From patchwork Tue Feb 4 00:58:38 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cong Wang X-Patchwork-Id: 13958490 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 44A5325A62E for ; Tue, 4 Feb 2025 00:59:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738630746; cv=none; b=IOsfVyJMk1hLohA1c41+cNjA57zQbNZ0tzHC0mWEOSx8BbaSudcBvx6uC3VUcOqov8Cw4FLrC8Xxcdj2Jgw/GTDzxcMc3skcA8FE9XYsIsSzEserKW1fEmcwY33MDYWFzjS/n0tuUhldZYcoO/1oXFQfyueNwK4amwC/4SjNN24= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738630746; c=relaxed/simple; bh=anoltY1dt2zdHmqFufXxFhRD8xWvdz3bpxvr6vuDGaw=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=D+eLJy3HTLIJRAhJPj+KCbqINrMGe6rn1qP5fGYqZS2hKs8V1Iej+G9TeUwFKPxh5pkrSMT/aY7xeBEY3vZpPEx8xA7LJcOJdqzGyoyZiTDjUnvDTUSb0MllKfgTT2804Gz32yosVEg56n56SVmfK7e1a6UZ5hF5jnV4SQ1mE+E= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=UxPOVAZf; arc=none smtp.client-ip=209.85.216.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="UxPOVAZf" Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-2efded08c79so6639808a91.0 for ; Mon, 03 Feb 2025 16:59:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738630744; x=1739235544; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=J2x4uGypj2tYHXP5qRBhHFx0rQU2vkozD96rA0y9ykI=; b=UxPOVAZfFUuCKMFWWF357oVBFCqY9vNnToWGWKcfqjp/CGV7v2/dIO/KV6gtcUJnvl FultdujS2zOI+C+fItJdjR3Kou/vr3njInXo8In9VHG0kHebaH4TlRsv/zhlTZjHJpsB /x6xxChScPJsyDDYKr6nBGBxxlz9lPihvu99LRaiaIsR56nvQWqzGh2K0CPYMKpkHWmA zxenBk5gRHrg9Ig0fvD1IRD0ru6/e1DVJM9HAI5VJm4OqpKeJVg54IsafjD+PCXOSZyX D33q0aD1pTLTGQj3TCRj7AaYBwGqnjcEv2gdSW34RbZrLUu3NxHS7VBNyB+a3/9CXaTT TT/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738630744; x=1739235544; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=J2x4uGypj2tYHXP5qRBhHFx0rQU2vkozD96rA0y9ykI=; b=ve42qm1XQWUkC6MNVDSjDQQf1nRJGIFLzdd17VOQ7P74Y/BI2EGUjMzBpqUZ+IUvDD ZJY5x1vzs7eZaja7GMjCEn5Sk/tyTEChgXb92ilAdPskrViWxYJfdXHK1bSvEy8fnejo 7UZo4nML0VJ+kAHCfUih3Dqcdxo0cTA09Zj2G8jJU/NwApuFpGoYjnL3HX8Y6bukPUTN j9gqs0bOwXHYo24MYrsDrrgUDWoVxNhULSe3Rt7ieucLDXOwS6byWCwoR8F9jc0rcsxq 5RywRl3kOc20csRzC8zVWe7iNu6721nOiMt3nJBqgR7aPFfYTtmKR8CyYTbaw8ENLwpg wXlg== X-Gm-Message-State: AOJu0YxKIeTQKiU+EKWsj9P9acwm4YuPqxbuGQQzZSB9KEaxqkLVvR4k Jzfk7EF3HANX8xmRo08J5DjAZ6hKaPy33a/+lpJlXQQzk2qfOyNkFshbGQ== X-Gm-Gg: ASbGncvgRsl9jSELlLySpYweRnjBWvf4hG9QLYqvHGhXK/C+BsMRjrrDXB0FwkrlePt Trr29vhBOTic1Xz2Pd4kmyKGvlPwouQIKyNOya35Dh5dU5I3udEFMuF6o9JMICkie4+jfxqyTYC 89dcBdUjgqwSK9aJFclqpOZ46JP+7NhhZj25S5tFEhnNw8A8C0Ii8ousovqpZTMlyfvmyuLIDX8 xGBE82dTUtk+CaqLyy8KoOXy6cgU5m8M5ORhLXKwZ9XT+vmI1UArTI04wKntYQ5dbG7v9eYrZGG TzZiCMAT/zmi6UU/p2KUrASlnVcZRhnleoZX7+t39wHW X-Google-Smtp-Source: AGHT+IG/4XUs9Hr3JIgSaxOFu0jTWkd13hxm9uciAa8Z9c0lafJm/+vxAN1MNd6asRkS/r5YDo01jw== X-Received: by 2002:a05:6a00:3a0f:b0:71e:e4f:3e58 with SMTP id d2e1a72fcca58-72fd0c623ccmr32823860b3a.17.1738630743972; Mon, 03 Feb 2025 16:59:03 -0800 (PST) Received: from pop-os.hsd1.ca.comcast.net ([2601:647:6881:9060:90d2:24fd:b5ba:920d]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72fe6427b95sm9207069b3a.49.2025.02.03.16.59.