From patchwork Tue May 23 07:13:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peilin Ye X-Patchwork-Id: 13251583 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6538B1B8EA for ; Tue, 23 May 2023 07:13:34 +0000 (UTC) Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9DEA911A; Tue, 23 May 2023 00:13:32 -0700 (PDT) Received: by mail-qk1-x734.google.com with SMTP id af79cd13be357-75b08ceddd1so223294185a.1; Tue, 23 May 2023 00:13:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684826011; x=1687418011; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=J74j1cuX46yDfNzc3Qiq/CfJJ1yt4vs8CiBnDAgOYno=; b=E1ue/swpTD+/IRaBgRL5zqtirLR3tZAZ9mg9A+1dlhC7Jvyd7syhAfXp7E+2jeS20Z tmv0gtu8C6YVRzFZtreeUIG6UUlnetMVKfSfX8iDorSNNhvvX3hipowMBjH2zgr8Iz2K 3oY/qO2H0BOtLFQkNDC828dmLXk0tG05QcLmG92k6PwxupNhsRsphCUezdEisyjhdRu/ dpZ6hzYwOGBezF9/mXiCOp4wKIR7Wfk+s9fyHUlmcVYza0ca1frEBJ+6BpPqKdN430rB WApDLpAqlBowSp97rxxGN0mLOqCNFU0az66snKq4f7ZEeU0GpkjF1/IF1K+PeW/b9Brm IrvQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684826011; x=1687418011; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=J74j1cuX46yDfNzc3Qiq/CfJJ1yt4vs8CiBnDAgOYno=; b=OCkSFLOi823PfZWIev2m2rqz18JSLqrbb8PviQnSK9b9unisXGD6rZF3hneNfbxylo 6B4qjg3Clw1x2t1n3MKS19L9jctBC0hnAYiindv/FkEkT+h2AhSTe2rEtC7UV33QZ8rS emKPXtovzZIy/htqWEMNrzIj5bBACxjZizZBVmVvD3UqV250C6bEfyVrbPzKM2MXSB3J ifbDf605gCnUs0X9J15Hfliii2C0iWhWbe7aH1qq5FlKttLPuGGAgb8ZaM9w4Q/PRal/ pviB02MWY5PINk0f/unMtrSClNGjPT9AvRqmGCm3nR/qA017L+2SFc1bF32aZe13m0Zb xY4A== X-Gm-Message-State: AC+VfDweldg3q94mrFuT8SNKduv4RA0jG8HdtpIg2Pk04Mz22NAS8B6G z6hcdd28q7JjfR8fQ4kZnA== X-Google-Smtp-Source: ACHHUZ7pHWofx1U53JoLeUnDcI9QNPFsZ+RSFzdeaG2sEs0MAlVM1qkYdJ4r9Teqv93vBlVLKwq1aA== X-Received: by 2002:a05:620a:8592:b0:75b:23a0:debc with SMTP id pf18-20020a05620a859200b0075b23a0debcmr2936365qkn.58.1684826011635; Tue, 23 May 2023 00:13:31 -0700 (PDT) Received: from C02FL77VMD6R.bytedance.net ([2600:1700:d860:12b0:18c1:dc19:5e29:e9a0]) by smtp.gmail.com with ESMTPSA id s27-20020a05620a031b00b00759300a1ef9sm2317369qkm.31.2023.05.23.00.13.29 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 May 2023 00:13:31 -0700 (PDT) From: Peilin Ye X-Google-Original-From: Peilin Ye To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Jamal Hadi Salim , Cong Wang , Jiri Pirko Cc: Peilin Ye , Daniel Borkmann , John Fastabend , Vlad Buslov , Pedro Tammela , Hillf Danton , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Cong Wang , Peilin Ye Subject: [PATCH v4 net 1/6] net/sched: sch_ingress: Only create under TC_H_INGRESS Date: Tue, 23 May 2023 00:13:20 -0700 Message-Id: X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org From: Peilin Ye ingress Qdiscs are only supposed to be created under TC_H_INGRESS. Similar to mq_init(), return -EOPNOTSUPP if 'parent' is not TC_H_INGRESS. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+b53a9c0d1ea4ad62da8b@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/0000000000006cf87705f79acf1a@google.com/ Reviewed-by: Jamal Hadi Salim Acked-by: Jamal Hadi Salim Signed-off-by: Peilin Ye --- change since v2: - add in-body From: tag net/sched/sch_ingress.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c index 84838128b9c5..3d71f7a3b4ad 100644 --- a/net/sched/sch_ingress.c +++ b/net/sched/sch_ingress.c @@ -80,6 +80,9 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt, struct net_device *dev = qdisc_dev(sch); int err; + if (sch->parent != TC_H_INGRESS) + return -EOPNOTSUPP; + net_inc_ingress_queue(); mini_qdisc_pair_init(&q->miniqp, sch, &dev->miniq_ingress); From patchwork Tue May 23 07:14:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peilin Ye X-Patchwork-Id: 13251592 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B54611D2AB for ; Tue, 23 May 2023 07:14:53 +0000 (UTC) Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 58A60109; Tue, 