Re: [PATCH net v4 5/8] net/sched: netem: batch-transfer ready packets to avoid child re-entrancy

Next message: Simon Horman: "Re: [PATCH net v4 4/8] net/sched: netem: refactor dequeue into helper functions"
Previous message: Jiayuan Chen: "[PATCH net v6 2/2] selftests/bpf: add test for xdp_master_redirect with bond not up"
In reply to: Simon Horman: "Re: [PATCH net v4 5/8] net/sched: netem: batch-transfer ready packets to avoid child re-entrancy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Simon Horman

Date: Fri Apr 10 2026 - 07:46:08 EST

On Mon, Apr 06, 2026 at 10:25:13AM -0700, Stephen Hemminger wrote:
> netem_dequeue_child() previously transferred one packet from the tfifo
> to the child qdisc per dequeue call. Parents like HFSC that track
> class active/inactive state on qlen transitions could see an enqueue
> during dequeue, causing double-insertion into the eltree
> (CVE-2025-37890, CVE-2025-38001). Non-work-conserving children like
> TBF could also refuse to return a just-enqueued packet, making netem
> return NULL despite having backlog, which causes parents like DRR to
> incorrectly deactivate the class.
>
> Move all time-ready packets into the child before calling its dequeue.
> This separates the enqueue and dequeue phases so the parent sees
> consistent qlen transitions.
>
> Fixes: 50612537e9ab ("netem: fix classful handling")
>

nit: no blank line here

> Signed-off-by: Stephen Hemminger <stephen@xxxxxxxxxxxxxxxxxx>

I forwarded an AI generated review separately.
Because I couldn't convince myself it wasn't valid.

...