From: Stephen Hemminger <stephen@networkplumber.org>
To: netdev@vger.kernel.org
Cc: Stephen Hemminger <stephen@networkplumber.org>
Subject: [PATCH 00/12] netem: fixes, cleanup, and selftest
Date: Fri, 13 Mar 2026 14:15:00 -0700
Message-ID: <20260313211646.12549-1-stephen@networkplumber.org>

The netem packet scheduler is widely used for network emulation but
has not gotten enough of my attention lately.

The response to CVE-2024-45016 introduced check_netem_in_tree()
which was a clear regression. It rejected valid configurations
that have worked for over a decade -- HTB or HFSC trees with netem
leaves, including examples from our own documentation. A fix that
breaks existing users to paper over a bug that only occurred with
hostile misconfiguration should never have been merged.

Several approaches to undo the damage were discussed over
the past year but none landed, and in the meantime we've
accumulated four more CVEs and user bug reports.

The kernel management style doc says "the name of the game is to
avoid having to make a decision" and to "not get ushered into a
corner from which you cannot escape." Well, four CVEs and a pile
of user bug reports later, I'm in that corner. Time to decide.

I sat down with AI (Claude), reviewed the prior discussion, and
put together a working solution. While I was at it, I had it do
a deeper analysis of sch_netem.c which turned up several additional
bugs that have been lurking for years.

The series:

  Patch 01: selftest covering basic ops, multi-netem trees,
            inner qdisc combos, and crash-resistance scenarios
            for the CVE topologies.
  Patch 02: Revert the check_netem_in_tree() restriction.
  Patch 03: Replace it with a per-CPU recursion guard -- the
            approach that was discussed but dismissed prematurely.
  Patch 04: Restructure dequeue to eliminate the re-entrancy path
            that causes HFSC eltree corruption (CVE-2025-37890,
            CVE-2025-38001).
  Patch 05: Fix probability gaps in the 4-state loss model.
  Patch 06: Fix slot delay calculation overflow for ranges > 2.1s.
  Patch 07: Include reordered packets in the queue limit check.
  Patch 08: Null-terminate the tfifo linear queue tail.
  Patch 09: Only reseed PRNG when seed is explicitly provided.
  Patch 10: Move state enums out of struct (cleanup).
  Patch 11: Remove useless VERSION string.
  Patch 12: Replace pr_info with netlink extack messages.

Patches 01-04 are the CVE-related fixes and should go to net.
Patches 05-09 are additional bug fixes.
Patches 10-12 are cleanup and could go to net-next if preferred.

Stephen Hemminger (12):
  selftests: net: add netem qdisc test
  Revert "net/sched: Restrict conditions for adding duplicating netems
    to qdisc tree"
  net/sched: netem: add per-CPU recursion guard for duplication
  net/sched: netem: restructure dequeue to avoid re-entrancy with child
    qdisc
  net/sched: netem: fix probability gaps in 4-state loss model
  net/sched: netem: fix slot delay calculation overflow
  net/sched: netem: fix queue limit check to include reordered packets
  net/sched: netem: null-terminate tfifo linear queue tail
  net/sched: netem: only reseed PRNG when seed is explicitly provided
  net/sched: netem: move state enums out of struct netem_sched_data
  net/sched: netem: remove useless VERSION
  net/sched: netem: replace pr_info with netlink extack error messages

 MAINTAINERS                          |   1 +
 net/sched/sch_netem.c                | 219 ++++----
 tools/testing/selftests/net/Makefile |   1 +
 tools/testing/selftests/net/config   |   3 +
 tools/testing/selftests/net/netem.sh | 802 +++++++++++++++++++++++++++
 5 files changed, 923 insertions(+), 103 deletions(-)
 create mode 100755 tools/testing/selftests/net/netem.sh

--
2.51.0
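
The 2.1 s limit named for patch 06, worked through as an added example (not code from this series or from sch_netem.c). It assumes the slot delay is derived as min + ((rnd * range) >> 32) from a 32-bit random value and nanosecond delays held in signed 64-bit integers; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000LL

/* Largest (max - min) range for which rnd * range still fits in s64
 * when rnd can be any 32-bit value: INT64_MAX / UINT32_MAX = 2^31 ns. */
static int64_t max_safe_range_ns(void)
{
    return INT64_MAX / (int64_t)UINT32_MAX;
}

/* Assumed pre-fix shape, evaluated in signed 64-bit arithmetic.
 * Returns 1 (and leaves *out untouched) when the product overflows,
 * 0 otherwise. The overflow is detected rather than executed because
 * signed overflow is undefined behaviour in C. */
static int slot_delay_naive(int64_t min_ns, int64_t max_ns, uint32_t rnd,
                            int64_t *out)
{
    int64_t prod;

    if (__builtin_mul_overflow((int64_t)rnd, max_ns - min_ns, &prod))
        return 1;
    *out = min_ns + (prod >> 32);
    return 0;
}

/* One way to avoid the overflow (an assumption, not necessarily what
 * the patch does): widen the intermediate product to 128 bits. */
static int64_t slot_delay_wide(int64_t min_ns, int64_t max_ns, uint32_t rnd)
{
    uint64_t range = (uint64_t)(max_ns - min_ns);

    return min_ns + (int64_t)(((unsigned __int128)range * rnd) >> 32);
}

int main(void)
{
    int64_t d = 0;

    printf("max safe range: %lld ns\n", (long long)max_safe_range_ns());
    printf("2s range overflows: %d\n",
           slot_delay_naive(0, 2 * NSEC_PER_SEC, UINT32_MAX, &d));
    printf("3s range overflows: %d\n",
           slot_delay_naive(0, 3 * NSEC_PER_SEC, UINT32_MAX, &d));
    printf("3s range, widened: %lld ns\n",
           (long long)slot_delay_wide(0, 3 * NSEC_PER_SEC, UINT32_MAX));
    return 0;
}
```

The safe bound of 2^31 ns is 2.147483648 s, which is where the "> 2.1s" figure comes from under these assumptions.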