Netdev List
 help / color / mirror / Atom feed
* [PATCH net 0/3] Fix broken TC_ACT_REDIRECT from qdiscs
@ 2026-06-30 12:33 Daniel Borkmann
  2026-06-30 12:33 ` [PATCH net 1/3] bpf: Reject redirect helpers without a bpf_net_context Daniel Borkmann
                   ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Daniel Borkmann @ 2026-06-30 12:33 UTC (permalink / raw)
  To: kuba; +Cc: pabeni, jhs, bigeasy, andrii, memxor, bpf, netdev

This is an alternative fix to [0] in order to not uglify
__dev_queue_xmit() with sprinkled ifdefs given this can be
simplified and isolated through a simple test into the BPF
redirect helper itself.

I've also added a proper BPF selftest, so there is no need
to check-in a binary BPF object into selftests given we do
have BPF infra for all of this.

  [0] https://lore.kernel.org/netdev/20260629102157.737306-1-jhs@mojatatu.com/
  [1] https://lore.kernel.org/netdev/20260629102157.737306-4-jhs@mojatatu.com/

Daniel Borkmann (2):
  bpf: Reject redirect helpers without a bpf_net_context
  selftests/bpf: Add test for redirect from qdisc qevent block

Jamal Hadi Salim (1):
  net/sched: Handle TC_ACT_REDIRECT from qdisc filter chains

 include/net/pkt_cls.h                         |  14 ++-
 net/core/filter.c                             |  17 ++-
 net/sched/cls_api.c                           |   6 +-
 net/sched/sch_cake.c                          |   2 +-
 net/sched/sch_drr.c                           |   2 +-
 net/sched/sch_dualpi2.c                       |   2 +-
 net/sched/sch_ets.c                           |   2 +-
 net/sched/sch_fq_codel.c                      |   2 +-
 net/sched/sch_fq_pie.c                        |   2 +-
 net/sched/sch_hfsc.c                          |   2 +-
 net/sched/sch_htb.c                           |   2 +-
 net/sched/sch_multiq.c                        |   2 +-
 net/sched/sch_prio.c                          |   2 +-
 net/sched/sch_qfq.c                           |   2 +-
 net/sched/sch_sfb.c                           |   2 +-
 net/sched/sch_sfq.c                           |   2 +-
 tools/testing/selftests/bpf/config            |   1 +
 .../selftests/bpf/prog_tests/tc_qevent.c      | 113 ++++++++++++++++++
 .../selftests/bpf/progs/test_tc_qevent.c      |  23 ++++
 19 files changed, 175 insertions(+), 25 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/tc_qevent.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_tc_qevent.c

-- 
2.43.0


^ permalink raw reply	[flat|nested] 11+ messages in thread
* [PATCH net 0/3] Fix broken TC_ACT_REDIRECT
@ 2026-06-26 16:51 Jamal Hadi Salim
  2026-06-26 16:51 ` [PATCH net 2/3] net/sched: Handle TC_ACT_REDIRECT from qdisc filter chains Jamal Hadi Salim
  0 siblings, 1 reply; 11+ messages in thread
From: Jamal Hadi Salim @ 2026-06-26 16:51 UTC (permalink / raw)
  To: netdev, bpf
  Cc: davem, edumazet, kuba, pabeni, horms, toke, jiri, bigeasy,
	clrkwllms, rostedt, kuniyu, sdf.kernel, skhawaja, liuhangbin,
	krikku, mkarsten, victor, ast, hawk, john.fastabend, daniel,
	Jamal Hadi Salim

When sashiko-gemini[1] reviewed commit a8a02897f2b4
("net/sched: cls_api: Handle TC_ACT_CONSUMED in tcf_qevent_handle") it
 correctly pointed out the following:

"
This is a pre-existing issue, but does executing a redirect via a qevent
filter cause a NULL pointer dereference?
When tcf_qevent_handle() processes a TC_ACT_REDIRECT, it calls
skb_do_redirect(). This eventually calls bpf_net_ctx_get_ri() which
dereferences the task bpf_net_context:
include/linux/filter.h:bpf_net_ctx_get_ri() {
    ...
    struct bpf_net_context *bpf_net_ctx = bpf_net_ctx_get();
    if (!(bpf_net_ctx->ri.kern_flags & BPF_RI_F_RI_INIT)) {
    ...
}
Since qevents are evaluated during enqueue, which runs within
__dev_queue_xmit() after sch_handle_egress() has already executed and
cleared the bpf_net_context pointer, will this dereference a NULL pointer?
"

That issue is fixed in patch 1. See the commit log for details.

Upon further investigation it turns out that TC_ACT_REDIRECT being returned
from the egress qdiscs never actually worked. When an action returns that
code we would silently loose it and the packet will never be redirected.
After all those years, if nobody complained, my gut feel is it was never
used by anyone with serious need for it.
Patch 2 fixes it by 1) putting a warning out when someone does and 2) asking
the core to drop the packet. At least this would help whoever is
misconfiguring to diagnose the issue much faster.
I had initially attempted to "fix" this and make it work, but unfortunately
it's a bit ugly so i left i didnt think it was worth fixing

Apologies for the shotgun Cc - its what get_maintainer.pl told me to use.

[1] https://sashiko.dev/#/patchset/20260620130749.226642-1-jhs%40mojatatu.com


^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2026-07-01 15:35 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30 12:33 [PATCH net 0/3] Fix broken TC_ACT_REDIRECT from qdiscs Daniel Borkmann
2026-06-30 12:33 ` [PATCH net 1/3] bpf: Reject redirect helpers without a bpf_net_context Daniel Borkmann
2026-06-30 12:33 ` [PATCH net 2/3] net/sched: Handle TC_ACT_REDIRECT from qdisc filter chains Daniel Borkmann
2026-06-30 15:16   ` Jamal Hadi Salim
2026-06-30 15:23     ` Daniel Borkmann
2026-07-01 15:35       ` Jamal Hadi Salim
2026-06-30 12:33 ` [PATCH net 3/3] selftests/bpf: Add test for redirect from qdisc qevent block Daniel Borkmann
2026-06-30 14:37 ` [PATCH net 0/3] Fix broken TC_ACT_REDIRECT from qdiscs Sebastian Andrzej Siewior
2026-06-30 15:09   ` Daniel Borkmann
  -- strict thread matches above, loose matches on Subject: below --
2026-06-26 16:51 [PATCH net 0/3] Fix broken TC_ACT_REDIRECT Jamal Hadi Salim
2026-06-26 16:51 ` [PATCH net 2/3] net/sched: Handle TC_ACT_REDIRECT from qdisc filter chains Jamal Hadi Salim
     [not found]   ` <20260627165220.096B61F00A3A@smtp.kernel.org>
2026-06-28 12:28     ` Jamal Hadi Salim

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox