[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 737d4d91d35b5f7fa5bb442651472277318b0bfd
WARNING: Author mismatch between patch and upstream commit:
Backport author: Hagar Hemdan <hagarhem@amazon.com>
Commit author: Toke Høiland-Jørgensen <toke@redhat.com>

Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (different SHA1: 91bb18950b88)
6.6.y | Present (different SHA1: 27202e2e8721)
6.1.y | Present (different SHA1: a777e06dfc72)
Note: The patch differs from the upstream commit: --- 1: 737d4d91d35b5 ! 1: d4fd1676a9039 sched: sch_cake: add bounds checks to host bulk flow fairness counts @@ Metadata ## Commit message ## sched: sch_cake: add bounds checks to host bulk flow fairness counts
+ [ Upstream commit 737d4d91d35b5f7fa5bb442651472277318b0bfd ] + Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. @@ Commit message Acked-by: Dave Taht dave.taht@gmail.com Link: https://patch.msgid.link/20250107120105.70685-1-toke@redhat.com Signed-off-by: Jakub Kicinski kuba@kernel.org + [Hagar: needed contextual fixes due to missing commit 7e3cf0843fe5] + Signed-off-by: Hagar Hemdan hagarhem@amazon.com
## net/sched/sch_cake.c ## @@ net/sched/sch_cake.c: static bool cake_ddst(int flow_mode) @@ net/sched/sch_cake.c: static bool cake_ddst(int flow_mode) + host_load = max(host_load, + q->hosts[flow->dsthost].dsthost_bulk_flow_count); + -+ /* The get_random_u16() is a way to apply dithering to avoid ++ /* The shifted prandom_u32() is a way to apply dithering to avoid + * accumulating roundoff errors + */ + return (q->flow_quantum * quantum_div[host_load] + -+ get_random_u16()) >> 16; ++ (prandom_u32() >> 16)) >> 16; +} + static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb, @@ net/sched/sch_cake.c: static struct sk_buff *cake_dequeue(struct Qdisc *sch) - - WARN_ON(host_load > CAKE_QUEUES); - -- /* The get_random_u16() is a way to apply dithering to avoid -- * accumulating roundoff errors +- /* The shifted prandom_u32() is a way to apply dithering to +- * avoid accumulating roundoff errors - */ - flow->deficit += (b->flow_quantum * quantum_div[host_load] + -- get_random_u16()) >> 16; +- (prandom_u32() >> 16)) >> 16; + flow->deficit += cake_get_flow_quantum(b, flow, q->flow_mode); list_move_tail(&flow->flowchain, &b->old_flows);
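Review bot: The bracketed backport note in the commit message, "[Hagar: needed contextual fixes due to missing commit 7e3cf0843fe5]", does not say what was actually changed. In the net/sched/sch_cake.c part of the range-diff, the only delta from upstream is get_random_u16() becoming (prandom_u32() >> 16), both in the added cake_get_flow_quantum() body and in the context removed from cake_dequeue(), together with the matching comment text. Naming that substitution in the bracketed note would let a stable reviewer confirm that the dither term is still a 16-bit value added before the final ">> 16", without rereading the range-diff.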
---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        | Success     | Success    |