 1: a165fe282a0a4 sched: sch_cake: add bounds checks to host bulk flow fairness counts @@ Metadata ## Commit message ## sched: sch_cake: add bounds checks to host bulk flow fairness counts + [ Upstream commit 737d4d91d35b5f7fa5bb442651472277318b0bfd ] + Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. 
@@ Commit message Acked-by: Dave Taht <dave.taht@xxxxxxxxx> Link: https://patch.msgid.link/20250107120105.70685-1-toke@xxxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> + [Hagar: needed contextual fixes due to missing commit 7e3cf0843fe5] + Signed-off-by: Hagar Hemdan <hagarhem@xxxxxxxxxx> ## net/sched/sch_cake.c ## @@ net/sched/sch_cake.c: static bool cake_ddst(int flow_mode) @@ net/sched/sch_cake.c: static bool cake_ddst(int flow_mode) + host_load = max(host_load, + q->hosts[flow->dsthost].dsthost_bulk_flow_count); + -+ /* The get_random_u16() is a way to apply dithering to avoid ++ /* The shifted prandom_u32() is a way to apply dithering to avoid + * accumulating roundoff errors + */ + return (q->flow_quantum * quantum_div[host_load] + -+ get_random_u16()) >> 16; ++ (prandom_u32() >> 16)) >> 16; +} + static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb, @@ net/sched/sch_cake.c: static struct sk_buff *cake_dequeue(struct Qdisc *sch) - - WARN_ON(host_load > CAKE_QUEUES); - -- /* The get_random_u16() is a way to apply dithering to avoid -- * accumulating roundoff errors +- /* The shifted prandom_u32() is a way to apply dithering to +- * avoid accumulating roundoff errors - */ - flow->deficit += (b->flow_quantum * quantum_div[host_load] + -- get_random_u16()) >> 16; +- (prandom_u32() >> 16)) >> 16; + flow->deficit += cake_get_flow_quantum(b, flow, q->flow_mode); list_move_tail(&flow->flowchain, &b->old_flows); --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-5.15.y | Success | Success |
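Review bot: The backport note "[Hagar: needed contextual fixes due to missing commit 7e3cf0843fe5]" in the commit message does not say what was adjusted. The deviation shown in the range-diff is get_random_u16() replaced by (prandom_u32() >> 16), in both the comment and the return expression of cake_get_flow_quantum(). Naming that substitution in the note would let stable reviewers confirm the dithering term is unchanged in range without re-deriving it from the range-diff.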
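Review bot: In cake_get_flow_quantum(), the lines shown index quantum_div[host_load] directly after host_load = max(host_load, q->hosts[flow->dsthost].dsthost_bulk_flow_count), while WARN_ON(host_load > CAKE_QUEUES) is dropped from cake_dequeue() with no counterpart visible in the helper. Since the commit message describes an underflow of the per-host bulk flow counters leading to an out of bounds access, please confirm that the 5.15 version bounds those counters at every increment and decrement site before this lookup; the range-diff elides that part of the patch, so it cannot be checked from this mail alone.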