On 5/9/25 11:47 PM, [email protected] wrote:
> +struct dualpi2_sched_data {
> +     struct Qdisc *l_queue;  /* The L4S Low latency queue (L-queue) */
> +     struct Qdisc *sch;      /* The Classic queue (C-queue) */
> +
> +     /* Registered tc filters */
> +     struct tcf_proto __rcu *tcf_filters;
> +     struct tcf_block *tcf_block;
> +
> +     /* PI2 parameters */
> +     u64     pi2_target;     /* Target delay in nanoseconds */
> +     u32     pi2_tupdate;    /* Timer frequency in nanoseconds */
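Review bot: pi2_tupdate is a u32 while pi2_target on the line above is a u64, so an interval held in nanoseconds tops out at roughly 4.29 s and a larger user-supplied value converted from seconds wraps silently. Either widen the field to u64 to match pi2_target, or reject values above the representable maximum when the netlink attribute is parsed, before the conversion happens. The comment "Timer frequency in nanoseconds" also mixes units; tupdate is an update interval, so the comment should say "Update interval in nanoseconds".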

AFAICS this can be written from user-space, without any upper bound,
causing an integer overflow after converting the frequency from seconds
to nsec.

> +static enum hrtimer_restart dualpi2_timer(struct hrtimer *timer)
> +{
> +     struct dualpi2_sched_data *q = from_timer(q, timer, pi2_timer);
> +
> +     WRITE_ONCE(q->pi2_prob, calculate_probability(q->sch));
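Review bot: the call to calculate_probability(q->sch) happens in the hrtimer callback without the qdisc root lock, so the queue state it reads can be changed concurrently by the enqueue and dequeue paths and the computed probability may be based on a torn view. Take the root lock around the call (spinlock from qdisc_lock(q->sch)), using an irq-safe variant since an hrtimer callback can run in interrupt context, and document in a comment which fields calculate_probability() depends on. The WRITE_ONCE() on pi2_prob only pairs with a READ_ONCE() on the consumer side; the path that reads the probability is not in this hunk and should be checked for that.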

This runs without acquiring the qdisc_lock(). The state accessed by
calculate_probability() could be inconsistent. You likely need to
acquire the qdisc_lock here.

/P