From patchwork Fri Oct 13 15:10:56 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pedro Tammela X-Patchwork-Id: 13420995 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8C98418E20 for ; Fri, 13 Oct 2023 15:11:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=mojatatu-com.20230601.gappssmtp.com header.i=@mojatatu-com.20230601.gappssmtp.com header.b="yS7967Ci" Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 543F4CA for ; Fri, 13 Oct 2023 08:11:14 -0700 (PDT) Received: by mail-ot1-x32f.google.com with SMTP id 46e09a7af769-6c4f1f0774dso1459627a34.2 for ; Fri, 13 Oct 2023 08:11:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mojatatu-com.20230601.gappssmtp.com; s=20230601; t=1697209873; x=1697814673; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=b73NidNwA2qI/73YayEw70kSAtJX/7MJfo52+MbiIWc=; b=yS7967CiJHDz/5UyamgQ20hp+1oOfjGfsUF7mzUDzYL8bBWJq1wkyv+fJsIVl4L8OZ Dj53YSxvn3HeKTZvf3VAKhgV49wEUx+j1ScAms+KXTgy/M6/6Bv+6NhblIL5J7nhCbwv zZtWwcS1ixEyFrzcAW01GwLGYy6/9ZrR1M0tntro8mc0d0F4kzkX/LAs665jSbIfUc5H FCusBQQFjL0EeY9azNxBiGalSVzfw78vr5WIgz9vpvQSCkgee2+L34NRb5mRLlMewRDf PzdJBdNsPyT/UHnwqJ887/ajBWPnTWeaKNIl32OaE57lz+S1JdhcxxDHnblwrQIUo1eS Se7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697209873; x=1697814673; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=b73NidNwA2qI/73YayEw70kSAtJX/7MJfo52+MbiIWc=; b=tM9DNXO/5Ao7dhQ3cj0JjW+iXvtRpmmWWWASPmn7vy7RSmoAP6b1TF0vAdcYbfYhjx a7aLjOwDY+boIu2Zj/om5kiywO5+bjv/EoyhA/CXctMyP+kK/K97LiILBzsNkQNwU9Tx /mt3Now85rWMf+ZThSLQpBQlhsatSdeJYDsN63NbaixP7S2cl6ZZmjY5DvVg7vwxXMrQ Bv/rp2kUPnPmKDtsL4gQG/DoIHw9udBQiA2GJ5DQd2U2uGVfhSe4QLgZRmVSnoFpipb9 eGh4NhhSinl3EZgqBZ+Qkoxt5UCfhnDWfJG3au0zDCaDNxqwav2WKrnZfsAvN3bkFqCw j8uw== X-Gm-Message-State: AOJu0YwCVDWQBhe5Hi7UmxJxOL9tE5qp/awFLjRDNWbQVNNCG2m5zPKi 5FOvgKvUn/sIe7macJKO+x6r88cekexGpH/xGrrZhg== X-Google-Smtp-Source: AGHT+IEnbvRCpWnsLkIG3snCS0hWRijI5iVVKoIoOwIMddzqwXI4HGIgMSiuG748HBsv7g5/uX0D+A== X-Received: by 2002:a9d:6c04:0:b0:6bd:bb7e:3dfe with SMTP id f4-20020a9d6c04000000b006bdbb7e3dfemr28266941otq.6.1697209873599; Fri, 13 Oct 2023 08:11:13 -0700 (PDT) Received: from rogue-one.tail33bf8.ts.net ([2804:14d:5c5e:44fb:aa18:90b1:177c:3fd3]) by smtp.gmail.com with ESMTPSA id w18-20020aa78592000000b0064f76992905sm13716881pfn.202.2023.10.13.08.11.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 Oct 2023 08:11:13 -0700 (PDT) From: Pedro Tammela To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, Pedro Tammela Subject: [PATCH net 1/2] Revert "net/sched: sch_hfsc: Ensure inner classes have fsc curve" Date: Fri, 13 Oct 2023 12:10:56 -0300 Message-Id: <20231013151057.2611860-2-pctammela@mojatatu.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20231013151057.2611860-1-pctammela@mojatatu.com> References: <20231013151057.2611860-1-pctammela@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org This reverts commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f. Signed-off-by: Pedro Tammela --- net/sched/sch_hfsc.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c index 3554085bc2be..98805303218d 100644 --- a/net/sched/sch_hfsc.c +++ b/net/sched/sch_hfsc.c @@ -1011,10 +1011,6 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid, if (parent == NULL) return -ENOENT; } - if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) { - NL_SET_ERR_MSG(extack, "Invalid parent - parent class must have FSC"); - return -EINVAL; - } if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0) return -EINVAL; From patchwork Fri Oct 13 15:10:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pedro Tammela X-Patchwork-Id: 13420996 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B219119BDC for ; Fri, 13 Oct 2023 15:11:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=mojatatu-com.20230601.gappssmtp.com header.i=@mojatatu-com.20230601.gappssmtp.com header.b="1g6efEz1" Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BB46DBD for ; Fri, 13 Oct 2023 08:11:17 -0700 (PDT) Received: by mail-pf1-x42f.google.com with SMTP id d2e1a72fcca58-6b36e1fcea0so513862b3a.1 for ; Fri, 13 Oct 2023 08:11:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mojatatu-com.20230601.gappssmtp.com; s=20230601; t=1697209877; x=1697814677; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Et4aQ4p14to5tbANw/8rnLA31aavpP5b9TAwFBI5Rk4=; b=1g6efEz1hjku4NBTuuKyNk3OgamORJsEE9/75kAGESPL/8qRteUO4UoZRPq2dbiJwI eWVRDA8rq791hV2oyX/wdfkltgPQNV9fsMkco+6lU+2HN6ZgAXlmMww/+NpcNZheUtFk