* [PATCH net 1/2] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
@ 2026-02-25 13:43 Victor Nogueira
2026-02-25 13:47 ` Jamal Hadi Salim
2026-02-28 3:20 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Victor Nogueira @ 2026-02-25 13:43 UTC (permalink / raw)
To: davem, edumazet, kuba, pabeni, jhs, jiri, horms, taoliu828
Cc: netdev, pctammela, km.kim1503, stable
As Paolo said earlier [1]:
"Since the blamed commit below, classify can return TC_ACT_CONSUMED while
the current skb being held by the defragmentation engine. As reported by
GangMin Kim, if such packet is that may cause a UaF when the defrag engine
later on tries to tuch again such packet."
act_ct was never meant to be used in the egress path, however some users
are attaching it to egress today [2]. Attempting to reach a middle
ground, we noticed that, while most qdiscs are not handling
TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we
address the issue by only allowing act_ct to bind to clsact/ingress
qdiscs and shared blocks. That way it's still possible to attach act_ct to
egress (albeit only with clsact).
[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
Reported-by: GangMin Kim <km.kim1503@gmail.com>
Fixes: 3f14b377d01d ("net/sched: act_ct: fix skb leak and crash on ooo frags")
CC: stable@vger.kernel.org
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
---
include/net/act_api.h | 1 +
net/sched/act_ct.c | 6 ++++++
net/sched/cls_api.c | 7 +++++++
3 files changed, 14 insertions(+)
diff --git a/include/net/act_api.h b/include/net/act_api.h
index 91a24b5e0b93..2ba40eb45aad 100644
--- a/include/net/act_api.h
+++ b/include/net/act_api.h
@@ -70,6 +70,7 @@ struct tc_action {
#define TCA_ACT_FLAGS_REPLACE (1U << (TCA_ACT_FLAGS_USER_BITS + 2))
#define TCA_ACT_FLAGS_NO_RTNL (1U << (TCA_ACT_FLAGS_USER_BITS + 3))
#define TCA_ACT_FLAGS_AT_INGRESS (1U << (TCA_ACT_FLAGS_USER_BITS + 4))
+#define TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT (1U << (TCA_ACT_FLAGS_USER_BITS + 5))
/* Update lastuse only if needed, to avoid dirtying a cache line.
* We use a temp variable to avoid fetching jiffies twice.
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 81d488655793..7de6eb3ff53b 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -1360,6 +1360,12 @@ static int tcf_ct_init(struct net *net, struct nlattr *nla,
return -EINVAL;
}
+ if (bind && !(flags & TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT)) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "Attaching ct to a non ingress/clsact qdisc is unsupported");
+ return -EOPNOTSUPP;
+ }
+
err = nla_parse_nested(tb, TCA_CT_MAX, nla, ct_policy, extack);
if (err < 0)
return err;
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index ebca4b926dcf..8c72faf3314d 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -2228,6 +2228,11 @@ static bool is_qdisc_ingress(__u32 classid)
return (TC_H_MIN(classid) == TC_H_MIN(TC_H_MIN_INGRESS));
}
+static bool is_ingress_or_clsact(struct tcf_block *block, struct Qdisc *q)
+{
+ return tcf_block_shared(block) || (q && !!(q->flags & TCQ_F_INGRESS));
+}
+
static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
struct netlink_ext_ack *extack)
{
@@ -2420,6 +2425,8 @@ static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
flags |= TCA_ACT_FLAGS_NO_RTNL;
if (is_qdisc_ingress(parent))
flags |= TCA_ACT_FLAGS_AT_INGRESS;
+ if (is_ingress_or_clsact(block, q))
+ flags |= TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT;
err = tp->ops->change(net, skb, tp, cl, t->tcm_handle, tca, &fh,
flags, extack);
if (err == 0) {
--
2.52.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net 1/2] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
2026-02-25 13:43 [PATCH net 1/2] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Victor Nogueira
@ 2026-02-25 13:47 ` Jamal Hadi Salim
2026-02-28 3:20 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Jamal Hadi Salim @ 2026-02-25 13:47 UTC (permalink / raw)
To: Victor Nogueira
Cc: davem, edumazet, kuba, pabeni, jiri, horms, taoliu828, netdev,
pctammela, km.kim1503, stable
On Wed, Feb 25, 2026 at 8:44 AM Victor Nogueira <victor@mojatatu.com> wrote:
>
> As Paolo said earlier [1]:
>
> "Since the blamed commit below, classify can return TC_ACT_CONSUMED while
> the current skb being held by the defragmentation engine. As reported by
> GangMin Kim, if such packet is that may cause a UaF when the defrag engine
> later on tries to tuch again such packet."