23 May 2023 00:14:52 -0700 (PDT) Received: by mail-qt1-x833.google.com with SMTP id d75a77b69052e-3f392680773so34347771cf.0; Tue, 23 May 2023 00:14:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684826091; x=1687418091; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=k4RT8KtH61VT5UBgWC5UXkvWjA8gZ1S4WED/F36PazM=; b=APMod9rDv+JDt7Mke9LgtZqH3l4ccae3EMMMsQ8gqTojNI/LELDTXIsWVPQmHDkDtL h2UPoEEQsXZNS8uu2R4OkkqfJ3jLfGsees8LUcwP9BNiRVCjPwzxkukGtekCMjd/nRB6 OYPfZZGdS/Gjh1tHb5f8ZHRhVmOHDAEtMc3raW4QnyPWysPHYwoyitkxx68NXIbk3g6w tz+aGKzd8++nVVaShvpkGFQOCqDJDBfWV1nhQ4sHYKWfzU/oYpbgT9lLCLjdktGvG36+ 6QJJsBVxDuNGbUEwmccZ9yiAlBBCq5k3VpazaB37jyiUiiNJZt/Y/DwmV3Hq8bVpjxWY mNnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684826091; x=1687418091; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=k4RT8KtH61VT5UBgWC5UXkvWjA8gZ1S4WED/F36PazM=; b=CF9ES4w3+Q0RPwZrNOxO1YGFb1jsQzMYDT67v2KjQzJZXVIqjAZWluVR/QcNY6X6pB Go/Mkor3+fgVQfNe2ioShOViKAoxn9oN0KMncJ6ItVVLV1NPLzluePmWnunNOkzYjoI1 UJwQ4B98PDxt9ms8hwi4xk5LnUU6M/A3QjmVtIqpQu+wu5l+O4xdHDNSVqejycyVSbqu PL/JH0RptZgXvuppxjR8ty1ZrxhbiBzmt9WAi914lCxOm8XXZD/Sakm512WdWQvD/jcQ xSj/YavVKqT34LqMhG+Mc3qY90wvvRRwoa5tAU4aFhsHzcNL+evh0JLiMjGh01emXCS7 Mvow== X-Gm-Message-State: AC+VfDx4F7m7xUDnGLMbpidFF9YBNfgL9uxZRWZMjopS3bhEHAcngAeI TJF+C1vBKywMX9orz42GfQ== X-Google-Smtp-Source: ACHHUZ6AmvngE4qPcfmWUdZXrLcNLGv/fnQpza+GgGkWOO/EJg8+ZAicGF4SDorJu1XOyjkaJuKXNQ== X-Received: by 2002:ac8:7d0c:0:b0:3f5:3982:fa26 with SMTP id g12-20020ac87d0c000000b003f53982fa26mr24549341qtb.14.1684826091444; Tue, 23 May 2023 00:14:51 -0700 (PDT) Received: from C02FL77VMD6R.bytedance.net ([2600:1700:d860:12b0:18c1:dc19:5e29:e9a0]) by smtp.gmail.com with ESMTPSA id b13-20020ac8754d000000b003f364778b2bsm1867381qtr.4.2023.05.23.00.14.49 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 May 2023 00:14:51 -0700 (PDT) From: Peilin Ye X-Google-Original-From: Peilin Ye To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Jamal Hadi Salim , Cong Wang , Jiri Pirko Cc: Peilin Ye , Daniel Borkmann , John Fastabend , Vlad Buslov , Pedro Tammela , Hillf Danton , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Cong Wang , Peilin Ye Subject: [PATCH v4 net 2/6] net/sched: sch_clsact: Only create under TC_H_CLSACT Date: Tue, 23 May 2023 00:14:41 -0700 Message-Id: <042ff4af742ef0ed76fd5bb55b914403954b9d9f.1684825171.git.peilin.ye@bytedance.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org From: Peilin Ye clsact Qdiscs are only supposed to be created under TC_H_CLSACT (which equals TC_H_INGRESS). Return -EOPNOTSUPP if 'parent' is not TC_H_CLSACT. Fixes: 1f211a1b929c ("net, sched: add clsact qdisc") Reviewed-by: Jamal Hadi Salim Acked-by: Jamal Hadi Salim Signed-off-by: Peilin Ye --- change since v2: - add in-body From: tag net/sched/sch_ingress.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c index 3d71f7a3b4ad..13218a1fe4a5 100644 --- a/net/sched/sch_ingress.c +++ b/net/sched/sch_ingress.c @@ -222,6 +222,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt, struct net_device *dev = qdisc_dev(sch); int err; + if (sch->parent != TC_H_CLSACT) + return -EOPNOTSUPP; + net_inc_ingress_queue(); net_inc_egress_queue(); From patchwork Tue May 23 07:14:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peilin Ye X-Patchwork-Id: 13251593 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 18D6E1D2B2 for ; Tue, 23 May 2023 07:15:36 +0000 (UTC) Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 370EA120; Tue, 23 May 2023 00:15:34 -0700 (PDT) Received: by mail-qk1-x72c.google.com with SMTP id af79cd13be357-75b08ceddd1so223432385a.1; Tue, 23 May 2023 00:15:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684826133; x=1687418133; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=563KIW1CbzbOZG9uSI1EL/wqRfnJk9ZwfZaE6UMFES0=; b=mn4z2tVM//02hqXXjrXG9gO1+9fntZx7Pztl6I3viEgASGZw9b/LDeZrBjwRpDH+y0 