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Feb 2025 16:59:03 -0800 (PST) From: Cong Wang To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, jiri@resnulli.us, pctammela@mojatatu.com, mincho@theori.io, quanglex97@gmail.com, Cong Wang Subject: [Patch net v3 1/4] pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Date: Mon, 3 Feb 2025 16:58:38 -0800 Message-Id: <20250204005841.223511-2-xiyou.wangcong@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250204005841.223511-1-xiyou.wangcong@gmail.com> References: <20250204005841.223511-1-xiyou.wangcong@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Quang Le Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable. Fixes: f70f90672a2c ("sched: add head drop fifo queue") Reported-by: Quang Le Signed-off-by: Quang Le Signed-off-by: Cong Wang --- net/sched/sch_fifo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c index b50b2c2cc09b..e6bfd39ff339 100644 --- a/net/sched/sch_fifo.c +++ b/net/sched/sch_fifo.c @@ -40,6 +40,9 @@ static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc *sch, { unsigned int prev_backlog; + if (unlikely(READ_ONCE(sch->limit) == 0)) + return qdisc_drop(skb, sch, to_free); + if (likely(sch->q.qlen < READ_ONCE(sch->limit))) return qdisc_enqueue_tail(skb, sch); From patchwork Tue Feb 4 00:58:39 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cong Wang X-Patchwork-Id: 13958491 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5ABAA78F2F for ; Tue, 4 Feb 2025 00:59:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738630747; cv=none; b=E2SSXZmKyVYxsNeVsSpf4XRjmktXLHQKhCyBvbHRCz0jhkNMiMKuNAPVj2wTmHeUohasJpSS3vAZbtetoG1vfNARU2DWP8m1k/H7pIY487KLKFOg166+t8i0mpkVRjKWBjaWtL/74APXlE3ybr+szCwJABVHG33QribrYEQTNYM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738630747; c=relaxed/simple; bh=ArLfJitmVTdKGDLSHh6AyhH40WuhJrWZODXLjS+1+BA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=rRmOgZ5Drq8E5nYZcbgi1I7QrzF3xgnXWn3D6JRuoiLM58GrbcHz63wTA/dcoXJ4TmXSUD5/3HxGpdlcNNF3Lh6JKr4w1ukhaatvU8yiYjzv4xmhKavo0DOOAj2joLRY/kjRXyAgEKIy7VzbjQ9m2ylUtIqSNHriXfN+kufX7Rs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=HYim8cxb; arc=none smtp.client-ip=209.85.214.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="HYim8cxb" Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-219f8263ae0so92288085ad.0 for ; Mon, 03 Feb 2025 16:59:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738630745; x=1739235545; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=bwZdkONGM82odxcc95TW8vrlHy1uQ8qkE12CRIwnO+Q=; b=HYim8cxbqgDAiebcq9Zrh62JL4Lbh07XPAWYLEduavDO8YMVmwhWqD5g2wLh7eI/fX Tf+n6uoT+0WZfX7fVyFjIZC0JF25lN3L7T1nj2yXRWHRAx2xCmkM7GyMOsk/Hv0rqq9C zXh8vwi6EObk7yVzIWeBZkJ1T9DfDsdgRmPkr79e5wu0htEit7UF1xcl87B7pnzVzBJ7 