2021-04-07 21:38:10

by Colin King

[permalink] [raw]
Subject: [PATCH] net: sched: Fix potential infinite loop

From: Colin Ian King <[email protected]>

The for-loop iterates with a u16 loop counter idx and compares this
with the loop upper limit of q->flows_cnt that is a u32 type.
There is a potential infinite loop if q->flows_cnt is larger than
the u8 loop counter. Fix this by making the loop counter the same
type as q->flows_cnt.

Addresses-Coverity: ("Infinite loop")
Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
Signed-off-by: Colin Ian King <[email protected]>
---
net/sched/sch_fq_pie.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c
index 949163fe68af..00563e137ecb 100644
--- a/net/sched/sch_fq_pie.c
+++ b/net/sched/sch_fq_pie.c
@@ -367,7 +367,7 @@ static void fq_pie_timer(struct timer_list *t)
struct fq_pie_sched_data *q = from_timer(q, t, adapt_timer);
struct Qdisc *sch = q->sch;
spinlock_t *root_lock; /* to lock qdisc for probability calculations */
- u16 idx;
+ u32 idx;

root_lock = qdisc_lock(qdisc_root_sleeping(sch));
spin_lock(root_lock);
--
2.30.2


2021-04-07 22:02:13

by Davide Caratti

[permalink] [raw]
Subject: Re: [PATCH] net: sched: Fix potential infinite loop

hello Colin, and thanks for your patch!

On Wed, 2021-04-07 at 17:38 +0100, Colin King wrote:
> From: Colin Ian King <[email protected]>
>
> The for-loop iterates with a u16 loop counter idx and compares this
> with the loop upper limit of q->flows_cnt that is a u32 type.

the value of 'flows_cnt' has 65535 as an upper bound in the ->init()
function, so it should be safe to use an u16 for 'idx'. (BTW, the
infinite loop loop was a real thing, see [1] :) ).

> There is a potential infinite loop if q->flows_cnt is larger than
> the u8 loop counter.

(u16 loop counter, IIUC)

> Fix this by making the loop counter the same
> type as q->flows_cnt.

the same 'for' loop is in fq_pie_init() and fq_pie_reset(): so, in my
opinion just changing fq_pie_timer() to fix an infinite loop is not very
useful: 'idx' is also used as an index for q->flows[], that's allocated
in [2]. Maybe (but I might be wrong) just allowing bigger values might
potentially cause other covscan warnings. WDYT?

> Addresses-Coverity: ("Infinite loop")
> Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
> Signed-off-by: Colin Ian King <[email protected]>

thanks!
--
davide


[1] https://lore.kernel.org/netdev/416eb03a8ca70b5dfb5e882e2752b7fc13c42f92.1590537338.git.dcaratti@redhat.com/
[2] https://elixir.bootlin.com/linux/latest/source/net/sched/sch_fq_pie.c#L417