vydlCZlOECuydOBQ0EF2Hnvqua1k3BcF5B0vkgkleDs6iiJjHJtqcYXZK1N0io/1CxO1 7rtnufvF3wKI4o2xk5m3KnFnWpGK8MqDVJwt1CAGCEPHzoOCP999/P7VUpB35kLyuZZa jkMtpzQTJFLqmKiqv8EfbSwI1oYn5nLUkR3zaCkT/lj4ZwXIpS1ejlGHI/53v3LkCumB eXYaygFCQV7wBWOvDCSUKVwGC8xAj+WZeVLaQaLz57U9bah0Ee0s7O/mIDIx4XuPklPh ZPrw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684826133; x=1687418133; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=563KIW1CbzbOZG9uSI1EL/wqRfnJk9ZwfZaE6UMFES0=; b=baje/lPfisOUOiXTFdcqC8av6XtElSTf+0ytywAboOe2Ijgd38+J+qlJ9LDfEMv+WE /D9kJT4DubiqyU6cub5yFX3MxiF6JFS+IoN9mEQOfmAJRbmQsxIwSHH+QV2G8k2aIXmH 3TgXuFRph8d2DPl6gA2HK0Zykw13wSphxbjHE7XTYYUEBieNsyOqrscz5NP52pVbyumk yUUzuGVO+4HBfCKMJolHW8iMkM9/J4A38N1xby8CnFLjO7nEUeulNu6+zvTiRBnjs2U6 cvsHN1HVbd7c6u/nH+xn2LArvZZriaFkbyC/qmbLWx7RA/wNzyuQGxjMjNrEVUNKvrCz tg/w== X-Gm-Message-State: AC+VfDyNgDFyt6FrmeJdJkXPpotRu3KPApmqLAEJmjx23cnoSmtUjAbH BJFwV5fMy1+NA9e8uKFLQw== X-Google-Smtp-Source: ACHHUZ57PlqNkIBg85I+Sz/x/Ym+ca7ecOqk9IsCNzBwFQm4mwaufmd0cF2A3WFGzaRq+SqdgbuK/g== X-Received: by 2002:a05:620a:8a05:b0:75b:23a0:de84 with SMTP id qt5-20020a05620a8a0500b0075b23a0de84mr2969184qkn.2.1684826133352; Tue, 23 May 2023 00:15:33 -0700 (PDT) Received: from C02FL77VMD6R.bytedance.net ([2600:1700:d860:12b0:18c1:dc19:5e29:e9a0]) by smtp.gmail.com with ESMTPSA id m9-20020ae9e709000000b0074e21136a77sm2292040qka.127.2023.05.23.00.15.31 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 May 2023 00:15:33 -0700 (PDT) From: Peilin Ye X-Google-Original-From: Peilin Ye To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Jamal Hadi Salim , Cong Wang , Jiri Pirko Cc: Peilin Ye , Daniel Borkmann , John Fastabend , Vlad Buslov , Pedro Tammela , Hillf Danton , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Cong Wang , Peilin Ye Subject: [PATCH v4 net 3/6] net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs Date: Tue, 23 May 2023 00:14:57 -0700 Message-Id: <5e55909fafc7afcde9b7795d39dac0d10f5f45da.1684825171.git.peilin.ye@bytedance.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org From: Peilin Ye Currently it is possible to add e.g. an HTB Qdisc under ffff:fff1 (TC_H_INGRESS, TC_H_CLSACT): $ ip link add name ifb0 type ifb $ tc qdisc add dev ifb0 parent ffff:fff1 htb $ tc qdisc add dev ifb0 clsact Error: Exclusivity flag on, cannot modify. $ drgn ... >>> ifb0 = netdev_get_by_name(prog, "ifb0") >>> qdisc = ifb0.ingress_queue.qdisc_sleeping >>> print(qdisc.ops.id.string_().decode()) htb >>> qdisc.flags.value_() # TCQ_F_INGRESS 2 Only allow ingress and clsact Qdiscs under ffff:fff1. Return -EINVAL for everything else. Make TCQ_F_INGRESS a static flag of ingress and clsact Qdiscs. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Fixes: 1f211a1b929c ("net, sched: add clsact qdisc") Reviewed-by: Jamal Hadi Salim Acked-by: Jamal Hadi Salim Signed-off-by: Peilin Ye --- change since v2: - add in-body From: tag net/sched/sch_api.c | 7 ++++++- net/sched/sch_ingress.c | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index fdb8f429333d..383195955b7d 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -1252,7 +1252,12 @@ static struct Qdisc *qdisc_create(struct net_device *dev, sch->parent = parent; if (handle == TC_H_INGRESS) { - sch->flags |= TCQ_F_INGRESS; + if (!(sch->flags & TCQ_F_INGRESS)) { + NL_SET_ERR_MSG(extack, + "Specified parent ID is reserved for ingress and clsact Qdiscs"); + err = -EINVAL; + goto err_out3; + } handle = TC_H_MAKE(TC_H_INGRESS, 0); } else { if (handle == 0) { diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c index 13218a1fe4a5..caea51e0d4e9 100644 --- a/net/sched/sch_ingress.c +++ b/net/sched/sch_ingress.c @@ -137,7 +137,7 @@ static struct Qdisc_ops ingress_qdisc_ops __read_mostly = { .cl_ops = &ingress_class_ops, .id = "ingress", .priv_size = sizeof(struct ingress_sched_data), - .static_flags = TCQ_F_CPUSTATS, + .static_flags = TCQ_F_INGRESS | TCQ_F_CPUSTATS, .init = ingress_init, .destroy = ingress_destroy, .dump = ingress_dump, @@ -275,7 +275,7 @@ static struct Qdisc_ops clsact_qdisc_ops __read_mostly = { .cl_ops = &clsact_class_ops, .id = "clsact", .priv_size = sizeof(struct clsact_sched_data), - .static_flags = TCQ_F_CPUSTATS, + .static_flags = TCQ_F_INGRESS | TCQ_F_CPUSTATS, .init = clsact_init, .destroy = clsact_destroy, .dump = ingress_dump, From patchwork Tue May 23 07:16:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peilin Ye X-Patchwork-Id: 13251594 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 007771D2B1 for ; Tue, 23 May 2023 07:16:42 +0000 (UTC) Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E57FD1B1; Tue, 23 May 2023 00:16:25 -0700 (PDT) Received: by mail-qv1-xf2a.google.com with SMTP id 6a1803df08f44-6238daae378so24488276d6.1; Tue, 23 May 2023 00:16:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684826185; x=1687418185; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=57NopkrR4E6uJZDbhMvgsyr4j6E6ncv0YksYcMdLyVw=; b=rQl6JMojzazjCyTMuW/TrsUF7fJ1YCMeODyUxDa1qUbUcJyeDTSwtxfljWJtGfog7K fSYY110KA1aZInKmPmNjb+1Yqfusp3yR4/g5x8kdLik2qc2h2bKsMvXmMyzrasp52cA7 5yx+VL9c2B1BvyfKg7MfPBjK0roIs4ljxv9x8bmiLSUtDQ+zq+BXBcz2jvmVChJNYcNU Da8gn5lgX8QVPosepqm7EnPr6JePmp4GaagegjnLGJusO2ZIx4N8UPEOJB9gPzu/IDkP xnNqp5LQ0pQ/2WTBxGfyr7YU2FIo6cKYDE4GJ0SrBnG+a1vV9+01fEvsi5ce1+FeGYu3 BdfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684826185; x=1687418185; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=57NopkrR4E6uJZDbhMvgsyr4j6E6ncv0YksYcMdLyVw=; b=acO3LJedAhi4EFj7wCvf9VZleJpCZo4YFraCXCSsUXuCM0DtRVVy/BTfgSEcOVZicB mXku/eH8ELOgKWFnnyUMuj8AdPOqUjUaumc6kVFrVRYgO3qU8MtaAaItFWIsVF1nnERl k5EZMLssjhjLnv4k+C73ssvy8il/oieNpYlpGK8kuY4SQHvXd3dXAE3+OQzNNrYVo9IK PXMF+nPGM6RZtiysFiAOxGMu8Dt/nCo3N8o22yaPNf0Uj/hxYP//YtzsrufDruMv0zro D/bAsvbIRShzK/+PhyCYh56mCAbmi83nrhylYBzeBBecLAe9k8ayo83qp8VdcJL7r919 AlyQ== X-Gm-Message-State: AC+VfDzHu9F6tP7aFVlLVd0LN9ln+EJxLVsvs6BBmMYNGDavYHaFwcee EFjIAWhAx6Dkp1vtI8nE7Q== X-Google-Smtp-Source: ACHHUZ7KKo7njr3EmK4QVv/fuKhtYgXhltOz97vxh+IR3xbh8Jr5bTE5isoW9Vcm6V8bFfppsRj/qg== X-Received: by 2002:a05:6214:d8d:b0:621:363c:ea93 with SMTP id e13-20020a0562140d8d00b00621363cea93mr18128510qve.15.1684826184972; Tue, 23 May 2023 00:16:24 -0700 (PDT) Received: from C02FL77VMD6R.bytedance.net ([2600:1700:d860:12b0:18c1:dc19:5e29:e9a0]) by smtp.gmail.com with ESMTPSA id e11-20020ad4442b000000b0061c7431810esm2519139qvt.141.2023.05.23.00.16.22 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 May 2023 00:16:24 -0700 (PDT) From: Peilin Ye X-Google-Original-From: Peilin Ye To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Jamal Hadi Salim , Cong Wang , Jiri Pirko Cc: Peilin Ye , Daniel Borkmann , John Fastabend , Vlad Buslov , Pedro Tammela , Hillf Danton , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Cong Wang , Peilin Ye Subject: [PATCH v4 net 4/6] net/sched: Prohibit regrafting ingress or clsact Qdiscs Date: Tue, 23 May 2023 00:16:16 -0700 Message-Id: <4bc54b82ffc3816058de543f383623a022a36d18.1684825171.git.peilin.ye@bytedance.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org From: Peilin Ye Currently, after creating an ingress (or clsact) Qdisc and grafting it under TC_H_INGRESS (TC_H_CLSACT), it is possible to graft it again under e.g. a TBF Qdisc: $ ip link add ifb0 type ifb $ tc qdisc add dev ifb0 handle 1: root tbf rate 20kbit buffer 1600 limit 3000 $ tc qdisc add dev ifb0 clsact $ tc qdisc link dev ifb0 handle ffff: parent 1:1 $ tc qdisc show dev ifb0 qdisc tbf 1: root refcnt 2 rate 20Kbit burst 1600b lat 560.0ms qdisc clsact ffff: parent ffff:fff1 refcnt 2 ^^^^^^^^ clsact's refcount has increased: it is now grafted under both TC_H_CLSACT and 1:1. ingress and clsact Qdiscs should only be used under TC_H_INGRESS (TC_H_CLSACT). Prohibit regrafting them. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Fixes: 1f211a1b929c ("net, sched: add clsact qdisc") Reviewed-by: Jamal Hadi Salim Acked-by: Jamal Hadi Salim Signed-off-by: Peilin Ye --- change since v2: - add in-body From: tag net/sched/sch_api.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 383195955b7d..49b9c1bbfdd9 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -1596,6 +1596,11 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, NL_SET_ERR_MSG(extack, "Invalid qdisc name"); return -EINVAL; } + if (q->flags & TCQ_F_INGRESS) { + NL_SET_ERR_MSG(extack, + "Cannot regraft ingress or clsact Qdiscs"); + return -EINVAL; + } if (q == p || (p && check_loop(q, p, 0))) { NL_SET_ERR_MSG(extack, "Qdisc parent/child loop detected"); From patchwork Tue May 23 07:17:24 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peilin Ye X-Patchwork-Id: 13251595 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1A5E11D2B1 for ; Tue, 23 May 2023 07:18:07 +0000 (UTC) Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 35C111737; Tue, 23 May 2023 00:17:38 -0700 (PDT) Received: by mail-qk1-x72b.google.com with SMTP id af79cd13be357-75b0b2d0341so187660185a.3; Tue, 23 May 2023 00:17:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684826255; x=1687418255; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=7DP0WRhEZFA9apP4UUxu6qOcwGT3oty462OE7ZKWIbQ=; b=OUxWQ8i2mtKHdr5lHqfVnOO50e57a592r7zgEo7fJcgBpcI+H0c5G8vSDzdaJNQcAa d3+Dhm2uSgftKexBWEhp3xf/jvbM5B65gdQljfsNaG8WwJ110deoiEiWDN0aHmcjnLW6 l2aaOXEQk8zL3PoxbL2n7TB2hyBshlzWKpEtU8PSAW80G48Sd3z6iNt3b3xFJK7QDD3F jevDH4iNDUu3guPcwKcaKrs35vK+2lKRzVGO0E8/gMCI/dDUTTNIYn4QjlBBKHnHNA5c sFND2q9uX3AyhzDPMzyUdZAzQrzrCg9sF3eueXGyhQFfcORN0QLP8B2yefaSa/zHZkTf uWPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684826255; x=1687418255; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7DP0WRhEZFA9apP4UUxu6qOcwGT3oty462OE7ZKWIbQ=; b=TEj6iFCEoGhRJGRaW4PiIwirPtkQ/8yXBHLnbMl0A8QqNX8KXMQ+c78JlmAa9CAqxz l52pOrOedNX9OtXpHXsOmK7H+HNSuxXv5aOPdJ43mEVibUK2YYXAPZTS2+QmlWVtNhVD NPyW2qsqLpE+EOJNq5NWY29PohIEX82UbLjipHXFFMKTmzgRmNciNvTvFSd+rLDe+jTK hHFHkDl9eniNEAMM36jpht+IH1+UvwLQLztYzNj5kevbLBKSsy1HwkxbGFykSvc9ccUi BkdsmFUB5SvCpzd+P7FSyvKVaiIS0lHp9JC9NvzFE7OyBmoxAmfzdPYjwI9H8Z8mBc6S tjsg== X-Gm-Message-State: AC+VfDwFuYFmtPccTRDs89bnKyHFNggwyycUmwHF7lstYG4s/pS7C7ru vktzib7d0H0ms0zfzU5aGw== X-Google-Smtp-Source: ACHHUZ660zMrWscX3GY+5jLdNq+n3WWC4xRWqCTCIw0MiXXyWGuDblPiKIuPOp+g0rnncgdONTvOhA== X-Received: by 2002:a05:620a:95d:b0:75b:23a1:486 with SMTP id w29-20020a05620a095d00b0075b23a10486mr2781227qkw.76.1684826254970; Tue, 23 May 2023 00:17:34 -0700 (PDT) Received: from C02FL77VMD6R.bytedance.net ([2600:1700:d860:12b0:18c1:dc19:5e29:e9a0]) by smtp.gmail.com with ESMTPSA id y11-20020a37e30b000000b00759495bb52fsm2325251qki.39.2023.05.23.00.17.31 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 May 2023 00:17:34 -0700 (PDT) From: Peilin Ye X-Google-Original-From: Peilin Ye To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Jamal Hadi Salim , Cong Wang , Jiri Pirko Cc: Peilin Ye , Daniel Borkmann , John Fastabend , Vlad Buslov , Pedro Tammela , Hillf Danton , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Cong Wang , Peilin Ye Subject: [PATCH v4 net 5/6] net/sched: Refactor qdisc_graft() for ingress and clsact Qdiscs Date: Tue, 23 May 2023 00:17:24 -0700 Message-Id: <08267d7f0563327ad468dbaf3626ef3352e4924a.1684825171.git.peilin.ye@bytedance.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org From: Peilin Ye Grafting ingress and clsact Qdiscs does not need a for-loop in qdisc_graft(). Refactor it. No functional changes intended. Reviewed-by: Jamal Hadi Salim Acked-by: Jamal Hadi Salim Tested-by: Pedro Tammela Signed-off-by: Peilin Ye --- change since v2: - add in-body From: tag net/sched/sch_api.