From patchwork Wed Apr 16 10:24:23 2025 X-Patchwork-Submitter: Victor Nogueira X-Patchwork-Id: 14053629
From: Victor Nogueira To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, toke@redhat.com, gerrard.tai@starlabs.sg, pctammela@mojatatu.com Subject: [PATCH net v2 1/5] net_sched: drr: Fix double list add in class with netem as child qdisc Date: Wed, 16 Apr 2025 07:24:23 -0300 Message-ID: <20250416102427.3219655-2-victor@mojatatu.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250416102427.3219655-1-victor@mojatatu.com> References: <20250416102427.3219655-1-victor@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of drr, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. In addition to checking for qlen being zero, this patch checks whether the class was already added to the active_list (cl_is_initialised) before adding to the list to cover for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/ Fixes: 37d9cf1a3ce3 ("sched: Fix detection of empty queues in child qdiscs") Acked-by: Jamal Hadi Salim Signed-off-by: Victor Nogueira --- net/sched/sch_drr.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c index e0a81d313aa7..b18b7b739deb 100644 --- a/net/sched/sch_drr.c +++ b/net/sched/sch_drr.c @@ -35,6 +35,11 @@ struct drr_sched { struct Qdisc_class_hash clhash; }; +static bool cl_is_initialised(struct drr_class *cl) +{ + return !list_empty(&cl->alist); +} + static struct drr_class *drr_find_class(struct Qdisc *sch, u32 classid) { struct drr_sched *q = qdisc_priv(sch); 
@@ -357,7 +362,7 @@ static int drr_enqueue(struct sk_buff *skb, struct Qdisc *sch, return err; } - if (first) { + if (first && !cl_is_initialised(cl)) { list_add_tail(&cl->alist, &q->active); cl->deficit = cl->quantum; }
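Review bot: The name `cl_is_initialised()` added in the first hunk of the drr patch does not match what it tests: `!list_empty(&cl->alist)` is true when the class is currently linked on `q->active`, not when it has been initialised. A name such as `cl_is_active()`, with a one-line comment on the reentrant case, would make the condition in `drr_enqueue()` read correctly.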
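Review bot: In the `drr_enqueue()` hunk, `!cl_is_initialised(cl)` is only a reliable guard if every path that takes the class off `q->active` leaves `cl->alist` self-linked. `list_del()` poisons the pointers, after which `list_empty()` stays false and the class would never be re-added. Please confirm that the removal paths use `list_del_init()`, and add a short comment at this check saying it covers the reentrant enqueue, as the qfq patch does with `/* cater for reentrant call */`.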
From: Victor Nogueira To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, toke@redhat.com, gerrard.tai@starlabs.sg, pctammela@mojatatu.com Subject: [PATCH net v2 2/5] net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Date: Wed, 16 Apr 2025 07:24:24 -0300 Message-ID: <20250416102427.3219655-3-victor@mojatatu.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250416102427.3219655-1-victor@mojatatu.com> References: <20250416102427.3219655-1-victor@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case). This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/ Fixes: 37d9cf1a3ce3 ("sched: Fix detection of empty queues in child qdiscs") Reported-by: Gerrard Tai Acked-by: Jamal Hadi Salim Signed-off-by: Victor Nogueira --- net/sched/sch_hfsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c index ce5045eea065..73b0741ffd99 100644 --- a/net/sched/sch_hfsc.c +++ b/net/sched/sch_hfsc.c 
@@ -1564,7 +1564,7 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free) return err; } - if (first) { + if (first && !cl->cl_nactive) { if (cl->cl_flags & HFSC_RSC) init_ed(cl, len); if (cl->cl_flags & HFSC_FSC)
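Review bot: In `hfsc_enqueue()`, `!cl->cl_nactive` now gates both `init_ed()` and the `HFSC_FSC` branch, but the context lines show `init_ed()` running for `HFSC_RSC` independently of `HFSC_FSC`. If `cl_nactive` is only raised on the FSC path, a class with only `HFSC_RSC` set would still reach `init_ed()` twice on a reentrant call and be inserted in the eltree twice. Please state in the commit message where `cl_nactive` is incremented, or guard the eltree insert on its own state. The changed line also needs a comment explaining why `first` alone is not enough.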
From: Victor Nogueira To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, toke@redhat.com, gerrard.tai@starlabs.sg, pctammela@mojatatu.com Subject: [PATCH net v2 3/5] net_sched: ets: Fix double list add in class with netem as child qdisc Date: Wed, 16 Apr 2025 07:24:25 -0300 Message-ID: <20250416102427.3219655-4-victor@mojatatu.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250416102427.3219655-1-victor@mojatatu.com> References: <20250416102427.3219655-1-victor@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of ets, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. In addition to checking for qlen being zero, this patch checks whether the class was already added to the active_list (cl_is_initialised) before doing the addition to cater for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/ Fixes: 37d9cf1a3ce3 ("sched: Fix detection of empty queues in child qdiscs") Acked-by: Jamal Hadi Salim Signed-off-by: Victor Nogueira --- net/sched/sch_ets.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c index c3bdeb14185b..af5827377ebc 100644 --- a/net/sched/sch_ets.c +++ b/net/sched/sch_ets.c 
@@ -74,6 +74,11 @@ static const struct nla_policy ets_class_policy[TCA_ETS_MAX + 1] = { [TCA_ETS_QUANTA_BAND] = { .type = NLA_U32 }, }; +static bool cl_is_initialised(struct ets_class *cl) +{ + return !list_empty(&cl->alist); +} + static int ets_quantum_parse(struct Qdisc *sch, const struct nlattr *attr, unsigned int *quantum, struct netlink_ext_ack *extack) 
@@ -436,7 +441,7 @@ static int ets_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch, return err; } - if (first && !ets_class_is_strict(q, cl)) { + if (first && !cl_is_initialised(cl) && !ets_class_is_strict(q, cl)) { list_add_tail(&cl->alist, &q->active); cl->deficit = cl->quantum; }
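Review bot: `cl_is_initialised()` in the first hunk of the ets patch is one of three copies of the same one-line helper in this series (drr, ets, qfq), differing only in the struct type. The name says "initialised" while the body tests whether `cl->alist` is linked on the active list. Consider one shared helper that takes the `struct list_head *`, or at least a name such as `cl_is_active()` used consistently in all three files.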
From: Victor Nogueira To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, toke@redhat.com, gerrard.tai@starlabs.sg, pctammela@mojatatu.com Subject: [PATCH net v2 4/5] net_sched: qfq: Fix double list add in class with netem as child qdisc Date: Wed, 16 Apr 2025 07:24:26 -0300 Message-ID: <20250416102427.3219655-5-victor@mojatatu.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250416102427.3219655-1-victor@mojatatu.com> References: <20250416102427.3219655-1-victor@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. This patch checks whether the class was already added to the agg->active list (cl_is_initialised) before doing the addition to cater for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/ Fixes: 37d9cf1a3ce3 ("sched: Fix detection of empty queues in child qdiscs") Acked-by: Jamal Hadi Salim Signed-off-by: Victor Nogueira --- net/sched/sch_qfq.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c index 687a932eb9b2..b7767b105506 100644 --- a/net/sched/sch_qfq.c +++ b/net/sched/sch_qfq.c @@ -202,6 +202,11 @@ struct qfq_sched { */ enum update_reason {enqueue, requeue}; +static bool cl_is_initialised(struct qfq_class *cl) +{ + return !list_empty(&cl->alist); +} + static struct qfq_class *qfq_find_class(struct Qdisc *sch, u32 classid) { struct qfq_sched *q = qdisc_priv(sch); 
@@ -1260,6 +1265,9 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch, == cl && cl->deficit < len) list_move_tail(&cl->alist, &agg->active); + return err; + /* cater for reentrant call */ + } else if (cl_is_initialised(cl)) { return err; }
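Review bot: In the `qfq_enqueue()` hunk the comment `/* cater for reentrant call */` sits after the added `return err;`, inside the preceding branch, where it reads as describing unreachable code. Move it into the body of `else if (cl_is_initialised(cl))`. The commit message should also say why an early return is safe here, since unlike drr and ets this guard skips whatever follows in the function rather than a single `list_add_tail()`.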
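The reentrant double add described in the drr, ets and qfq commit messages, modelled in userspace as an added example (not code from this series or from the kernel). `struct cls`, `struct sched`, `enqueue()`, `dequeue()`, `walk()` and `POISON` are hypothetical stand-ins; the list helpers mirror the kernel's link logic, and the second scenario shows why a `list_empty()` guard depends on removal reinitialising the node.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
#define POISON ((struct list_head *)0x100) /* constructed value, never dereferenced */

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev;

    n->next = head;
    n->prev = prev;
    prev->next = n;
    head->prev = n;
}

static void list_unlink(struct list_head *e, bool reinit)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    if (reinit)
        init_list_head(e);          /* list_del_init() behaviour */
    else
        e->next = e->prev = POISON; /* list_del() behaviour */
}

/* Hypothetical model types, loosely shaped like a class and its scheduler. */
struct cls { struct list_head alist; unsigned int qlen; };
struct sched { struct list_head active; bool guard; };

/*
 * Model of the parent's enqueue. `duplicate` models a netem child that
 * re-enters the parent's enqueue with a clone before queueing the original.
 */
static void enqueue(struct sched *q, struct cls *cl, bool duplicate)
{
    bool first = (cl->qlen == 0);   /* sampled before the child runs */

    if (duplicate)
        enqueue(q, cl, false);      /* reentrant call for the clone */
    cl->qlen++;                     /* child queues this packet */

    /* Without the guard, both the inner and the outer call see first == true. */
    if (first && (!q->guard || list_empty(&cl->alist)))
        list_add_tail(&cl->alist, &q->active);
}

static void dequeue(struct cls *cl, bool reinit)
{
    if (cl->qlen && --cl->qlen == 0)
        list_unlink(&cl->alist, reinit);
}

/* Entries on the list, or -1 if the walk does not get back to head. */
static int walk(const struct list_head *head, int limit)
{
    int n = 0;

    for (const struct list_head *p = head->next; p != head; p = p->next)
        if (++n > limit)
            return -1;
    return n;
}

/* One packet through a duplicating child; returns the active list length. */
int active_len_after_duplicate(bool guard)
{
    struct sched q = { .guard = guard };
    struct cls cl = { .qlen = 0 };

    init_list_head(&q.active);
    init_list_head(&cl.alist);
    enqueue(&q, &cl, true);
    return walk(&q.active, 8);
}

/* Guarded enqueue, drain, enqueue again; returns the active list length. */
int active_len_after_requeue(bool reinit)
{
    struct sched q = { .guard = true };
    struct cls cl = { .qlen = 0 };

    init_list_head(&q.active);
    init_list_head(&cl.alist);
    enqueue(&q, &cl, false);
    dequeue(&cl, reinit);
    enqueue(&q, &cl, false);
    return walk(&q.active, 8);
}

int main(void)
{
    printf("duplicate, no guard : %d\n", active_len_after_duplicate(false));
    printf("duplicate, guard    : %d\n", active_len_after_duplicate(true));
    printf("requeue, del_init   : %d\n", active_len_after_requeue(true));
    printf("requeue, plain del  : %d\n", active_len_after_requeue(false));
    return 0;
}
```

A result of -1 means the node links to itself and a traversal of the active list never returns to the head; 0 in the last case means the class was never put back on the list.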
From: Victor Nogueira To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, toke@redhat.com, gerrard.tai@starlabs.sg, pctammela@mojatatu.com Subject: [PATCH net v2 5/5] selftests: tc-testing: Add TDC tests that exercise reentrant enqueue behaviour Date: Wed, 16 Apr 2025 07:24:27 -0300 Message-ID: <20250416102427.3219655-6-victor@mojatatu.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250416102427.3219655-1-victor@mojatatu.com> References: <20250416102427.3219655-1-victor@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org Add 4 TDC tests that exercise the reentrant enqueue behaviour in drr, ets, qfq, and hfsc: - Test DRR's enqueue reentrant behaviour with netem (which caused a double list add) - Test ETS's enqueue reentrant behaviour with netem (which caused a double list add) - Test QFQ's enqueue reentrant behaviour with netem (which caused a double list add) - Test HFSC's enqueue reentrant behaviour with netem (which caused a UAF) Acked-by: Jamal Hadi Salim Signed-off-by: Victor Nogueira --- .../tc-testing/tc-tests/infra/qdiscs.json | 148 ++++++++++++++++++ 1 file changed, 148 insertions(+) diff --git a/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json b/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json index d4ea9cd845a3..19037059e9e4 100644 --- a/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json +++ b/tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json 
@@ -313,5 +313,153 @@ "$TC qdisc del dev $DUMMY handle 1: root", "$IP addr del 10.10.10.10/24 dev $DUMMY || true" ] + }, + { + "id": "90ec", + "name": "Test DRR's enqueue reentrant behaviour with netem", + "category": [ + "qdisc", + "drr" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "$IP link set dev $DUMMY up || true", + "$IP addr add 10.10.10.10/24 dev $DUMMY || true", + "$TC qdisc add dev $DUMMY handle 1:0 root drr", + "$TC class replace dev $DUMMY parent 1:0 classid 1:1 drr", + "$TC qdisc add dev $DUMMY parent 1:1 handle 2:0 netem duplicate 100%", + "$TC filter add dev $DUMMY parent 1:0 protocol ip prio 1 u32 match ip protocol 1 0xff flowid 1:1" + ], + "cmdUnderTest": "ping -c 1 -I $DUMMY 10.10.10.1 > /dev/null || true", + "expExitCode": "0", + "verifyCmd": "$TC -j -s qdisc ls dev $DUMMY handle 1:0", + "matchJSON": [ + { + "kind": "drr", + "handle": "1:", + "bytes": 196, + "packets": 2 + } + ], + "matchCount": "1", + "teardown": [ + "$TC qdisc del dev $DUMMY handle 1:0 root", + "$IP addr del 10.10.10.10/24 dev $DUMMY || true" + ] + }, + { + "id": "1f1f", + "name": "Test ETS's enqueue reentrant behaviour with netem", + "category": [ + "qdisc", + "ets" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "$IP link set dev $DUMMY up || true", + "$IP addr add 10.10.10.10/24 dev $DUMMY || true", + "$TC qdisc add dev $DUMMY handle 1:0 root ets bands 2", + "$TC class replace dev $DUMMY parent 1:0 classid 1:1 ets quantum 1500", + "$TC qdisc add dev $DUMMY parent 1:1 handle 2:0 netem duplicate 100%", + "$TC filter add dev $DUMMY parent 1:0 protocol ip prio 1 u32 match ip protocol 1 0xff flowid 1:1" + ], + "cmdUnderTest": "ping -c 1 -I $DUMMY 10.10.10.1 > /dev/null || true", + "expExitCode": "0", + "verifyCmd": "$TC -j -s class show dev $DUMMY", + "matchJSON": [ + { + "class": "ets", + "handle": "1:1", + "stats": { + "bytes": 196, + "packets": 2 + } + } + ], + "matchCount": "1", + "teardown": [ + "$TC qdisc del dev $DUMMY handle 1:0 root", 
+ "$IP addr del 10.10.10.10/24 dev $DUMMY || true" + ] + }, + { + "id": "5e6d", + "name": "Test QFQ's enqueue reentrant behaviour with netem", + "category": [ + "qdisc", + "qfq" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "$IP link set dev $DUMMY up || true", + "$IP addr add 10.10.10.10/24 dev $DUMMY || true", + "$TC qdisc add dev $DUMMY handle 1:0 root qfq", + "$TC class replace dev $DUMMY parent 1:0 classid 1:1 qfq weight 100 maxpkt 1500", + "$TC qdisc add dev $DUMMY parent 1:1 handle 2:0 netem duplicate 100%", + "$TC filter add dev $DUMMY parent 1:0 protocol ip prio 1 u32 match ip protocol 1 0xff flowid 1:1" + ], + "cmdUnderTest": "ping -c 1 -I $DUMMY 10.10.10.1 > /dev/null || true", + "expExitCode": "0", + "verifyCmd": "$TC -j -s qdisc ls dev $DUMMY handle 1:0", + "matchJSON": [ + { + "kind": "qfq", + "handle": "1:", + "bytes": 196, + "packets": 2 + } + ], + "matchCount": "1", + "teardown": [ + "$TC qdisc del dev $DUMMY handle 1:0 root", + "$IP addr del 10.10.10.10/24 dev $DUMMY || true" + ] + }, + { + "id": "bf1d", + "name": "Test HFSC's enqueue reentrant behaviour with netem", + "category": [ + "qdisc", + "hfsc" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "$IP link set dev $DUMMY up || true", + "$IP addr add 10.10.10.10/24 dev $DUMMY || true", + "$TC qdisc add dev $DUMMY handle 1:0 root hfsc", + "$TC class add dev $DUMMY parent 1:0 classid 1:1 hfsc ls m2 10Mbit", + "$TC qdisc add dev $DUMMY parent 1:1 handle 2:0 netem duplicate 100%", + "$TC filter add dev $DUMMY parent 1:0 protocol ip prio 1 u32 match ip dst 10.10.10.1/32 flowid 1:1", + "$TC class add dev $DUMMY parent 1:0 classid 1:2 hfsc ls m2 10Mbit", + "$TC qdisc add dev $DUMMY parent 1:2 handle 3:0 netem duplicate 100%", + "$TC filter add dev $DUMMY parent 1:0 protocol ip prio 2 u32 match ip dst 10.10.10.2/32 flowid 1:2", + "ping -c 1 10.10.10.1 -I$DUMMY > /dev/null || true", + "$TC filter del dev $DUMMY parent 1:0 protocol ip prio 1", + "$TC class del dev 
$DUMMY classid 1:1" + ], + "cmdUnderTest": "ping -c 1 10.10.10.2 -I$DUMMY > /dev/null || true", + "expExitCode": "0", + "verifyCmd": "$TC -j -s qdisc ls dev $DUMMY handle 1:0", + "matchJSON": [ + { + "kind": "hfsc", + "handle": "1:", + "bytes": 392, + "packets": 4 + } + ], + "matchCount": "1", + "teardown": [ + "$TC qdisc del dev $DUMMY handle 1:0 root", + "$IP addr del 10.10.10.10/24 dev $DUMMY || true" + ] } ]
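
Review bot: The HFSC case ("id": "bf1d") is the only one the commit message ties to a UAF, and it is also the only one whose "setup" sends a ping, deletes the prio 1 filter and `classid 1:1`, and only then runs "cmdUnderTest" against 1:2, yet its "name" is the same generic "enqueue reentrant behaviour with netem" as the other three and its "matchJSON" checks nothing beyond the root qdisc counters (`"bytes": 392`, `"packets": 4`). Please rename it so the class deletion after a reentrant enqueue is visible in the test name, and say in the commit message whether a regression is expected to surface as a counter mismatch or only as a KASAN report or crash, so that people running TDC know whether a KASAN-enabled kernel is needed for this case to be meaningful. In all four cases "cmdUnderTest" ends in `|| true`, so `"expExitCode": "0"` can never fail and the verdict rests entirely on "matchJSON"; that is fine for a ping that gets no reply on a dummy device, but it makes the expected counters the whole test, and the commit message should explain where 196/2 and 392/4 come from (one echo request doubled by `netem duplicate 100%`, and two such pings for HFSC) so a later change in packet size is not misread as a qdisc regression. Minor consistency points: the DRR, ETS and QFQ cases write `ping -c 1 -I $DUMMY 10.10.10.1` while the HFSC case writes `ping -c 1 10.10.10.1 -I$DUMMY`, and ETS verifies through `class show` with nested "stats" while DRR and QFQ verify through `qdisc ls ... handle 1:0`; using one form throughout would make the four cases easier to compare.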