[Patch net 1/4] pfifo_tail_enqueue: Drop new packet when sch->limit == 0

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Cong Wang <xiyou.wangcong@gmail.com>
To: netdev@vger.kernel.org
Cc: jhs@mojatatu.com, jiri@resnulli.us, quanglex97@gmail.com,
	mincho@theori.io, Cong Wang <cong.wang@bytedance.com>
Subject: [Patch net 1/4] pfifo_tail_enqueue: Drop new packet when sch->limit == 0
Date: Thu, 23 Jan 2025 22:07:37 -0800	[thread overview]
Message-ID: <20250124060740.356527-2-xiyou.wangcong@gmail.com> (raw)
In-Reply-To: <20250124060740.356527-1-xiyou.wangcong@gmail.com>

From: Quang Le <quanglex97@gmail.com>

Expected behaviour:
In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a
packet in scheduler's queue and decrease scheduler's qlen by one.
Then, pfifo_tail_enqueue() enqueue new packet and increase
scheduler's qlen by one. Finally, pfifo_tail_enqueue() return
`NET_XMIT_CN` status code.

Weird behaviour:
In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a
scheduler that has no packet, the 'drop a packet' step will do nothing.
This means the scheduler's qlen still has value equal 0.
Then, we continue to enqueue new packet and increase scheduler's qlen by
one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by
one and return `NET_XMIT_CN` status code.

The problem is:
Let's say we have two qdiscs: Qdisc_A and Qdisc_B.
 - Qdisc_A's type must have '->graft()' function to create parent/child relationship.
   Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.
 - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.
 - Qdisc_B is configured to have `sch->limit == 0`.
 - Qdisc_A is configured to route the enqueued's packet to Qdisc_B.

Enqueue packet through Qdisc_A will lead to:
 - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)
 - Qdisc_B->q.qlen += 1
 - pfifo_tail_enqueue() return `NET_XMIT_CN`
 - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.

The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.
Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem.
This violate the design where parent's qlen should equal to the sum of its childrens'qlen.

Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.

Reported-by: Quang Le <quanglex97@gmail.com>
Signed-off-by: Quang Le <quanglex97@gmail.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
---
 net/sched/sch_fifo.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c
index b50b2c2cc09b..e6bfd39ff339 100644
--- a/net/sched/sch_fifo.c
+++ b/net/sched/sch_fifo.c
@@ -40,6 +40,9 @@ static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 {
 	unsigned int prev_backlog;

+	if (unlikely(READ_ONCE(sch->limit) == 0))
+		return qdisc_drop(skb, sch, to_free);
+
 	if (likely(sch->q.qlen < READ_ONCE(sch->limit)))
 		return qdisc_enqueue_tail(skb, sch);

-- 
2.34.1

next prev parent reply	other threads:[~2025-01-24  6:07 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-01-24  6:07 [Patch net 0/4] net_sched: two security bug fixes and test cases Cong Wang
2025-01-24  6:07 ` Cong Wang [this message]
2025-01-30 11:17   ` [Patch net 1/4] pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Jamal Hadi Salim
2025-01-31 21:53     ` Cong Wang
2025-01-24  6:07 ` [Patch net 2/4] Add test case to check for pfifo_tail_enqueue() behaviour when limit " Cong Wang
2025-01-24 11:37   ` Simon Horman
2025-01-26  3:20     ` Cong Wang
2025-01-26  3:52       ` Cong Wang
2025-01-27 17:54         ` Simon Horman
2025-01-24  6:07 ` [Patch net 3/4] netem: update sch->q.qlen before qdisc_tree_reduce_backlog() Cong Wang
2025-01-24  6:07 ` [Patch net 4/4] selftests/tc-testing: add tests for qdisc_tree_reduce_backlog Cong Wang

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:b50b2c2cc09 dfblob:e6bfd39ff33 )
 OR (
bs:"[Patch net 1/4] pfifo_tail_enqueue: Drop new packet when sch->limit == 0" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250124060740.356527-2-xiyou.wangcong@gmail.com \
    --to=xiyou.wangcong@gmail.com \
    --cc=cong.wang@bytedance.com \
    --cc=jhs@mojatatu.com \
    --cc=jiri@resnulli.us \
    --cc=mincho@theori.io \
    --cc=netdev@vger.kernel.org \
    --cc=quanglex97@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).