V4fEEk+7YoAyNIZhlB9BKhGk4IBoWcIiYj4B3bxppnGc0MvOzRj4xXqpBeksFr4rHHV7 lxuCZvGYERSsV8syRD1gXnorGvwK5nOqci2/n0PT6GSpDplJNNT20M6ZP/FVcit+DHAX SIUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738630745; x=1739235545; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bwZdkONGM82odxcc95TW8vrlHy1uQ8qkE12CRIwnO+Q=; b=t+knI8yW9I423rwq3AUu21r5Q4JMxEzP2CZb4zxlkxBp7yrcKp381svkaajqb9JREM jRLmgnhuKW8Y6asZYOxwujGB++s4f2LVX/ksNwD4M/VupXoZ3b6mAf5VI4pjIEDn/rTp OL4GIggKDRgJsFlG5vo0jFMu+2mGWCxYgR8013+KuxrvCnRyk2oZpccuhNo2yKoc1IvX JbkA2USjNKEYGtIhnZpwJFjjh60J/tJlCQCYxMjZRT4gAeoc1dEdb5CN1KMeF2fVlzAK v0hNMEWAKMv6pPu0VqsVAOW/ZxDMGA0mNNWfV+vw9WcmevQ7segIG48EIinmVYPDycWA wwcQ== X-Gm-Message-State: AOJu0Yx2aIrQHp0JEJXgLEN+ZNPxtNkJdAMm+VjFYGZsuOFDO0VOWKUW KOvy0ogoSTpSvU/M7DOJunzCiuWCPdUTQxKeaDmMsJokSiEdpXXsGDA8PQ== X-Gm-Gg: ASbGncsoGR7vzQxtZwE6QYZvdjL4X96u4yRPm4gUXwrXGWcDyVygMKIer+wsClyTElc 3O4bntGHFlyo9EZ9LHi8V7v7CaQWfyHRjiKlhHYb/V5G4Fufr4JOiExaPlkBt9fitRdqLesgHbv NK/4adBi1j9xNCKge+Haj7YhY4xoKCjb8NS1Yo4jTA436lcj7+2X49al+VhHTPnWRC4bWTYvBqj OaZrYadIicgwjxiJaXVed2TAvLn5PGrfaTDcZCNEl8+zPd/8At/aAJg7ga8KkI8RS49XN599ngV E85RXx7FhDysW3UtGuT75h4W9vfY916o/6JGfxp74El9 X-Google-Smtp-Source: AGHT+IGrwKYZNz11seBoWT8+i2GpFIqE/gyq7jMuAMPqFOhhE/f2TpL17ARcFUJBrMDtAzelbX7dMg== X-Received: by 2002:a05:6a00:a89:b0:725:b4f7:378e with SMTP id d2e1a72fcca58-72fd0960665mr34340935b3a.0.1738630745248; Mon, 03 Feb 2025 16:59:05 -0800 (PST) Received: from pop-os.hsd1.ca.comcast.net ([2601:647:6881:9060:90d2:24fd:b5ba:920d]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72fe6427b95sm9207069b3a.49.2025.02.03.16.59.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Feb 2025 16:59:04 -0800 (PST) From: Cong Wang To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, jiri@resnulli.us, pctammela@mojatatu.com, mincho@theori.io, quanglex97@gmail.com, Cong Wang Subject: [Patch net v3 2/4] selftests/tc-testing: Add a test case for pfifo_head_drop qdisc when limit==0 Date: Mon, 3 Feb 2025 16:58:39 -0800 Message-Id: <20250204005841.223511-3-xiyou.wangcong@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250204005841.223511-1-xiyou.wangcong@gmail.com> References: <20250204005841.223511-1-xiyou.wangcong@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Quang Le When limit == 0, pfifo_tail_enqueue() must drop new packet and increase dropped packets count of the qdisc. All test results: 1..16 ok 1 a519 - Add bfifo qdisc with system default parameters on egress ok 2 585c - Add pfifo qdisc with system default parameters on egress ok 3 a86e - Add bfifo qdisc with system default parameters on egress with handle of maximum value ok 4 9ac8 - Add bfifo qdisc on egress with queue size of 3000 bytes ok 5 f4e6 - Add pfifo qdisc on egress with queue size of 3000 packets ok 6 b1b1 - Add bfifo qdisc with system default parameters on egress with invalid handle exceeding maximum value ok 7 