From: Simon Horman <horms@kernel.org>
To: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: netdev@vger.kernel.org, markovicbudimir@gmail.com,
victor@mojatatu.com, pctammela@mojatatu.com, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
xiyou.wangcong@gmail.com, jiri@resnulli.us
Subject: Re: [PATCH net-n] net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
Date: Fri, 25 Oct 2024 09:58:01 +0100
Message-ID: <20241025085801.GG1202098@kernel.org>
In-Reply-To: <20241024165547.418570-1-jhs@mojatatu.com>

On Thu, Oct 24, 2024 at 12:55:47PM -0400, Jamal Hadi Salim wrote:
> From: Pedro Tammela <pctammela@mojatatu.com>
>
> In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
> to be either root or ingress. This assumption is bogus since it's valid
> to create egress qdiscs with major handle ffff:
> Budimir Markovic found that for qdiscs like DRR that maintain an active
> class list, it will cause a UAF with a dangling class pointer.
>
> In 066a3b5b2346, the concern was to avoid iterating over the ingress
> qdisc since its parent is itself. The proper fix is to stop when parent
> TC_H_ROOT is reached because the only way to retrieve ingress is when a
> hierarchy which does not contain a ffff: major handle calls into
> qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
>
> In the scenario where major ffff: is an egress qdisc in any of the tree
> levels, the updates will also propagate to TC_H_ROOT, at which point the
> iteration must stop.
>
> Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop")
> Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
> Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
> Tested-by: Victor Nogueira <victor@mojatatu.com>
> Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>

Reviewed-by: Simon Horman <horms@kernel.org>
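
The stop condition described in the quoted commit message, as an added user-space model that is not code from the patch or from the kernel: it walks a constructed two-level tree (an egress root qdisc with handle ffff: and a leaf 10: under class ffff:1) with the old "major ffff: means root or ingress" check and with the "stop at TC_H_ROOT" check. The `toy_*` names, the `notified` flag and `leaf_drops_all` are hypothetical; only the `TC_H_*` macros follow linux/pkt_sched.h.

```c
#include <stdint.h>
#include <stddef.h>

/* Handle constants as in include/uapi/linux/pkt_sched.h */
#define TC_H_MAJ(h)  ((h) & 0xFFFF0000U)
#define TC_H_ROOT    0xFFFFFFFFU
#define TC_H_INGRESS 0xFFFFFFF1U

/* Hypothetical stand-in for struct Qdisc: only what the walk needs. */
struct toy_qdisc {
    uint32_t handle;   /* 0xFFFF0000 is "ffff:" */
    uint32_t parent;   /* parent classid, or TC_H_ROOT */
    unsigned qlen;     /* packets accounted to this qdisc */
    int notified;      /* set when told that a child class went empty */
};

/* Constructed tree: egress root "ffff:" with leaf "10:" under class ffff:1 */
static struct toy_qdisc tree[2];

static struct toy_qdisc *toy_lookup(uint32_t handle) {
    for (size_t i = 0; i < 2; i++)
        if (tree[i].handle == handle)
            return &tree[i];
    return NULL;
}

/* old_check=1: stop on any ffff: major; old_check=0: stop at TC_H_ROOT only */
static void toy_reduce_backlog(struct toy_qdisc *sch, unsigned n, int old_check) {
    uint32_t parentid;
    while ((parentid = sch->parent) != TC_H_ROOT) {
        if (old_check && TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS))
            break;                      /* mistakes class ffff:1 for root/ingress */
        int child_empty = (sch->qlen == 0);
        sch = toy_lookup(TC_H_MAJ(parentid));
        if (!sch)
            break;
        if (child_empty)
            sch->notified = 1;          /* parent can drop the class from its list */
        sch->qlen -= n;
    }
}

/* The leaf drops its 3 packets and reports them upward; returns the root. */
static struct toy_qdisc *leaf_drops_all(int old_check) {
    tree[0] = (struct toy_qdisc){ 0xFFFF0000U, TC_H_ROOT, 3, 0 };
    tree[1] = (struct toy_qdisc){ 0x00100000U, 0xFFFF0001U, 0, 0 };
    toy_reduce_backlog(&tree[1], 3, old_check);
    return &tree[0];
}
```

With the old check the root keeps a stale queue length and is never told that the leaf's class emptied, which is the state the commit message ties to the dangling class pointer in qdiscs that keep an active class list.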