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 49b9c1bbfdd9..f72a581666a2 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -1073,12 +1073,12 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, if (parent == NULL) { unsigned int i, num_q, ingress; + struct netdev_queue *dev_queue; ingress = 0; num_q = dev->num_tx_queues; if ((q && q->flags & TCQ_F_INGRESS) || (new && new->flags & TCQ_F_INGRESS)) { - num_q = 1; ingress = 1; if (!dev_ingress_queue(dev)) { NL_SET_ERR_MSG(extack, "Device does not have an ingress queue"); @@ -1094,18 +1094,18 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, if (new && new->ops->attach && !ingress) goto skip; - for (i = 0; i < num_q; i++) { - struct netdev_queue *dev_queue = dev_ingress_queue(dev); - - if (!ingress) + if (!ingress) { + for (i = 0; i < num_q; i++) { dev_queue = netdev_get_tx_queue(dev, i); + old = dev_graft_qdisc(dev_queue, new); - old = dev_graft_qdisc(dev_queue, new); - if (new && i > 0) - qdisc_refcount_inc(new); - - if (!ingress) + if (new && i > 0) + qdisc_refcount_inc(new); qdisc_put(old); + } + } else { + dev_queue = dev_ingress_queue(dev); + old = dev_graft_qdisc(dev_queue, new); } skip: From patchwork Tue May 23 07:18:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peilin Ye X-Patchwork-Id: 13251596 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 72A471D2B1 for ; Tue, 23 May 2023 07:18:33 +0000 (UTC) Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 26857E46; Tue, 23 May 2023 00:18:14 -0700 (PDT) Received: by mail-qk1-x72d.google.com with SMTP id af79cd13be357-75b00e5f8e4so135240385a.0; Tue, 23 May 2023 00:18:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684826293; x=1687418293; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=d5nW0xJEneX9uqqXTzwuOB5+i2JqjWWSWS/a304uD8A=; b=XnS6CNDO/NF7L0a3t0H2omDiPixn5SgTHVwuRmvhCYHjopQ7A45wN4Acz9lvKvE+Z1 GB7XqC9u2cXi1YjGM29IuCDJaKncNQWsaHOENuQrUh+GKzA5QaevVzZaWaBZClqUPRtT P3nbrW+oE0EUn7QRKHfzSyAY41Pckso+NgvsB/j8+5W1WBPbFWNfxiGLWewj8mRWx2dT YeKaFzNTcXvTvQ8KxkHwpuU7LaeIo+n0mUrpMWyaevrLximEpCoC3hYojtgECWsg39yo ppwj4jO1S2LHbgSJVeByqvGFuUdjzeKIaTaaQo2NhZCl6xHxp6wx4kA8v8HIn2WEPmHs WEnQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684826293; x=1687418293; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=d5nW0xJEneX9uqqXTzwuOB5+i2JqjWWSWS/a304uD8A=; b=kE2Fje1dnbSNvywrkhql0AMzBeZMomJVdpsfZYst7CQx52LwDNP6FZB62Y07127OW6 sYf/8GFRH8lzFFtWrJnLJb0fdwH5OVMtE3js47HGpPny8ZKJw5mKRuK9c0RsBgE2fufM umeo9L3RhBFAT9FaplAj9/AN/2YUFqBq9syIiV+B9xX7of21KCO5ETbB1SaBpxCoAB8X jCBRrO+jE25iJshHLCKXlsWUSjbwGl9zicFVkyJ2XErkLiDBeewp7HBD3T6ocy9COgye Hu/+Lh0Rivk216a14chsqZvyN37OL79NS3ovEL2NjyZAaQ+/DmAfwFf1CKp9Jmjw8Smf yDGg== X-Gm-Message-State: AC+VfDwN5C1biDy3mJXLbVDLmDkU8e6jFAoxiTd+5v9Jvt7vRbCBKoV8 I63D3UPxHmksMVD32QigHg== X-Google-Smtp-Source: ACHHUZ7z0GsGiIRZ8nSNpEt3q01wHJJWYFgQvvynlqmxa+6stIZbFOOpfsjiC9/Scu80Li1Y+N1MPg== X-Received: by 2002:a37:658b:0:b0:75b:23a0:d9c2 with SMTP id z133-20020a37658b000000b0075b23a0d9c2mr3109101qkb.24.1684826293182; Tue, 23 May 2023 00:18:13 -0700 (PDT) Received: from C02FL77VMD6R.bytedance.net ([2600:1700:d860:12b0:18c1:dc19:5e29:e9a0]) by smtp.gmail.com with ESMTPSA id o2-20020a05620a110200b0074adc37ec46sm2301807qkk.84.2023.05.23.00.18.10 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 May 2023 00:18:12 -0700 (PDT) From: Peilin Ye X-Google-Original-From: Peilin Ye To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Jamal Hadi Salim , Cong Wang , Jiri Pirko Cc: Peilin Ye , Daniel Borkmann , John Fastabend , Vlad Buslov , Pedro Tammela , Hillf Danton , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Cong Wang , Peilin Ye Subject: [PATCH v4 net 6/6] net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting Date: Tue, 23 May 2023 00:18:02 -0700 Message-Id: X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org