[ 3.5.y.z extended stable ] Patch "htb: fix sign extension bug" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Fri Sep 20 19:33:40 UTC 2013

This is a note to let you know that I have just added a patch titled

    htb: fix sign extension bug

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:


If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



>From 768105325128f1993ab1105225005c552ec834f0 Mon Sep 17 00:00:00 2001
From: stephen hemminger <stephen at networkplumber.org>
Date: Thu, 1 Aug 2013 22:32:07 -0700
Subject: [PATCH] htb: fix sign extension bug

commit cbd375567f7e4811b1c721f75ec519828ac6583f upstream.

When userspace passes a large priority value
the assignment of the unsigned value hopt->prio
to  signed int cl->prio causes cl->prio to become negative and the
comparison is with TC_HTB_NUMPRIO is always false.

The result is that HTB crashes by referencing outside
the array when processing packets. With this patch the large value
wraps around like other values outside the normal range.

See: https://bugzilla.kernel.org/show_bug.cgi?id=60669

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
Acked-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
 net/sched/sch_htb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index e9ea2f3..6f15bd1 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -86,7 +86,7 @@ struct htb_class {
 	unsigned int children;
 	struct htb_class *parent;	/* parent class */

-	int prio;		/* these two are used only by leaves... */
+	u32 prio;		/* these two are used only by leaves... */
 	int quantum;		/* but stored for parent-to-leaf return */

 	union {

More information about the kernel-team mailing list