8d5e - Add bfifo qdisc on egress with unsupported argument ok 8 7787 - Add pfifo qdisc on egress with unsupported argument ok 9 c4b6 - Replace bfifo qdisc on egress with new queue size ok 10 3df6 - Replace pfifo qdisc on egress with new queue size ok 11 7a67 - Add bfifo qdisc on egress with queue size in invalid format ok 12 1298 - Add duplicate bfifo qdisc on egress ok 13 45a0 - Delete nonexistent bfifo qdisc ok 14 972b - Add prio qdisc on egress with invalid format for handles ok 15 4d39 - Delete bfifo qdisc twice ok 16 d774 - Check pfifo_head_drop qdisc enqueue behaviour when limit == 0 Signed-off-by: Quang Le Signed-off-by: Cong Wang --- .../tc-testing/tc-tests/qdiscs/fifo.json | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fifo.json b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fifo.json index ae3d286a32b2..6f20d033670d 100644 --- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fifo.json +++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fifo.json @@ -313,6 +313,29 @@ "matchPattern": "qdisc bfifo 1: root", "matchCount": "0", "teardown": [ + ] + }, + { + "id": "d774", + "name": "Check pfifo_head_drop qdisc enqueue behaviour when limit == 0", + "category": [ + "qdisc", + "pfifo_head_drop" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "$IP addr add 10.10.10.10/24 dev $DUMMY || true", + "$TC qdisc add dev $DUMMY root handle 1: pfifo_head_drop limit 0", + "$IP link set dev $DUMMY up || true" + ], + "cmdUnderTest": "ping -c2 -W0.01 -I $DUMMY 10.10.10.1", + "expExitCode": "1", + "verifyCmd": "$TC -s qdisc show dev $DUMMY", + "matchPattern": "dropped 2", + "matchCount": "1", + "teardown": [ ] } ] From patchwork Tue Feb 4 00:58:40 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cong Wang X-Patchwork-Id: 13958492 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2C04C8632D for ; Tue, 4 Feb 2025 00:59:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738630749; cv=none; b=lCzwoNI6hLVEiCNuMLAHpKsZ23YCXqly8nv+Ov9A/WhAjqPt8vOv0k6p2ScticK2wAuRoxg/puEq55VoyPrHGywaeaa5sMUViWFzIDkzFtE3ZGAJOCM6TQ16uZJR8tD+oWRD4PX5MckgvGxUMO8Ip+4l1CgbXCD9oQimFblqfYM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738630749; c=relaxed/simple; bh=WSA/PFv9lltq0hzEePygiTxz7Ki3MUarpLezLjBVZPY=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=akcTRFjgNVotUTLNl56jafNH2kos2oFJVmjby+kHDOBOrgM1OQF4RzIF+bYFqmBlMxN4TBMMmm8pBFMXSyWK6O75fdLJ1sXFklejUZ34FIpXgHVduwW6MwGonxrmbUKYNVnweuKuB5sU8YSr/jDYcGtpvObFK2II/3mbECazmwA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=gzqMIW87; arc=none smtp.client-ip=209.85.214.