>
> act_ct was never meant to be used in the egress path, however some users
> are attaching it to egress today [2]. Attempting to reach a middle
> ground, we noticed that, while most qdiscs are not handling
> TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we
> address the issue by only allowing act_ct to bind to clsact/ingress
> qdiscs and shared blocks. That way it's still possible to attach act_ct to
> egress (albeit only with clsact).
>
> [1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
> [2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
>
> Reported-by: GangMin Kim <km.kim1503@gmail.com>
> Fixes: 3f14b377d01d ("net/sched: act_ct: fix skb leak and crash on ooo frags")
> CC: stable@vger.kernel.org
> Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
cheers,
jamal
> ---
> include/net/act_api.h | 1 +
> net/sched/act_ct.c | 6 ++++++
> net/sched/cls_api.c | 7 +++++++
> 3 files changed, 14 insertions(+)
>
> diff --git a/include/net/act_api.h b/include/net/act_api.h
> index 91a24b5e0b93..2ba40eb45aad 100644
> --- a/include/net/act_api.h
> +++ b/include/net/act_api.h
> @@ -70,6 +70,7 @@ struct tc_action {
> #define TCA_ACT_FLAGS_REPLACE (1U << (TCA_ACT_FLAGS_USER_BITS + 2))
> #define TCA_ACT_FLAGS_NO_RTNL (1U << (TCA_ACT_FLAGS_USER_BITS + 3))
> #define TCA_ACT_FLAGS_AT_INGRESS (1U << (TCA_ACT_FLAGS_USER_BITS + 4))
> +#define TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT (1U << (TCA_ACT_FLAGS_USER_BITS + 5))
>
> /* Update lastuse only if needed, to avoid dirtying a cache line.
> * We use a temp variable to avoid fetching jiffies twice.
> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> index 81d488655793..7de6eb3ff53b 100644
> --- a/net/sched/act_ct.c
> +++ b/net/sched/act_ct.c
> @@ -1360,6 +1360,12 @@ static int tcf_ct_init(struct net *net, struct nlattr *nla,
> return -EINVAL;
> }
>
> + if (bind && !(flags & TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT)) {
> + NL_SET_ERR_MSG_MOD(extack,
> + "Attaching ct to a non ingress/clsact qdisc is unsupported");
> + return -EOPNOTSUPP;
> + }
> +
> err = nla_parse_nested(tb, TCA_CT_MAX, nla, ct_policy, extack);
> if (err < 0)
> return err;
> diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
> index ebca4b926dcf..8c72faf3314d 100644
> --- a/net/sched/cls_api.c
> +++ b/net/sched/cls_api.c
> @@ -2228,6 +2228,11 @@ static bool is_qdisc_ingress(__u32 classid)
> return (TC_H_MIN(classid) == TC_H_MIN(TC_H_MIN_INGRESS));
> }
>
> +static bool is_ingress_or_clsact(struct tcf_block *block, struct Qdisc *q)
> +{
> + return tcf_block_shared(block) || (q && !!(q->flags & TCQ_F_INGRESS));
> +}
> +
> static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
> struct netlink_ext_ack *extack)
> {
> @@ -2420,6 +2425,8 @@ static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
> flags |= TCA_ACT_FLAGS_NO_RTNL;
> if (is_qdisc_ingress(parent))
> flags |= TCA_ACT_FLAGS_AT_INGRESS;
> + if (is_ingress_or_clsact(block, q))
> + flags |= TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT;
> err = tp->ops->change(net, skb, tp, cl, t->tcm_handle, tca, &fh,
> flags, extack);
> if (err == 0) {
> --
> 2.52.0
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net 1/2] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
2026-02-25 13:43 [PATCH net 1/2] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Victor Nogueira
2026-02-25 13:47 ` Jamal Hadi Salim
@ 2026-02-28 3:20 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-02-28 3:20 UTC (permalink / raw)
To: Victor Nogueira
Cc: davem, edumazet, kuba, pabeni, jhs, jiri, horms, taoliu828,
netdev, pctammela, km.kim1503, stable
Hello:
This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Wed, 25 Feb 2026 10:43:48 -0300 you wrote:
> As Paolo said earlier [1]:
>
> "Since the blamed commit below, classify can return TC_ACT_CONSUMED while
> the current skb being held by the defragmentation engine. As reported by
> GangMin Kim, if such packet is that may cause a UaF when the defrag engine
> later on tries to tuch again such packet."
>
> [...]
Here is the summary with links:
- [net,1/2] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
https://git.kernel.org/netdev/net/c/11cb63b0d1a0
- [net,2/2] selftests/tc-testing: Create tests to exercise act_ct binding restrictions
https://git.kernel.org/netdev/net/c/b14e82abf78a
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-02-28 3:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-25 13:43 [PATCH net 1/2] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Victor Nogueira
2026-02-25 13:47 ` Jamal Hadi Salim
2026-02-28 3:20 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox