diff mbox series

[net,1/1] net_sched: sch_fq: Fix out of range band computation

Message ID 20231213165741.93528-1-jhs@mojatatu.com (mailing list archive)
State Rejected
Delegated to: Netdev Maintainers
Headers show
Series [net,1/1] net_sched: sch_fq: Fix out of range band computation | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success SINGLE THREAD; Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1115 this patch: 1115
netdev/cc_maintainers fail 3 blamed authors not CCed: dave.taht@gmail.com willemb@google.com toke@redhat.com; 3 maintainers not CCed: dave.taht@gmail.com willemb@google.com toke@redhat.com
netdev/build_clang success Errors and warnings before: 1142 this patch: 1142
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1142 this patch: 1142
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Jamal Hadi Salim Dec. 13, 2023, 4:57 p.m. UTC 
It is possible to compute a band of 3. Doing so will overrun array
q->band_pkt_count[0-2] boundaries.

Fixes: 29f834aa326e ("net_sched: sch_fq: add 3 bands and WRR scheduling")
Reported-by: Coverity Scan <scan-admin@coverity.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
---
 net/sched/sch_fq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Eric Dumazet Dec. 13, 2023, 5:29 p.m. UTC | #1 
On Wed, Dec 13, 2023 at 5:57 PM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>
> It is possible to compute a band of 3. Doing so will overrun array
> q->band_pkt_count[0-2] boundaries.
>
> Fixes: 29f834aa326e ("net_sched: sch_fq: add 3 bands and WRR scheduling")
> Reported-by: Coverity Scan <scan-admin@coverity.com>
> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
> ---
>  net/sched/sch_fq.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
> index 3a31c47fea9b..217c430343df 100644
> --- a/net/sched/sch_fq.c
> +++ b/net/sched/sch_fq.c
> @@ -159,7 +159,7 @@ struct fq_sched_data {
>  /* return the i-th 2-bit value ("crumb") */
>  static u8 fq_prio2band(const u8 *prio2band, unsigned int prio)
>  {
> -       return (prio2band[prio / 4] >> (2 * (prio & 0x3))) & 0x3;
> +       return (prio2band[prio / 4] >> (2 * (prio & 0x3))) % 0x3;
>  }
>

Are you sure this is needed ?

fq_load_priomap() makes sure this can not happen...
Jamal Hadi Salim Dec. 13, 2023, 5:42 p.m. UTC | #2 
On Wed, Dec 13, 2023 at 12:30 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Wed, Dec 13, 2023 at 5:57 PM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> >
> > It is possible to compute a band of 3. Doing so will overrun array
> > q->band_pkt_count[0-2] boundaries.
> >
> > Fixes: 29f834aa326e ("net_sched: sch_fq: add 3 bands and WRR scheduling")
> > Reported-by: Coverity Scan <scan-admin@coverity.com>
> > Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
> > ---
> >  net/sched/sch_fq.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
> > index 3a31c47fea9b..217c430343df 100644
> > --- a/net/sched/sch_fq.c
> > +++ b/net/sched/sch_fq.c
> > @@ -159,7 +159,7 @@ struct fq_sched_data {
> >  /* return the i-th 2-bit value ("crumb") */
> >  static u8 fq_prio2band(const u8 *prio2band, unsigned int prio)
> >  {
> > -       return (prio2band[prio / 4] >> (2 * (prio & 0x3))) & 0x3;
> > +       return (prio2band[prio / 4] >> (2 * (prio & 0x3))) % 0x3;
> >  }
> >
>
> Are you sure this is needed ?
>

According to coverity static analysis.

> fq_load_priomap() makes sure this can not happen...

True. Sounds like a false positive because coverity sees the masking
with &0x3 and assumes we could get a result of 3.

cheers,
jamal
Eric Dumazet Dec. 13, 2023, 5:42 p.m. UTC | #3 
On Wed, Dec 13, 2023 at 6:29 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Wed, Dec 13, 2023 at 5:57 PM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> >
> > It is possible to compute a band of 3. Doing so will overrun array
> > q->band_pkt_count[0-2] boundaries.
> >
> > Fixes: 29f834aa326e ("net_sched: sch_fq: add 3 bands and WRR scheduling")
> > Reported-by: Coverity Scan <scan-admin@coverity.com>
> > Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
> > ---
> >  net/sched/sch_fq.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
> > index 3a31c47fea9b..217c430343df 100644
> > --- a/net/sched/sch_fq.c
> > +++ b/net/sched/sch_fq.c
> > @@ -159,7 +159,7 @@ struct fq_sched_data {
> >  /* return the i-th 2-bit value ("crumb") */
> >  static u8 fq_prio2band(const u8 *prio2band, unsigned int prio)
> >  {
> > -       return (prio2band[prio / 4] >> (2 * (prio & 0x3))) & 0x3;
> > +       return (prio2band[prio / 4] >> (2 * (prio & 0x3))) % 0x3;
> >  }
> >
>
> Are you sure this is needed ?
>
> fq_load_priomap() makes sure this can not happen...

Yeah, I am pretty sure this patch is incorrect, we need to mask to get
only two bits.
Jamal Hadi Salim Dec. 13, 2023, 5:53 p.m. UTC | #4 
On Wed, Dec 13, 2023 at 12:42 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Wed, Dec 13, 2023 at 6:29 PM Eric Dumazet <edumazet@google.com> wrote:
> >
> > On Wed, Dec 13, 2023 at 5:57 PM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> > >
> > > It is possible to compute a band of 3. Doing so will overrun array
> > > q->band_pkt_count[0-2] boundaries.
> > >
> > > Fixes: 29f834aa326e ("net_sched: sch_fq: add 3 bands and WRR scheduling")
> > > Reported-by: Coverity Scan <scan-admin@coverity.com>
> > > Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
> > > ---
> > >  net/sched/sch_fq.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
> > > index 3a31c47fea9b..217c430343df 100644
> > > --- a/net/sched/sch_fq.c
> > > +++ b/net/sched/sch_fq.c
> > > @@ -159,7 +159,7 @@ struct fq_sched_data {
> > >  /* return the i-th 2-bit value ("crumb") */
> > >  static u8 fq_prio2band(const u8 *prio2band, unsigned int prio)
> > >  {
> > > -       return (prio2band[prio / 4] >> (2 * (prio & 0x3))) & 0x3;
> > > +       return (prio2band[prio / 4] >> (2 * (prio & 0x3))) % 0x3;
> > >  }
> > >
> >
> > Are you sure this is needed ?
> >
> > fq_load_priomap() makes sure this can not happen...
>
> Yeah, I am pretty sure this patch is incorrect, we need to mask to get
> only two bits.

The check in fq_load_priomap() is what makes it moot. Masking with
b'11 could result in b'11. Definitely the modulo will guarantee
whatever results can only be in the range 0..2. But it is not needed.

cheers,
jamal
Eric Dumazet Dec. 13, 2023, 6:04 p.m. UTC | #5 
On Wed, Dec 13, 2023 at 6:53 PM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>
> On Wed, Dec 13, 2023 at 12:42 PM Eric Dumazet <edumazet@google.com> wrote:
> >
> > On Wed, Dec 13, 2023 at 6:29 PM Eric Dumazet <edumazet@google.com> wrote:
> > >
> > > On Wed, Dec 13, 2023 at 5:57 PM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> > > >
> > > > It is possible to compute a band of 3. Doing so will overrun array
> > > > q->band_pkt_count[0-2] boundaries.
> > > >
> > > > Fixes: 29f834aa326e ("net_sched: sch_fq: add 3 bands and WRR scheduling")
> > > > Reported-by: Coverity Scan <scan-admin@coverity.com>
> > > > Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
> > > > ---
> > > >  net/sched/sch_fq.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
> > > > index 3a31c47fea9b..217c430343df 100644
> > > > --- a/net/sched/sch_fq.c
> > > > +++ b/net/sched/sch_fq.c
> > > > @@ -159,7 +159,7 @@ struct fq_sched_data {
> > > >  /* return the i-th 2-bit value ("crumb") */
> > > >  static u8 fq_prio2band(const u8 *prio2band, unsigned int prio)
> > > >  {
> > > > -       return (prio2band[prio / 4] >> (2 * (prio & 0x3))) & 0x3;
> > > > +       return (prio2band[prio / 4] >> (2 * (prio & 0x3))) % 0x3;
> > > >  }
> > > >
> > >
> > > Are you sure this is needed ?
> > >
> > > fq_load_priomap() makes sure this can not happen...
> >
> > Yeah, I am pretty sure this patch is incorrect, we need to mask to get
> > only two bits.
>
> The check in fq_load_priomap() is what makes it moot. Masking with
> b'11 could result in b'11. Definitely the modulo will guarantee
> whatever results can only be in the range 0..2. But it is not needed.
>
>


Modulo would be incorrect, since it would use high order bits.

(0x22 % 3) is different than (0x22 & 3)

Had you written:

return ((prio2band[prio / 4] >> (2 * (prio & 0x3))) & 0x3) % 3)

Then yes, the last % 3 would be "not needed"
diff mbox series

Patch

diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
index 3a31c47fea9b..217c430343df 100644
--- a/net/sched/sch_fq.c
+++ b/net/sched/sch_fq.c
@@ -159,7 +159,7 @@  struct fq_sched_data {
 /* return the i-th 2-bit value ("crumb") */
 static u8 fq_prio2band(const u8 *prio2band, unsigned int prio)
 {
-	return (prio2band[prio / 4] >> (2 * (prio & 0x3))) & 0x3;
+	return (prio2band[prio / 4] >> (2 * (prio & 0x3))) % 0x3;
 }
 
 /*