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="gzqMIW87" Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-21619108a6bso84499165ad.3 for ; Mon, 03 Feb 2025 16:59:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738630747; x=1739235547; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=g4j+qmqoQwY09I8DP4lfGxeBXOY3+ArSp5V1tfcv07o=; b=gzqMIW873Rd1phu1kqWVQr5+c+QZraICPDblIx/1rJ83NCdvB0yFxotAzkbHW/Fr+w kYj5/z33czIxRM2dOnVeGc2HyJgNazq8PDHGvb9FWRLoqjG+fQJGI7apO1F/NA6cJh/p yACX/c8sizIWJSxfoTGVW/jEvnBpV8mWgsY9wxThuZYg0Pv7EPuxMThvzad8CVdyh84w b52tipPsUImlwg4D3OS4juDsavG1RbWjbqdVbUdhDGqLKbsjZe86MzHSECDG0ggqnxYu 5sVJfcpSXv4QdtGK2wbn3CNLyle6I4RCcwsAI/cszAKD1Rrc5xjCQr+suJ1rnTW1CvhW wrPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738630747; x=1739235547; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=g4j+qmqoQwY09I8DP4lfGxeBXOY3+ArSp5V1tfcv07o=; b=WDk0C/stR76X81ugbv6SyIZG8cBiZYd6YTbjlvdgw2AOJGABDkXV3u6xOFEbStAbgK CpswCNTS46zGfNN6ADTfxX/yzzvRUio+mUtrmSVUpc4vB/Mx0Y3QQoi18o26dfvZ/73i NBmr11GBzF9QrQwOYCSaDO6kpeuQmiwBKe7aqfERLmCL/eaOUgGOlMxACtmB7lAha34B 7gvEqyXIdzn3CM4s7osjajQ2UBshk240kP+0wgO1xTQ9qrSXHZ3KaM+X9upyckLqz3nh sLv/WyELEfUcUTncAIjhGlL0suReRAUW6Z284mwK84nz0E2RPI04yxQHogN5xZPn8UOe yCOw== X-Gm-Message-State: AOJu0YwqbCMcKaTSqinDhQFQPZSpIIz2D3D7GfO2/4DNqEsIPtB14fkn DcDt0idvl9Oo8/GlgRzjZ5SnwXTbIxV+EsM9cZhXYH8kfvlO3DSociAASQ== X-Gm-Gg: ASbGncsAgjR3MTpkwi9yY0J6HQdMB75UtQNNevc3NlS7DyKG7YjsSpgl4iMyuCHc3Yl 50pmYbExyqIWAB81mlGPoKWOcOlxelsLtrwTBk6zFVExAKqzizmPV/kSae+GMzU0vntbB7Pa3KE ZGZcrQ5d9Gzk2UdiSjnGf9QC+QnxTEo1jVWdaRtC7NtfgeWzfNG/jwWbDCB+cNGw4O5CXM5/sYI 4Ailvj4OdcfXsHlaIo/XFlJFMdxisOYqU2eUmeeTWzZjPiNCuPASGTn9Fc3UD0NT2g/sdigpGTR dkw3Ln8M+X6gI+sI00pOlDFQB8K2V66C08/70U3Xw0yC X-Google-Smtp-Source: AGHT+IEPSEN3Ay1LnZn9qzmdlGMWV24D18lyhnzc5mqPN9JXMqRE8Wis4Flm/qRWlgo1GSIW//35Iw== X-Received: by 2002:a05:6a00:2917:b0:72f:59d8:43ed with SMTP id d2e1a72fcca58-72fd0c0b851mr30022584b3a.14.1738630747033; Mon, 03 Feb 2025 16:59:07 -0800 (PST) Received: from pop-os.hsd1.ca.comcast.net ([2601:647:6881:9060:90d2:24fd:b5ba:920d]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72fe6427b95sm9207069b3a.49.2025.02.03.16.59.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Feb 2025 16:59:06 -0800 (PST) From: Cong Wang To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, jiri@resnulli.us, pctammela@mojatatu.com, mincho@theori.io, quanglex97@gmail.com, Cong Wang , Martin Ottens Subject: [Patch net v3 3/4] netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() Date: Mon, 3 Feb 2025 16:58:40 -0800 Message-Id: <20250204005841.223511-4-xiyou.wangcong@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250204005841.223511-1-xiyou.wangcong@gmail.com> References: <20250204005841.223511-1-xiyou.wangcong@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Cong Wang qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list. Fixes: f8d4bc455047 ("net/sched: netem: account for backlog updates from child qdisc") Cc: Martin Ottens Reported-by: Mingi Cho Signed-off-by: Cong Wang --- net/sched/sch_netem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c index 71ec9986ed37..fdd79d3ccd8c 100644 --- a/net/sched/sch_netem.c +++ b/net/sched/sch_netem.c @@ -749,9 +749,9 