From: Peilin Ye <yepeilin.cs@gmail.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: "David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	David Ahern <dsahern@kernel.org>,
	Jamal Hadi Salim <jhs@mojatatu.com>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>,
	Peilin Ye <peilin.ye@bytedance.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Cong Wang <cong.wang@bytedance.com>
Subject: Re: [PATCH RFC v1 net-next 1/4] net: Introduce Qdisc backpressure infrastructure
Date: Fri, 6 May 2022 16:34:43 -0700
Message-ID: <20220506233443.GA3336@bytedance>
In-Reply-To: <20220506133111.1d4bebf3@hermes.local>

Hi Stephen,

On Fri, May 06, 2022 at 01:31:11PM -0700, Stephen Hemminger wrote:
> On Fri,  6 May 2022 12:44:22 -0700, Peilin Ye <yepeilin.cs@gmail.com> wrote:
> > +static inline void qdisc_backpressure_overlimit(struct Qdisc *sch, struct sk_buff *skb)
> > +{
> > +	struct sock *sk = skb->sk;
> > +
> > +	if (!sk || !sk_fullsock(sk))
> > +		return;
> > +
> > +	if (cmpxchg(&sk->sk_backpressure_status, SK_UNTHROTTLED, SK_OVERLIMIT) == SK_UNTHROTTLED) {
> > +		sock_hold(sk);
> > +		list_add_tail(&sk->sk_backpressure_node, &sch->backpressure_list);
> > +	}
> > +}
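
Review bot: sock_hold(sk) in qdisc_backpressure_overlimit() takes a reference on skb->sk when the only check before it is sk_fullsock(), so nothing here establishes that sk_refcnt is still non-zero for an skb that is already queued. Consider taking the reference first with refcount_inc_not_zero(&sk->sk_refcnt) and returning if it fails, so that the cmpxchg() to SK_OVERLIMIT and the list_add_tail() only happen for a socket that is known to be alive. The hunk also does not say which lock protects sch->backpressure_list or where the node is unlinked and the reference dropped; a comment above the function naming both would make the lifetime rules reviewable.
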
> 
> What if socket is closed? You are holding reference but application may be gone.

Thanks for pointing this out!  I just understood how sk_refcnt works
together with sk_wmem_alloc.

By the time we process this in-flight skb, sk_refcnt may have already
reached 0, which means sk_free() may have already decreased that "extra" 1
sk_wmem_alloc, so skb->destructor() may call __sk_free() while I "hold"
the sock here.  Seems like a UAF.

> Or if output is stalled indefinitely?

It would be better to do a cleanup in sock destroying code, but I am
trying to avoid acquiring Qdisc root_lock there.  I will try to come up
with a better solution.

Thanks,
Peilin Ye
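
The lifetime problem described in the reply above, as an added example that is not part of the original message or of the kernel source: a simplified user-space C model of sk_refcnt and sk_wmem_alloc, comparing an unconditional hold with a hold that is taken only while the count is non-zero. The model_* names, hold_not_zero(), freed_under_holder() and the truesize value are constructed for illustration.

```c
#include <stdbool.h>

/* Simplified user-space model of the two counters; not kernel code. */
struct model_sock {
	int refcnt;     /* models sk_refcnt */
	int wmem_alloc; /* models sk_wmem_alloc: "extra" 1 plus in-flight skb bytes */
	bool freed;     /* set where the kernel would reach __sk_free() */
};

static void model_sock_put(struct model_sock *sk)
{
	/* Last sk_refcnt dropped: sk_free() gives up the "extra" 1. */
	if (--sk->refcnt == 0 && --sk->wmem_alloc == 0)
		sk->freed = true;
}

static void model_skb_destructor(struct model_sock *sk, int truesize)
{
	sk->wmem_alloc -= truesize;
	if (sk->wmem_alloc == 0)
		sk->freed = true;
}

/* Take a reference only if the count has not already reached zero. */
static bool hold_not_zero(struct model_sock *sk)
{
	if (sk->refcnt == 0)
		return false;
	sk->refcnt++;
	return true;
}

/* True if the sock is freed while the qdisc side believes it holds a reference. */
static bool freed_under_holder(bool use_not_zero)
{
	struct model_sock sk = { .refcnt = 1, .wmem_alloc = 1, .freed = false };
	const int truesize = 768;	/* constructed value */
	bool held = true;
	sk.wmem_alloc += truesize;	/* skb queued and charged to the sock */
	model_sock_put(&sk);		/* socket closed while the skb is in flight */
	if (use_not_zero)
		held = hold_not_zero(&sk);
	else
		sk.refcnt++;		/* unconditional hold on a count already at 0 */
	model_skb_destructor(&sk, truesize);	/* wmem_alloc hits 0: freed */
	return held && sk.freed;
}

int main(void) { return freed_under_holder(true) ? 1 : 0; }
```

In the model, the unconditional hold leaves the caller with a "reference" to a freed object, while the hold-if-nonzero variant refuses the reference and the caller can skip the socket.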
