From: Weiming Shi <bestswngs@gmail.com>
To: Eric Dumazet <edumazet@google.com>
Cc: security@kernel.org, davem@davemloft.net, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, xmei5@asu.edu
Subject: Re: [PATCH net] net/core: add xmit recursion limit to qdisc transmit path
Date: Tue, 3 Mar 2026 17:43:06 +0800 [thread overview]
Message-ID: <aaatKuzRBaR_cSL2@SLSGDTSWING002> (raw)
In-Reply-To: <CANn89i+mK-CqGPeW65RBeOe2R-YjqjxU9W9AGbvV1Ef+HS4DtA@mail.gmail.com>
On 26-03-03 05:30, Eric Dumazet wrote:
> On Tue, Mar 3, 2026 at 3:37 AM <bestswngs@gmail.com> wrote:
> >
> > From: Weiming Shi <bestswngs@gmail.com>
> >
> > __dev_queue_xmit() has two transmit code paths depending on whether the
> > device has a qdisc attached:
> >
> > 1. Qdisc path (q->enqueue): calls __dev_xmit_skb()
> > 2. No-qdisc path: calls dev_hard_start_xmit() directly
> >
> > Commit 745e20f1b626 ("net: add a recursion limit in xmit path") added
> > recursion protection to the no-qdisc path via dev_xmit_recursion()
> > check and dev_xmit_recursion_inc()/dec() tracking. However, the qdisc
> > path performs no recursion depth checking at all.
> >
> > This allows unbounded recursion through qdisc-attached devices. For
> > example, a bond interface in broadcast mode with gretap slaves whose
> > remote endpoints route back through the bond creates an infinite
> > transmit loop that exhausts the kernel stack:
>
> Non lltx drivers would deadlock in HARD_TX_LOCK().
>
> I would prefer we try to fix this issue at configuration time instead
> of adding yet another expensive operations in the fast path.
>
> Can you provide a test ?
>
> Thanks.
Thanks for the review. I have two follow-up questions:
1. For the configuration-time approach: the loop in this case is
formed through the routing layer (gretap remote endpoint routes
back through the bond), not through direct upper/lower device
links. Since routes can change dynamically after enslave, would
this require adding checks in all of bond_enslave(), route change,
and address change paths to be complete? I want to make sure I
understand the scope before going down that path.
2. As an alternative, would it be acceptable to move the recursion
check into the bonding driver itself (e.g., bond_start_xmit() or
bond_xmit_broadcast())? This would avoid touching the generic fast
path entirely, and since bond is LLTX, there is no HARD_TX_LOCK()
deadlock concern. It would narrowly target the driver that causes
the fan-out recursion.
Happy to respin in either direction, or explore other approaches
you have in mind.
next prev parent reply other threads:[~2026-03-03 9:43 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-03 2:29 [PATCH net] net/core: add xmit recursion limit to qdisc transmit path bestswngs
2026-03-03 4:30 ` Eric Dumazet
2026-03-03 5:06 ` Xiang Mei
2026-03-03 9:43 ` Weiming Shi [this message]
2026-03-03 10:05 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aaatKuzRBaR_cSL2@SLSGDTSWING002 \
--to=bestswngs@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=security@kernel.org \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.