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) if (err != NET_XMIT_SUCCESS) { if (net_xmit_drop_count(err)) qdisc_qstats_drop(sch); - qdisc_tree_reduce_backlog(sch, 1, pkt_len); sch->qstats.backlog -= pkt_len; sch->q.qlen--; + qdisc_tree_reduce_backlog(sch, 1, pkt_len); } goto tfifo_dequeue; } From patchwork Tue Feb 4 00:58:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cong Wang X-Patchwork-Id: 13958493 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 656D378F2F for ; Tue, 4 Feb 2025 00:59:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738630750; cv=none; b=aMSTXDBFTUC0kNgK2ejOwjqmWc4iWkGtB7wtLVtbae2cEHwswQx7dYuSWq88SDfGag8te2LbRSKxaWNAwdlp+3Cb3YCVxW8ajEo/Zdpan9e8L1Pqiyrg6MBraq7QEgxLrCqGa6YdR9hyPMNYJqll2dPZOqCsVDQrmcEXeqNJYAY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738630750; c=relaxed/simple; bh=LWgxvj/KN59RqGC2OzK72Rk7dSY8bsknwV4JHD+nX5I=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=o/sQTVViPpLgjhOH19DYVHum8wxWvHp29fudhGQPN9SLsmwclsrwuH6Oslzd6VPxm+PatxOUP8BvFes30WwHtfT5IHIywwFe0J4n11e7KcJUKgkcrpxUMEAlgwEtVY/ZG2U/R51n/+Q+r0qSpNWVTromdWn6reRTc5r0C6z3U4U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Ba6uiDza; arc=none smtp.client-ip=209.85.214.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Ba6uiDza" Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-2165448243fso96838415ad.1 for ; Mon, 03 Feb 2025 16:59:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738630748; x=1739235548; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=odZxDNANPjw9aQ1OR267U96V34DuukeaJXbQIgo9WJg=; b=Ba6uiDzajcn5bEf0NwUwDzUGz4DLFfvpK5QXD8zoOhEKJYwTuhP/xypPpqL9uQDY0z 33irYmUh8W/sINF17FR9rbWx1l3SoDZV2EbsQPUvRw6s4zlnsO1ZoOcv6eUZnwkP8fRh xJi4oTw4nnax0lX42MFlFHBFzJTxnfGvaPBCQHN84p0bx1fPPAvEwqdyaeWuARbtdtWi lVfAxB+XLP1jc0FNQHAVWgv59gsYH5MIgK7vo5ZaSxQgJZyoSGTGbcAzQ06mBWbi9bmE KhQGmvsl64/9F52LhqhCMM+pc3v6yYUnWmnQb0CrKP3ye+OEPQ1+ZDsS1gzwFbNzlFBw h50Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738630748; x=1739235548; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=odZxDNANPjw9aQ1OR267U96V34DuukeaJXbQIgo9WJg=; b=j53kjPJyVU7jhBOdo0BqIXyvuOQBpeMF5JxZyPH8Haz0BhLhVgZZSCrPxKB/VElA2+ HCB2+bAB/hx1AI8lw3rt3WCuzl230DctpHgTujzy72YEnTs8+ZNmngBj3qIk8+vARwWq oPcTxEuHSKWgQCYf5p5gP9kVM1pb+sFbztuqQT9HMwYIuBlSsvw7fPNRhp7UZ1ZHTZpm 0SVd+kIfehBwPbs7+3x1RaNIqAsKE99tQ7fofCVaowSHqMJFsELIl5Eh7D+qF+5+ewMX Ellmhvddhaps9C4d+dARQ0aNGL07LxgV1fzdD6ubzf4oM1Qq119QC8H2SeP3IMORcq+3 V6Dw== X-Gm-Message-State: AOJu0YxhiCDFZTSLkm44N6l7eK2MrlYCoZa9M1oR3yQtauLtzX5rHmmO H9unHBUBwGWlzGqKxqh6eevXqlxz786Vdw/IPsf/PV07yo+DTjIQu6cF8A== X-Gm-Gg: ASbGnct3nryEvSNzMmQBDsR+/ikWxncNC9u2CO4cZFgUWR1Z6wJWSwnz7BFTKoXNedQ U0I2xNSD303w8l6kAUYhL4xYLEwS0A9ayWFZX/3UmdyT7UC/LVqb0hFUQkjCrFeBQxB2Z82YzPU OwEi/OovKRDNglmwiVS5Fe8AaQOsC931bDvWra+ZSmOErIgehuU5BCAZWDqRD/LiElVIKUQ3k5V PQzutE57JPyjgyl0ytMtoK5h5MWI6UBLcukOd3Pg3Bxl601zaLaIM7dY+yY/hKUoO49mIX5vXQe YiUyOCLKM1NV2aLReez4FQiY+yL17tcxMRvks5YF93aS