From: Simon Horman <horms@kernel.org>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: netdev@vger.kernel.org, jhs@mojatatu.com, jiri@resnulli.us,
	pctammela@mojatatu.com, mincho@theori.io, quanglex97@gmail.com,
	Cong Wang <cong.wang@bytedance.com>
Subject: Re: [Patch net v3 1/4] pfifo_tail_enqueue: Drop new packet when sch->limit == 0
Date: Tue, 4 Feb 2025 11:32:07 +0000
Message-ID: <20250204113207.GU234677@kernel.org>
In-Reply-To: <20250204005841.223511-2-xiyou.wangcong@gmail.com>

On Mon, Feb 03, 2025 at 04:58:38PM -0800, Cong Wang wrote:
> From: Quang Le <quanglex97@gmail.com>
> 
> Expected behaviour:
> In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a
> packet in scheduler's queue and decrease scheduler's qlen by one.
> Then, pfifo_tail_enqueue() enqueues the new packet and increases the
> scheduler's qlen by one. Finally, pfifo_tail_enqueue() returns the
> `NET_XMIT_CN` status code.
> 
> Weird behaviour:
> In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a
> scheduler that has no packet, the 'drop a packet' step will do nothing.
> This means the scheduler's qlen still has a value equal to 0.
> Then, we continue to enqueue the new packet and increase the scheduler's qlen by
> one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by
> one and return the `NET_XMIT_CN` status code.
> 
> The problem is:
> Let's say we have two qdiscs: Qdisc_A and Qdisc_B.
>  - Qdisc_A's type must have '->graft()' function to create parent/child relationship.
>    Let's say Qdisc_A's type is `hfsc`. Enqueuing a packet to this qdisc will trigger `hfsc_enqueue`.
>  - Qdisc_B's type is pfifo_head_drop. Enqueuing a packet to this qdisc will trigger `pfifo_tail_enqueue`.
>  - Qdisc_B is configured to have `sch->limit == 0`.
>  - Qdisc_A is configured to route the enqueued packet to Qdisc_B.
> 
> Enqueuing a packet through Qdisc_A will lead to:
>  - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)
>  - Qdisc_B->q.qlen += 1
>  - pfifo_tail_enqueue() returns `NET_XMIT_CN`
>  - hfsc_enqueue() checks for `NET_XMIT_SUCCESS` and sees `NET_XMIT_CN` => hfsc_enqueue() doesn't increase the qlen of Qdisc_A.
> 
> The whole process leads to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.
> Replacing 'hfsc' with another type (for example: 'drr') still leads to the same problem.
> This violates the design where the parent's qlen should be equal to the sum of its children's qlen.
> 
> Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
> 
> Fixes: f70f90672a2c ("sched: add head drop fifo queue")

Hi Cong,

Not a proper review, but I believe the hash in mainline for the cited
commit is 57dbb2d83d100ea.

> Reported-by: Quang Le <quanglex97@gmail.com>
> Signed-off-by: Quang Le <quanglex97@gmail.com>
> Signed-off-by: Cong Wang <cong.wang@bytedance.com>

...
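
The accounting mismatch described in the quoted commit message, as a user-space C model added here (not part of the thread and not kernel code). The struct, the function names and the `XMIT_DROP` return on the fixed path are assumptions of the model; the `limit == 0` check itself is the one named in the subject line.

```c
#include <stdio.h>

enum { XMIT_SUCCESS = 0, XMIT_DROP = 1, XMIT_CN = 2 }; /* mirror NET_XMIT_* */

struct model_qdisc { unsigned int limit, qlen; };       /* hypothetical model type */

/* Child before the fix: at the limit, drop the head, then enqueue anyway. */
static int child_enqueue_before_fix(struct model_qdisc *q)
{
    if (q->qlen < q->limit) { q->qlen++; return XMIT_SUCCESS; }
    if (q->qlen > 0)
        q->qlen--;      /* 'drop a packet' step: does nothing on an empty queue */
    q->qlen++;          /* the new packet is enqueued regardless */
    return XMIT_CN;
}

/* Child with the check from the subject line: limit == 0 drops the new packet. */
static int child_enqueue_fixed(struct model_qdisc *q)
{
    if (q->limit == 0)
        return XMIT_DROP;   /* assumption: reported as a drop, qlen untouched */
    return child_enqueue_before_fix(q);
}

/* Parent (hfsc/drr-like): counts the packet only when the child reports success. */
static int parent_enqueue(struct model_qdisc *parent, struct model_qdisc *child,
                          int (*child_enqueue)(struct model_qdisc *))
{
    int ret = child_enqueue(child);
    if (ret == XMIT_SUCCESS)
        parent->qlen++;
    return ret;
}

/* Parent qlen minus child qlen after n enqueues; 0 means the invariant holds. */
static int qlen_gap(unsigned int limit, int n, int fixed)
{
    struct model_qdisc parent = { 0, 0 }, child = { limit, 0 };
    for (int i = 0; i < n; i++)
        parent_enqueue(&parent, &child,
                       fixed ? child_enqueue_fixed : child_enqueue_before_fix);
    return (int)parent.qlen - (int)child.qlen;
}

int main(void)
{
    printf("limit=0 before fix: gap %d\n", qlen_gap(0, 1, 0));
    printf("limit=0 fixed:      gap %d\n", qlen_gap(0, 1, 1));
    printf("limit=1 before fix: gap %d\n", qlen_gap(1, 3, 0));
    return 0;
}
```

A non-zero gap is the parent/child qlen disagreement the commit message describes; with a non-zero limit the head-drop path keeps both counters in step.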