From: Peilin Ye mini_Qdisc_pair::p_miniq is a double pointer to mini_Qdisc, initialized in ingress_init() to point to net_device::miniq_ingress. ingress Qdiscs access this per-net_device pointer in mini_qdisc_pair_swap(). Similar for clsact Qdiscs and miniq_egress. Unfortunately, after introducing RTNL-unlocked RTM_{NEW,DEL,GET}TFILTER requests (thanks Hillf Danton for the hint), when replacing ingress or clsact Qdiscs, for example, the old Qdisc ("@old") could access the same miniq_{in,e}gress pointer(s) concurrently with the new Qdisc ("@new"), causing race conditions [1] including a use-after-free bug in mini_qdisc_pair_swap() reported by syzbot: BUG: KASAN: slab-use-after-free in mini_qdisc_pair_swap+0x1c2/0x1f0 net/sched/sch_generic.c:1573 Write of size 8 at addr ffff888045b31308 by task syz-executor690/14901 ... Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:319 print_report mm/kasan/report.c:430 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:536 mini_qdisc_pair_swap+0x1c2/0x1f0 net/sched/sch_generic.c:1573 tcf_chain_head_change_item net/sched/cls_api.c:495 [inline] tcf_chain0_head_change.isra.0+0xb9/0x120 net/sched/cls_api.c:509 tcf_chain_tp_insert net/sched/cls_api.c:1826 [inline] tcf_chain_tp_insert_unique net/sched/cls_api.c:1875 [inline] tc_new_tfilter+0x1de6/0x2290 net/sched/cls_api.c:2266 ... @old and @new should not affect each other. In other words, @old should never modify miniq_{in,e}gress after @new, and @new should not update @old's RCU state. Fixing without changing sch_api.c turned out to be difficult (please refer to Closes: for discussions). Instead, make sure @new's first call always happen after @old's last call, in qdisc_destroy(), has finished: In qdisc_graft(), return -EAGAIN and tell the caller to replay (suggested by Vlad Buslov) if @old has any ongoing RTNL-unlocked filter requests, and call qdisc_destroy() for @old before grafting @new. Introduce qdisc_refcount_dec_if_one() as the counterpart of qdisc_refcount_inc_nz() used for RTNL-unlocked filter requests. Introduce a non-static version of qdisc_destroy() that does a TCQ_F_BUILTIN check, just like qdisc_put() etc. Depends on patch "net/sched: Refactor qdisc_graft() for ingress and clsact Qdiscs". [1] To illustrate, the syzkaller reproducer adds ingress Qdiscs under TC_H_ROOT (no longer possible after patch "net/sched: sch_ingress: Only create under TC_H_INGRESS") on eth0 that has 8 transmission queues: Thread 1 creates ingress Qdisc A (containing mini Qdisc a1 and a2), then adds a flower filter X to A. Thread 2 creates another ingress Qdisc B (containing mini Qdisc b1 and b2) to replace A, then adds a flower filter Y to B. Thread 1 A's refcnt Thread 2 RTM_NEWQDISC (A, RTNL-locked) qdisc_create(A) 1 qdisc_graft(A) 9 RTM_NEWTFILTER (X, RTNL-unlocked) __tcf_qdisc_find(A) 10 tcf_chain0_head_change(A) mini_qdisc_pair_swap(A) (1st) | | RTM_NEWQDISC (B, RTNL-locked) RCU sync 2 qdisc_graft(B) | 1 notify_and_destroy(A) | tcf_block_release(A) 0 RTM_NEWTFILTER (Y, RTNL-unlocked) qdisc_destroy(A) tcf_chain0_head_change(B) tcf_chain0_head_change_cb_del(A) mini_qdisc_pair_swap(B) (2nd) mini_qdisc_pair_swap(A) (3rd) | ... ... Here, B calls mini_qdisc_pair_swap(), pointing eth0->miniq_ingress to its mini Qdisc, b1. Then, A calls mini_qdisc_pair_swap() again during ingress_destroy(), setting eth0->miniq_ingress to NULL, so ingress packets on eth0 will not find filter Y in sch_handle_ingress(). This is only one of the possible consequences of concurrently accessing miniq_{in,e}gress pointers. The point is clear though: again, A should never modify those per-net_device pointers after B, and B should not update A's RCU state. Fixes: 7a096d579e8e ("net: sched: ingress: set 'unlocked' flag for Qdisc ops") Fixes: 87f373921c4e ("net: sched: ingress: set 'unlocked' flag for clsact Qdisc