Commit 6bafcac3 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

sch_qfq: fix overflow in qfq_update_start()

grp->slot_shift is between 22 and 41, so using 32bit wide variables is
probably a typo.

This could explain QFQ hangs Dave reported to me, after 2^23 packets ?

(23 = 64 - 41)
Reported-by: default avatarDave Taht <dave.taht@gmail.com>
Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
CC: Stephen Hemminger <shemminger@vyatta.com>
CC: Dave Taht <dave.taht@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 115e8e70
...@@ -817,11 +817,11 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch) ...@@ -817,11 +817,11 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch)
static void qfq_update_start(struct qfq_sched *q, struct qfq_class *cl) static void qfq_update_start(struct qfq_sched *q, struct qfq_class *cl)
{ {
unsigned long mask; unsigned long mask;
uint32_t limit, roundedF; u64 limit, roundedF;
int slot_shift = cl->grp->slot_shift; int slot_shift = cl->grp->slot_shift;
roundedF = qfq_round_down(cl->F, slot_shift); roundedF = qfq_round_down(cl->F, slot_shift);
limit = qfq_round_down(q->V, slot_shift) + (1UL << slot_shift); limit = qfq_round_down(q->V, slot_shift) + (1ULL << slot_shift);
if (!qfq_gt(cl->F, q->V) || qfq_gt(roundedF, limit)) { if (!qfq_gt(cl->F, q->V) || qfq_gt(roundedF, limit)) {
/* timestamp was stale */ /* timestamp was stale */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment