Commit 90be9fed authored Apr 17, 2026 by Stephen Hemminger Committed by Jakub Kicinski Apr 27, 2026

net/sched: netem: check for negative latency and jitter



Reject requests with negative latency or jitter.
A negative value added to current timestamp (u64) wraps
to an enormous time_to_send, disabling dequeue.
The original UAPI used u32 for these values; the conversion to 64-bit
time values via TCA_NETEM_LATENCY64 and TCA_NETEM_JITTER64
allowed signed values to reach the kernel without validation.

Jitter is already silently clamped by an abs() in netem_change();
that abs() can be removed in a follow-up once this rejection is in
place.

Fixes: 99803171 ("netem: add uapi to express delay and jitter in nanoseconds")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-7-stephen@networkplumber.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 51e94e1e

net/sched/sch_netem.c

+22 −0

Original line number	Diff line number	Diff line
		@@ -826,6 +826,16 @@ static int get_dist_table(struct disttable *tbl, const struct nlattr attr)
		return 0;
		}

		static int validate_time(const struct nlattr attr, const char name,
		struct netlink_ext_ack *extack)
		{
		if (nla_get_s64(attr) < 0) {
		NL_SET_ERR_MSG_ATTR_FMT(extack, attr, "negative %s", name);
		return -EINVAL;
		}
		return 0;
		}

		static int validate_slot(const struct nlattr attr, struct netlink_ext_ack extack)
		{
		const struct tc_netem_slot *c = nla_data(attr);
		@@ -1068,6 +1078,18 @@ static int netem_change(struct Qdisc sch, struct nlattr opt,
		goto table_free;
		}

		if (tb[TCA_NETEM_LATENCY64]) {
		ret = validate_time(tb[TCA_NETEM_LATENCY64], "latency", extack);
		if (ret)
		goto table_free;
		}

		if (tb[TCA_NETEM_JITTER64]) {
		ret = validate_time(tb[TCA_NETEM_JITTER64], "jitter", extack);
		if (ret)
		goto table_free;
		}

		sch_tree_lock(sch);
		/* backup q->clg and q->loss_model */
		old_clg = q->clg;