From: Jamal Hadi Salim <jhs@mojatatu.com>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, jiri@resnulli.us,
stephen@networkplumber.org, victor@mojatatu.com,
savy@syst3mfailure.io, will@willsroot.io, xmei5@asu.edu,
pctammela@mojatatu.com, kuniyu@google.com, toke@toke.dk,
willemdebruijnkernel@gmail.com, hxzene@gmail.com,
Jamal Hadi Salim <jhs@mojatatu.com>
Subject: [PATCH net v5 4/9] net/sched: fix packet loop on netem when duplicate is on
Date: Thu, 14 May 2026 10:47:42 -0400 [thread overview]
Message-ID: <20260514144747.527175-5-jhs@mojatatu.com> (raw)
In-Reply-To: <20260514144747.527175-1-jhs@mojatatu.com>
When netem duplicates a packet it re-enqueues the copy at the root qdisc.
If another netem sits in the tree the copy can be duplicated
again, recursing until the stack or memory is exhausted.
The original duplication guard temporarily zeroed q->duplicate around
the re-enqueue, but that does not cover all cases because it is
per-qdisc state shared across all concurrent enqueue paths
and is not safe without additional locking.
Use the skb tc_depth field introduced in an earlier patch:
- increment it on the duplicate before re-enqueue
- skip duplication for any skb whose tc_depth is already non-zero.
This marks the packet itself rather than mutating qdisc state,
therefore it is safe regardless of tree topology or concurrency.
Fixes: 0afb51e72855 ("[PKT_SCHED]: netem: reinsert for duplication")
Reported-by: William Liu <will@willsroot.io>
Reported-by: Savino Dicanosa <savy@syst3mfailure.io>
Closes: https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/
Co-developed-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: William Liu <will@willsroot.io>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
---
net/sched/sch_netem.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index d97acd2f3923..17a79fe2f091 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -461,7 +461,8 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
skb->prev = NULL;
/* Random duplication */
- if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor, &q->prng))
+ if (q->duplicate && skb->tc_depth == 0 &&
+ q->duplicate >= get_crandom(&q->dup_cor, &q->prng))
++count;
/* Drop packet? */
@@ -540,11 +541,9 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
*/
if (skb2) {
struct Qdisc *rootq = qdisc_root_bh(sch);
- u32 dupsave = q->duplicate; /* prevent duplicating a dup... */
- q->duplicate = 0;
+ skb2->tc_depth++; /* prevent duplicating a dup... */
rootq->enqueue(skb2, rootq, to_free);
- q->duplicate = dupsave;
skb2 = NULL;
}
--
2.34.1
next prev parent reply other threads:[~2026-05-14 14:48 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-14 14:47 [PATCH net v5 0/9] net/sched: Fix packet loops in mirred and netem Jamal Hadi Salim
2026-05-14 14:47 ` [PATCH net v5 1/9] net: Introduce skb tc depth field to track packet loops Jamal Hadi Salim
2026-05-14 14:47 ` [PATCH net v5 2/9] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Jamal Hadi Salim
2026-05-14 14:47 ` [PATCH net v5 3/9] Revert "selftests/tc-testing: Add tests for restrictions on netem duplication" Jamal Hadi Salim
2026-05-14 14:47 ` Jamal Hadi Salim [this message]
2026-05-14 14:47 ` [PATCH net v5 5/9] net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop Jamal Hadi Salim
2026-05-14 14:47 ` [PATCH net v5 6/9] net/sched: act_mirred: Fix blockcast recursion bypass leading to stack overflow Jamal Hadi Salim
2026-05-14 14:47 ` [PATCH net v5 7/9] net/sched: act_mirred: Fix skb leak in early mirred redirect returns Jamal Hadi Salim
2026-05-14 14:47 ` [PATCH net v5 8/9] selftests/tc-testing: Add mirred test cases exercising loops Jamal Hadi Salim
2026-05-14 14:47 ` [PATCH net v5 9/9] selftests/tc-testing: Add netem test case " Jamal Hadi Salim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260514144747.527175-5-jhs@mojatatu.com \
--to=jhs@mojatatu.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=hxzene@gmail.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pctammela@mojatatu.com \
--cc=savy@syst3mfailure.io \
--cc=stephen@networkplumber.org \
--cc=toke@toke.dk \
--cc=victor@mojatatu.com \
--cc=will@willsroot.io \
--cc=willemdebruijnkernel@gmail.com \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox