From: "Ilpo Järvinen" <ij@kernel.org>
To: "Chia-Yu Chang (Nokia)" <chia-yu.chang@nokia-bell-labs.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>,
"victor@mojatatu.com" <victor@mojatatu.com>,
"hxzene@gmail.com" <hxzene@gmail.com>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
"kees@kernel.org" <kees@kernel.org>,
"gustavoars@kernel.org" <gustavoars@kernel.org>,
"jhs@mojatatu.com" <jhs@mojatatu.com>,
"jiri@resnulli.us" <jiri@resnulli.us>,
"davem@davemloft.net" <davem@davemloft.net>,
"edumazet@google.com" <edumazet@google.com>,
"kuba@kernel.org" <kuba@kernel.org>,
"pabeni@redhat.com" <pabeni@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"horms@kernel.org" <horms@kernel.org>,
"ncardwell@google.com" <ncardwell@google.com>,
"Koen De Schepper (Nokia)"
<koen.de_schepper@nokia-bell-labs.com>,
"g.white@cablelabs.com" <g.white@cablelabs.com>,
"ingemar.s.johansson@ericsson.com"
<ingemar.s.johansson@ericsson.com>,
"mirja.kuehlewind@ericsson.com" <mirja.kuehlewind@ericsson.com>,
"cheshire@apple.com" <cheshire@apple.com>,
"rs.ietf@gmx.at" <rs.ietf@gmx.at>,
"Jason_Livingood@comcast.com" <Jason_Livingood@comcast.com>,
"vidhi_goel@apple.com" <vidhi_goel@apple.com>
Subject: RE: [PATCH v2 net 1/1] net/sched: sch_dualpi2: fix limit/memlimit enforcement when dequeueing L-queue
Date: Thu, 16 Apr 2026 22:35:41 +0300 (EEST)
Message-ID: <44dd0b98-244d-0059-9fe8-82c9f7c7ffca@kernel.org>
In-Reply-To: <PAXPR07MB7984FE65FF793F8E10F33871A3232@PAXPR07MB7984.eurprd07.prod.outlook.com>

On Thu, 16 Apr 2026, Chia-Yu Chang (Nokia) wrote:
> > -----Original Message-----
> > From: Stephen Hemminger <stephen@networkplumber.org>
> > Sent: Thursday, April 16, 2026 7:55 PM
> > To: Chia-Yu Chang (Nokia) <chia-yu.chang@nokia-bell-labs.com>
> > Cc: victor@mojatatu.com; hxzene@gmail.com; linux-hardening@vger.kernel.org; kees@kernel.org; gustavoars@kernel.org; jhs@mojatatu.com; jiri@resnulli.us; davem@davemloft.net; edumazet@google.com; kuba@kernel.org; pabeni@redhat.com; linux-kernel@vger.kernel.org; netdev@vger.kernel.org; horms@kernel.org; ij@kernel.org; ncardwell@google.com; Koen De Schepper (Nokia) <koen.de_schepper@nokia-bell-labs.com>; g.white@cablelabs.com; ingemar.s.johansson@ericsson.com; mirja.kuehlewind@ericsson.com; cheshire@apple.com; rs.ietf@gmx.at; Jason_Livingood@comcast.com; vidhi_goel@apple.com
> > Subject: Re: [PATCH v2 net 1/1] net/sched: sch_dualpi2: fix limit/memlimit enforcement when dequeueing L-queue
> >
> > On Thu, 16 Apr 2026 19:09:06 +0200
> > chia-yu.chang@nokia-bell-labs.com wrote:
> >
> > > From: Chia-Yu Chang <chia-yu.chang@nokia-bell-labs.com>
> > >
> > > Fix dualpi2_change() to correctly enforce updated limit and memlimit
> > > values after a configuration change of the dualpi2 qdisc.
> > >
> > > Before this patch, dualpi2_change() always attempted to dequeue
> > > packets via the root qdisc (C-queue) when reducing backlog or memory
> > > usage, and unconditionally assumed that a valid skb will be returned.
> > > When traffic classification results in packets being queued in the
> > > L-queue while the C-queue is empty, this leads to a NULL skb
> > > dereference during limit or memlimit enforcement.
> > >
> > > This is fixed by first dequeuing from the C-queue path if it is non-empty.
> > > Once the C-queue is empty, packets are dequeued directly from the L-queue.
> > > Return values from qdisc_dequeue_internal() are checked for both
> > > queues. When dequeuing from the L-queue, the parent qdisc qlen and
> > > backlog counters are updated explicitly to keep overall qdisc statistics consistent.
> > >
> > > Fixes: 320d031ad6e4 ("sched: Struct definition and parsing of dualpi2
> > > qdisc")
> > > Reported-by: "Kito Xu (veritas501)" <hxzene@gmail.com>
> > > Signed-off-by: Chia-Yu Chang <chia-yu.chang@nokia-bell-labs.com>
> > > ---
> >
> > I was a little concerned about the complexity of managing qlen here.
> > But could not find anything obvious.
>
> Hi Stephen,
>
> This fix relies on some existing assumptions of DualPI2.
>
> >
> > Turned to AI review and it found some things:
> >
> > Right fix direction and the reported crash is real. A few issues before this is ready:
> >
> > 1. The `c_len` construction is fragile. Declared `int`, initialized from a `u32 - u32`. If the invariant `qdisc_qlen(sch) >= qdisc_qlen(q->l_queue)` is ever violated, you get a large positive value, the C-queue branch is taken on an empty C-queue, `qdisc_dequeue_internal()` returns NULL, and the loop breaks out without draining the L-queue -- leaving the qdisc over limit. Simpler and more robust to just compare the two qlens directly and drop the delta variable entirely.
> >
>
> In current dequeue_packet() of DualPI2, we also calculate c_len via the same approach (line 524).
>
> As we only have the queue length of the L-queue and of both C- and L-queues, this is the way we derive the queue length of the C-queue.
>
> > 2. Missing else/termination. If both branches' conditions are false
> > (neither `c_len` nor `qdisc_qlen(q->l_queue)`) but the outer `while`
> > still holds because `memory_used > memory_limit`, the loop spins
> > forever. An explicit `else break;` guards against an accounting
> > desync becoming a hang.
>
> This shall not happen, but adding an extra else guard indeed is
> definitely a good suggestion.

Hi,

Maybe also add WARN_ON_ONCE() there so that such a problem would be
exposed if it ever happens.

--
i.
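
Added example, not part of this thread or of the kernel patch: a userspace C model of the limit/memlimit drain loop discussed above, comparing the two qlens directly (review point 1) and stopping with a warning when nothing can be dequeued (review point 2 plus the WARN_ON_ONCE() suggestion). The struct, the function names, the fixed packet size and the `warnings` counter are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>

#define MODEL_PKT_SIZE 100u /* constructed: every packet costs 100 bytes */

/* Userspace model, not kernel code: only the counters named in the thread. */
struct model_qdisc {
	uint32_t qlen;           /* parent qlen: C-queue plus L-queue */
	uint32_t l_qlen;         /* L-queue qlen */
	uint32_t c_pkts, l_pkts; /* packets really held in each queue */
	uint32_t limit, memory_used, memory_limit;
	unsigned int warnings;   /* stands in for WARN_ON_ONCE() */
};

/* Returns false on an empty queue or an exhausted parent counter,
 * like a NULL skb coming back from a dequeue helper. */
static bool model_dequeue(struct model_qdisc *q, bool from_l)
{
	uint32_t *pkts = from_l ? &q->l_pkts : &q->c_pkts;

	if (!*pkts || !q->qlen)
		return false;
	(*pkts)--;
	if (from_l)
		q->l_qlen--;
	q->qlen--; /* parent counter covers both queues */
	q->memory_used -= MODEL_PKT_SIZE;
	return true;
}

/* Drain until within limit and memlimit; returns packets dropped. */
uint32_t model_enforce_limits(struct model_qdisc *q)
{
	uint32_t dropped = 0;

	while (q->qlen > q->limit || q->memory_used > q->memory_limit) {
		bool ok = false;

		if (q->qlen > q->l_qlen) /* direct compare, no signed delta */
			ok = model_dequeue(q, false);
		else if (q->l_qlen)
			ok = model_dequeue(q, true);
		if (!ok) { /* nothing dequeued: warn and stop instead of spinning */
			q->warnings++;
			break;
		}
		dropped++;
	}
	return dropped;
}
```

A non-zero `warnings` after the call means the counters and the real queue contents disagreed, the condition the proposed WARN_ON_ONCE() would surface.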