X-Google-Smtp-Source: AGHT+IEYts8rmKm/Av0SFIwF3dEAW0dmW/mJI70jc2SmDm6nbtWaeZtugiMPfZ7c/gXXIu+FR2MfwQ== X-Received: by 2002:a05:6a00:218a:b0:725:eb85:f7ef with SMTP id d2e1a72fcca58-72fd0bffcf0mr31440900b3a.14.1738630748155; Mon, 03 Feb 2025 16:59:08 -0800 (PST) Received: from pop-os.hsd1.ca.comcast.net ([2601:647:6881:9060:90d2:24fd:b5ba:920d]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72fe6427b95sm9207069b3a.49.2025.02.03.16.59.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Feb 2025 16:59:07 -0800 (PST) From: Cong Wang To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, jiri@resnulli.us, pctammela@mojatatu.com, mincho@theori.io, quanglex97@gmail.com, Cong Wang Subject: [Patch net v3 4/4] selftests/tc-testing: Add a test case for qdisc_tree_reduce_backlog() Date: Mon, 3 Feb 2025 16:58:41 -0800 Message-Id: <20250204005841.223511-5-xiyou.wangcong@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250204005841.223511-1-xiyou.wangcong@gmail.com> References: <20250204005841.223511-1-xiyou.wangcong@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Cong Wang Integrate the test case provided by Mingi Cho into TDC. All test results: 1..4 ok 1 ca5e - Check class delete notification for ffff: ok 2 e4b7 - Check class delete notification for root ffff: ok 3 33a9 - Check ingress is not searchable on backlog update ok 4 a4b9 - Test class qlen notification Cc: Mingi Cho Signed-off-by: Cong Wang --- .../tc-testing/tc-tests/infra/qdiscs.json | 34 ++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json b/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json index d3dd65b05b5f..9044ac054167 100644 --- a/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json +++ b/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json @@ -94,5 +94,37 @@ "$TC qdisc del dev $DUMMY ingress", "$IP addr del 10.10.10.10/24 dev $DUMMY" ] - } + }, + { + "id": "a4b9", + "name": "Test class qlen notification", + "category": [ + "qdisc" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "$IP link set dev $DUMMY up || true", + "$IP addr add 10.10.10.10/24 dev $DUMMY || true", + "$TC qdisc add dev $DUMMY root handle 1: drr", + "$TC filter add dev $DUMMY parent 1: basic classid 1:1", + "$TC class add dev $DUMMY parent 1: classid 1:1 drr", + "$TC qdisc add dev $DUMMY parent 1:1 handle 2: netem", + "$TC qdisc add dev $DUMMY parent 2: handle 3: drr", + "$TC filter add dev $DUMMY parent 3: basic action drop", + "$TC class add dev $DUMMY parent 3: classid 3:1 drr", + "$TC class del dev $DUMMY classid 1:1", + "$TC class add dev $DUMMY parent 1: classid 1:1 drr" + ], + "cmdUnderTest": "ping -c1 -W0.01 -I $DUMMY 10.10.10.1", + "expExitCode": "1", + "verifyCmd": "$TC qdisc ls dev $DUMMY", + "matchPattern": "drr 1: root", + "matchCount": "1", + "teardown": [ + "$TC qdisc del dev $DUMMY root handle 1: drr", + "$IP addr del 10.10.10.10/24 dev $DUMMY" + ] + } ]