From patchwork Sun Jan 26 04:12:21 2025
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 13950564
X-Patchwork-Delegate: kuba@kernel.org
From: Cong Wang
To: netdev@vger.kernel.org
Cc: jhs@mojatatu.com, jiri@resnulli.us, quanglex97@gmail.com, mincho@theori.io, Cong Wang
Subject: [Patch net v2 1/4] pfifo_tail_enqueue: Drop new packet when sch->limit == 0
Date: Sat, 25 Jan 2025 20:12:21 -0800
Message-Id: <20250126041224.366350-2-xiyou.wangcong@gmail.com>
In-Reply-To: <20250126041224.366350-1-xiyou.wangcong@gmail.com>
References: <20250126041224.366350-1-xiyou.wangcong@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Quang Le

Expected behaviour:
  In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a
  packet in scheduler's queue and decrease scheduler's qlen by one.
  Then, pfifo_tail_enqueue() enqueues the new packet and increases
  scheduler's qlen by one. Finally, pfifo_tail_enqueue() returns the
  `NET_XMIT_CN` status code.

Weird behaviour:
  In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a
  scheduler that has no packet, the 'drop a packet' step will do nothing.
  This means the scheduler's qlen still has a value equal to 0.
  Then, we continue to enqueue the new packet and increase scheduler's
  qlen by one. In summary, we can leverage pfifo_tail_enqueue() to
  increase qlen by one and return the `NET_XMIT_CN` status code.

The problem is:
  Let's say we have two qdiscs: Qdisc_A and Qdisc_B.
   - Qdisc_A's type must have a '->graft()' function to create a
     parent/child relationship. Let's say Qdisc_A's type is `hfsc`.
     Enqueuing a packet to this qdisc will trigger `hfsc_enqueue`.
   - Qdisc_B's type is pfifo_head_drop. Enqueuing a packet to this qdisc
     will trigger `pfifo_tail_enqueue`.
   - Qdisc_B is configured to have `sch->limit == 0`.
   - Qdisc_A is configured to route the enqueued packet to Qdisc_B.

  Enqueuing a packet through Qdisc_A will lead to:
   - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)
   - Qdisc_B->q.qlen += 1
   - pfifo_tail_enqueue() returns `NET_XMIT_CN`
   - hfsc_enqueue() checks for `NET_XMIT_SUCCESS` and sees `NET_XMIT_CN`
     => hfsc_enqueue() doesn't increase the qlen of Qdisc_A.

  The whole process leads to a situation where Qdisc_A->q.qlen == 0 and
  Qdisc_B->q.qlen == 1. Replacing 'hfsc' with another type (for example:
  'drr') still leads to the same problem.
  This violates the design where the parent's qlen should equal the sum
  of its children's qlen.

Bug impact: This issue can be used for user->kernel privilege escalation
when it is reachable.

Reported-by: Quang Le
Signed-off-by: Quang Le
Signed-off-by: Cong Wang
---
 net/sched/sch_fifo.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c index b50b2c2cc09b..e6bfd39ff339 100644 --- a/net/sched/sch_fifo.c +++ b/net/sched/sch_fifo.c 
@@ -40,6 +40,9 @@ static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc *sch, { unsigned int prev_backlog; + if (unlikely(READ_ONCE(sch->limit) == 0)) + return qdisc_drop(skb, sch, to_free); + if (likely(sch->q.qlen < READ_ONCE(sch->limit))) return qdisc_enqueue_tail(skb, sch);
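
Review bot: In the pfifo_tail_enqueue() hunk, sch->limit is now loaded twice with READ_ONCE(), once in the added `== 0` check and again in the existing `sch->q.qlen < READ_ONCE(sch->limit)` test, so the two comparisons are not guaranteed to see the same value. If the limit can change concurrently (the READ_ONCE() annotation suggests it can), the second load may observe 0 after the first observed a non-zero value, and an empty queue would then fall through to the head-drop path the commit message describes. Consider reading the limit once into a local, e.g. `unsigned int limit = READ_ONCE(sch->limit);`, and using it for both checks. A one-line comment above the new check saying why limit == 0 must not reach the head-drop path would also help, and the commit message carries no Fixes: tag to guide backports.
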
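
The accounting mismatch that the commit message of patch 1/4 describes, as a user-space C model added here for illustration; it is not kernel code and not part of the patch. The `model_qdisc` struct and the functions `child_enqueue()`, `parent_enqueue()`, `qlen_mismatch()` and `patched_drops()` are hypothetical names, and the model assumes the parent counts a packet only on `NET_XMIT_SUCCESS`, as the message states for `hfsc_enqueue()`.

```c
/* User-space model of the qlen accounting described in patch 1/4.
 * Not kernel code: all struct and function names are hypothetical. */
#include <stdio.h>

/* Same numeric values as the kernel's NET_XMIT_SUCCESS/DROP/CN. */
enum { XMIT_SUCCESS = 0, XMIT_DROP = 1, XMIT_CN = 2 };

struct model_qdisc {
    unsigned int qlen;   /* packets the qdisc believes it holds */
    unsigned int limit;  /* configured packet limit */
    unsigned int drops;  /* packets refused by the limit == 0 check */
};

/* Child: head-drop FIFO. `patched` selects the limit == 0 early drop. */
static int child_enqueue(struct model_qdisc *q, int patched)
{
    if (patched && q->limit == 0) {
        q->drops++;
        return XMIT_DROP;       /* new packet refused, qlen untouched */
    }
    if (q->qlen < q->limit) {
        q->qlen++;
        return XMIT_SUCCESS;
    }
    if (q->qlen > 0)            /* "drop a packet": a no-op when empty */
        q->qlen--;
    q->qlen++;                  /* the new packet is enqueued regardless */
    return XMIT_CN;
}

/* Parent: counts a packet only when the child reports success. */
static int parent_enqueue(struct model_qdisc *parent,
                          struct model_qdisc *child, int patched)
{
    int ret = child_enqueue(child, patched);

    if (ret == XMIT_SUCCESS)
        parent->qlen++;
    return ret;
}

/* Enqueue n packets through parent -> child and return child qlen minus
 * parent qlen. Zero means the parent/child invariant holds. */
static int qlen_mismatch(unsigned int limit, unsigned int n, int patched)
{
    struct model_qdisc parent = { 0, 0, 0 };
    struct model_qdisc child = { 0, limit, 0 };

    for (unsigned int i = 0; i < n; i++)
        parent_enqueue(&parent, &child, patched);
    return (int)child.qlen - (int)parent.qlen;
}

/* Packets refused by a patched child after n enqueues. */
static unsigned int patched_drops(unsigned int limit, unsigned int n)
{
    struct model_qdisc parent = { 0, 0, 0 };
    struct model_qdisc child = { 0, limit, 0 };

    for (unsigned int i = 0; i < n; i++)
        parent_enqueue(&parent, &child, 1);
    return child.drops;
}

int main(void)
{
    printf("limit=0 unpatched: mismatch %d\n", qlen_mismatch(0, 2, 0));
    printf("limit=0 patched:   mismatch %d\n", qlen_mismatch(0, 2, 1));
    printf("limit=1 unpatched: mismatch %d\n", qlen_mismatch(1, 5, 0));
    printf("limit=0 patched:   drops %u\n", patched_drops(0, 2));
    return 0;
}
```

With a non-zero limit the head drop and the new enqueue cancel out, so the mismatch appears only for limit 0 on the unpatched path; the patched drop count for two packets matches the `dropped 2` that selftest d774 in patch 2/4 expects.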

From patchwork Sun Jan 26 04:12:22 2025
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 13950565
X-Patchwork-Delegate: kuba@kernel.org
From: Cong Wang
To: netdev@vger.kernel.org
Cc: jhs@mojatatu.com, jiri@resnulli.us, quanglex97@gmail.com, mincho@theori.io, Cong Wang
Subject: [Patch net v2 2/4] selftests/tc-testing: Add a test case for pfifo_head_drop qdisc when limit==0
Date: Sat, 25 Jan 2025 20:12:22 -0800
Message-Id: <20250126041224.366350-3-xiyou.wangcong@gmail.com>
In-Reply-To: <20250126041224.366350-1-xiyou.wangcong@gmail.com>
References: <20250126041224.366350-1-xiyou.wangcong@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Quang Le

When limit == 0, pfifo_tail_enqueue() must drop the new packet and
increase the dropped packets count of the qdisc.

All test results:

1..16
ok 1 a519 - Add bfifo qdisc with system default parameters on egress
ok 2 585c - Add pfifo qdisc with system default parameters on egress
ok 3 a86e - Add bfifo qdisc with system default parameters on egress with handle of maximum value
ok 4 9ac8 - Add bfifo qdisc on egress with queue size of 3000 bytes
ok 5 f4e6 - Add pfifo qdisc on egress with queue size of 3000 packets
ok 6 b1b1 - Add bfifo qdisc with system default parameters on egress with invalid handle exceeding maximum value
ok 7 8d5e - Add bfifo qdisc on egress with unsupported argument
ok 8 7787 - Add pfifo qdisc on egress with unsupported argument
ok 9 c4b6 - Replace bfifo qdisc on egress with new queue size
ok 10 3df6 - Replace pfifo qdisc on egress with new queue size
ok 11 7a67 - Add bfifo qdisc on egress with queue size in invalid format
ok 12 1298 - Add duplicate bfifo qdisc on egress
ok 13 45a0 - Delete nonexistent bfifo qdisc
ok 14 972b - Add prio qdisc on egress with invalid format for handles
ok 15 4d39 - Delete bfifo qdisc twice
ok 16 d774 - Check pfifo_head_drop qdisc enqueue behaviour when limit == 0

Signed-off-by: Quang Le
Signed-off-by: Cong Wang
---
 .../tc-testing/tc-tests/qdiscs/fifo.json | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fifo.json b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fifo.json index ae3d286a32b2..94f6456ab460 100644 --- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fifo.json +++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fifo.json
@@ -313,6 +313,31 @@ "matchPattern": "qdisc bfifo 1: root", "matchCount": "0", "teardown": [ + ] + }, + { + "id": "d774", + "name": "Check pfifo_head_drop qdisc enqueue behaviour when limit == 0", + "category": [ + "qdisc", + "pfifo_head_drop" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "$IP link add dev $DUMMY mtu 1279 type dummy || true", + "$IP addr add 10.10.10.10/24 dev $DUMMY || true", + "$TC qdisc add dev $DUMMY root handle 1: pfifo_head_drop limit 0", + "$IP link set dev $DUMMY up || true" + ], + "cmdUnderTest": "ping -c2 -W0.01 -I $DUMMY 10.10.10.1", + "expExitCode": "1", + "verifyCmd": "$TC -s qdisc show dev $DUMMY", + "matchPattern": "dropped 2", + "matchCount": "1", + "teardown": [ + "$IP link del dev $DUMMY" ] } ]
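
Review bot: In test d774, `"matchPattern": "dropped 2"` is an unanchored substring, so it also matches counts such as `dropped 20`; since `$TC -s qdisc show` prints the counter as `dropped N,`, including the trailing comma (`"dropped 2,"`) would make the check exact. The `mtu 1279` in the first setup command is unexplained; if it is there to keep other traffic off the dummy device so that only the two ping packets are counted, say so in the commit message, because the expected count depends on it. The `|| true` on `$IP link add` and `$IP addr add` also hides setup failures that would otherwise explain a wrong drop count.
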

From patchwork Sun Jan 26 04:12:23 2025
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 13950566
X-Patchwork-Delegate: kuba@kernel.org
From: Cong Wang
To: netdev@vger.kernel.org
Cc: jhs@mojatatu.com, jiri@resnulli.us, quanglex97@gmail.com, mincho@theori.io, Cong Wang, Martin Ottens
Subject: [Patch net v2 3/4] netem: update sch->q.qlen before qdisc_tree_reduce_backlog()
Date: Sat, 25 Jan 2025 20:12:23 -0800
Message-Id: <20250126041224.366350-4-xiyou.wangcong@gmail.com>
In-Reply-To: <20250126041224.366350-1-xiyou.wangcong@gmail.com>
References: <20250126041224.366350-1-xiyou.wangcong@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Cong Wang

qdisc_tree_reduce_backlog() notifies parent qdisc only if child
qdisc becomes empty, therefore we need to reduce the backlog of the
child qdisc before calling it. Otherwise it would become a nop and
result in UAF in DRR case (which is integrated in the following patch).

Fixes: f8d4bc455047 ("net/sched: netem: account for backlog updates from child qdisc")
Cc: Martin Ottens
Reported-by: Mingi Cho
Signed-off-by: Cong Wang
---
 net/sched/sch_netem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c index 71ec9986ed37..fdd79d3ccd8c 100644 --- a/net/sched/sch_netem.c +++ b/net/sched/sch_netem.c
@@ -749,9 +749,9 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) if (err != NET_XMIT_SUCCESS) { if (net_xmit_drop_count(err)) qdisc_qstats_drop(sch); - qdisc_tree_reduce_backlog(sch, 1, pkt_len); sch->qstats.backlog -= pkt_len; sch->q.qlen--; + qdisc_tree_reduce_backlog(sch, 1, pkt_len); } goto tfifo_dequeue; }
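
Review bot: In netem_dequeue(), the fix depends entirely on statement order and nothing in the code says so: a later cleanup could move `qdisc_tree_reduce_backlog(sch, 1, pkt_len);` back above `sch->q.qlen--;` without noticing. Add a short comment above the call stating that it inspects sch->q.qlen to decide whether to notify the parent, so the local counters must be updated first. It would also be worth checking whether the other qdisc_tree_reduce_backlog() callers follow the same order; that cannot be judged from this hunk.
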

From patchwork Sun Jan 26 04:12:24 2025
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 13950567
X-Patchwork-Delegate: kuba@kernel.org
From: Cong Wang
To: netdev@vger.kernel.org
Cc: jhs@mojatatu.com, jiri@resnulli.us, quanglex97@gmail.com, mincho@theori.io, Cong Wang
Subject: [Patch net v2 4/4] selftests/tc-testing: add a test case for qdisc_tree_reduce_backlog()
Date: Sat, 25 Jan 2025 20:12:24 -0800
Message-Id: <20250126041224.366350-5-xiyou.wangcong@gmail.com>
In-Reply-To: <20250126041224.366350-1-xiyou.wangcong@gmail.com>
References: <20250126041224.366350-1-xiyou.wangcong@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Cong Wang

Integrate the test case provided by Mingi Cho into TDC.

All test results:

1..4
ok 1 ca5e - Check class delete notification for ffff:
ok 2 e4b7 - Check class delete notification for root ffff:
ok 3 33a9 - Check ingress is not searchable on backlog update
ok 4 a4b9 - Test class qlen notification

Cc: Mingi Cho
Signed-off-by: Cong Wang
---
 .../tc-testing/tc-tests/infra/qdiscs.json | 34 ++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json b/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json index d3dd65b05b5f..9044ac054167 100644 --- a/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json +++ b/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json @@ -94,5 +94,37 @@ "$TC qdisc del dev $DUMMY ingress", "$IP addr del 10.10.10.10/24 dev $DUMMY" ] - } + }, + { + "id": "a4b9", + "name": "Test class qlen notification", + "category": [ + "qdisc" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "$IP link set dev $DUMMY up || true", + "$IP addr add 10.10.10.10/24 dev $DUMMY || true", + "$TC qdisc add dev $DUMMY root handle 1: drr", + "$TC filter add dev $DUMMY parent 1: basic classid 1:1", + "$TC class add dev $DUMMY parent 1: classid 1:1 drr", + "$TC qdisc add dev $DUMMY parent 1:1 handle 2: netem", + "$TC qdisc add dev $DUMMY parent 2: handle 3: drr", + "$TC filter add dev $DUMMY parent 3: basic action drop", + "$TC class add dev $DUMMY parent 3: classid 3:1 drr", + "$TC class del dev $DUMMY classid 1:1", + "$TC class add dev $DUMMY parent 1: classid 1:1 drr" + ], + "cmdUnderTest": "ping -c1 -W0.01 -I $DUMMY 10.10.10.1", + "expExitCode": "1", + "verifyCmd": "$TC qdisc ls dev $DUMMY", + "matchPattern": "drr 1: root", + "matchCount": "1", + "teardown": [ + "$TC qdisc del dev $DUMMY root handle 1: drr", + "$IP addr del 10.10.10.10/24 dev $DUMMY" + ] + } ]
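
Review bot: In test a4b9, the verification (`"verifyCmd": "$TC qdisc ls dev $DUMMY"` matching `drr 1: root` once) only confirms that the root qdisc is still listed after the ping, which holds whether or not the class was notified; a test named "Test class qlen notification" therefore passes on any kernel that does not crash. If the intent is to catch the use-after-free through a crash or a sanitizer report, state that in the commit message together with the kernel configuration it needs; otherwise verify something that reflects the qlen state, such as the `$TC -s` class or qdisc statistics.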