eWmNbXY00dSq5B4XYaliQQpws3iOEtNiFTd9UcIOtNJ6ymey0kGdSW8yp2tswdHhfqTx ZgWQ8/409dOhltkcgDV/5fR5XSPMoxjT3gP8CtII7ZpLZibY9KCVVXcWvPOyHHTp23Mr J22bebsTvnYZ6pUoOarM5cb1A735wnGFtoi6cmwOmeOHpIHh6p2uPK8HWMHlcTZ6dKAN 0DEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697209877; x=1697814677; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Et4aQ4p14to5tbANw/8rnLA31aavpP5b9TAwFBI5Rk4=; b=QfANB81YG1/gG1cf+BaFiS+kogAPSGXJk4dTIothBQ93SvsGB9ag78p14OZjHJC5h3 upgcuYFnXIa45UCDlHfrT6Gh+ImtvdHY6jhV5gwwm3mnPULKlG7kACDZWn1cqtP5BjUN Gs27hllIy3U8fjK65d0vPfH8Rgb5Ph/lAO6LdJdi1a7fDDiUrsF6ve8ilcNc3Ih3XnYc ukkxMoQu68MNlUAxy25Iy4CSgkiPvMu5SXpzIhEqiUTNNTBKeNbMexKBNWE/CyAE+NmF VQ2PdVkXf+9/ykhEcN89K2wUleCxDI59yJe56cwHTKOmk+goKyGzloDV3lg0ghgGRsg1 aqpw== X-Gm-Message-State: AOJu0Yx8IUSx6j4hNFAoWijdLUkgIWYFneWN8acle9q7H/vmal4LDP6/ lTsMFXVHa13mq8UMTPgSnovLIJaXgMeEzUmDmWt3GA== X-Google-Smtp-Source: AGHT+IFN7XyFUEsQydS2g5aTMvIPjnewPo6Jo54CHn8bGaTdItcYrl7KG5qx3SYWZGu6kW3gWqdp0Q== X-Received: by 2002:a05:6a00:1389:b0:6b2:baa0:6d4c with SMTP id t9-20020a056a00138900b006b2baa06d4cmr2224729pfg.33.1697209876878; Fri, 13 Oct 2023 08:11:16 -0700 (PDT) Received: from rogue-one.tail33bf8.ts.net ([2804:14d:5c5e:44fb:aa18:90b1:177c:3fd3]) by smtp.gmail.com with ESMTPSA id w18-20020aa78592000000b0064f76992905sm13716881pfn.202.2023.10.13.08.11.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 Oct 2023 08:11:16 -0700 (PDT) From: Pedro Tammela To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, Pedro Tammela , Christian Theune , Budimir Markovic Subject: [PATCH net 2/2] net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve Date: Fri, 13 Oct 2023 12:10:57 -0300 Message-Id: <20231013151057.2611860-3-pctammela@mojatatu.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20231013151057.2611860-1-pctammela@mojatatu.com> References: <20231013151057.2611860-1-pctammela@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org Christian Theune says: I upgraded from 6.1.38 to 6.1.55 this morning and it broke my traffic shaping script, leaving me with a non-functional uplink on a remote router. A 'rt' curve cannot be used as a inner curve (parent class), but we were allowing such configurations since the qdisc was introduced. Such configurations would trigger a UAF as Budimir explains: The parent will have vttree_insert() called on it in init_vf(), but will not have vttree_remove() called on it in update_vf() because it does not have the HFSC_FSC flag set. The qdisc always assumes that inner classes have the HFSC_FSC flag set. This is by design as it doesn't make sense 'qdisc wise' for an 'rt' curve to be an inner curve. Budimir's original patch disallows users to add classes with a 'rt' parent, but this is too strict as it breaks users that have been using 'rt' as a inner class. Another approach, taken by this patch, is to upgrade the inner 'rt' into a 'sc', warning the user in the process. It avoids the UAF reported by Budimir while also being more permissive to bad scripts/users/code using 'rt' as a inner class. Users checking the `tc class ls [...]` or `tc class get [...]` dumps would observe the curve change and are potentially breaking with this change. Cc: Christian Theune Cc: Budimir Markovic Fixes: 0c9570eeed69 ("net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve") Signed-off-by: Pedro Tammela --- net/sched/sch_hfsc.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c index 98805303218d..880c5f16b29c 100644 --- a/net/sched/sch_hfsc.c +++ b/net/sched/sch_hfsc.c @@ -902,6 +902,14 @@ hfsc_change_usc(struct hfsc_class *cl, struct tc_service_curve *usc, cl->cl_flags |= HFSC_USC; } +static void +hfsc_upgrade_rt(struct hfsc_class *cl) +{ + cl->cl_fsc = cl->cl_rsc; + rtsc_init(&cl->cl_virtual, &cl->cl_fsc, cl->cl_vt, cl->cl_total); + cl->cl_flags |= HFSC_FSC; +} + static const struct nla_policy hfsc_policy[TCA_HFSC_MAX + 1] = { [TCA_HFSC_RSC] = { .len = sizeof(struct tc_service_curve) }, [TCA_HFSC_FSC] = { .len = sizeof(struct tc_service_curve) }, @@ -1061,6 +1069,12 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid, cl->cf_tree = RB_ROOT; sch_tree_lock(sch); + /* Check if the inner class is a misconfigured 'rt' */ + if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) { + NL_SET_ERR_MSG(extack, + "Forced curve change on parent 'rt' to 'sc'"); + hfsc_upgrade_rt(parent); + } qdisc_class_hash_insert(&q->clhash, &cl->cl_common); list_add_tail(&cl->siblings, &parent->children); if (parent->level == 0)