ops") Reported-by: syzbot+b53a9c0d1ea4ad62da8b@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/0000000000006cf87705f79acf1a@google.com/ Cc: Hillf Danton Cc: Vlad Buslov Signed-off-by: Peilin Ye --- change since v2: - add in-body From: tag changes in v2: - replay the request if the current Qdisc has any ongoing RTNL-unlocked filter requests (Vlad) - minor changes in code comments and commit log include/net/sch_generic.h | 8 ++++++++ net/sched/sch_api.c | 32 ++++++++++++++++++++++++++------ net/sched/sch_generic.c | 14 +++++++++++--- 3 files changed, 45 insertions(+), 9 deletions(-) diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h index fab5ba3e61b7..3e9cc43cbc90 100644 --- a/include/net/sch_generic.h +++ b/include/net/sch_generic.h @@ -137,6 +137,13 @@ static inline void qdisc_refcount_inc(struct Qdisc *qdisc) refcount_inc(&qdisc->refcnt); } +static inline bool qdisc_refcount_dec_if_one(struct Qdisc *qdisc) +{ + if (qdisc->flags & TCQ_F_BUILTIN) + return true; + return refcount_dec_if_one(&qdisc->refcnt); +} + /* Intended to be used by unlocked users, when concurrent qdisc release is * possible. */ @@ -652,6 +659,7 @@ void dev_deactivate_many(struct list_head *head); struct Qdisc *dev_graft_qdisc(struct netdev_queue *dev_queue, struct Qdisc *qdisc); void qdisc_reset(struct Qdisc *qdisc); +void qdisc_destroy(struct Qdisc *qdisc); void qdisc_put(struct Qdisc *qdisc); void qdisc_put_unlocked(struct Qdisc *qdisc); void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len); diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index f72a581666a2..b3bafa6c1b44 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -1080,10 +1080,18 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, if ((q && q->flags & TCQ_F_INGRESS) || (new && new->flags & TCQ_F_INGRESS)) { ingress = 1; - if (!dev_ingress_queue(dev)) { + dev_queue = dev_ingress_queue(dev); + if (!dev_queue) { NL_SET_ERR_MSG(extack, "Device does not have an ingress queue"); return -ENOENT; } + + /* Replay if the current ingress (or clsact) Qdisc has ongoing + * RTNL-unlocked filter request(s). This is the counterpart of that + * qdisc_refcount_inc_nz() call in __tcf_qdisc_find(). + */ + if (!qdisc_refcount_dec_if_one(dev_queue->qdisc_sleeping)) + return -EAGAIN; } if (dev->flags & IFF_UP) @@ -1104,8 +1112,16 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, qdisc_put(old); } } else { - dev_queue = dev_ingress_queue(dev); - old = dev_graft_qdisc(dev_queue, new); + old = dev_graft_qdisc(dev_queue, NULL); + + /* {ingress,clsact}_destroy() @old before grafting @new to avoid + * unprotected concurrent accesses to net_device::miniq_{in,e}gress + * pointer(s) in mini_qdisc_pair_swap(). + */ + qdisc_notify(net, skb, n, classid, old, new, extack); + qdisc_destroy(old); + + dev_graft_qdisc(dev_queue, new); } skip: @@ -1119,8 +1135,6 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, if (new && new->ops->attach) new->ops->attach(new); - } else { - notify_and_destroy(net, skb, n, classid, old, new, extack); } if (dev->flags & IFF_UP) @@ -1458,6 +1472,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, struct Qdisc *p = NULL; int err; +replay: err = nlmsg_parse_deprecated(n, sizeof(*tcm), tca, TCA_MAX, rtm_tca_policy, extack); if (err < 0) @@ -1515,8 +1530,11 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, return -ENOENT; } err = qdisc_graft(dev, p, skb, n, clid, NULL, q, extack); - if (err != 0) + if (err != 0) { + if (err == -EAGAIN) + goto replay; return err; + } } else { qdisc_notify(net, skb, n, clid, NULL, q, NULL); } @@ -1704,6 +1722,8 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, if (err) { if (q) qdisc_put(q); + if (err == -EAGAIN) + goto replay; return err; } diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c index 37e41f972f69..e14ed47f961c 100644 --- a/net/sched/sch_generic.c +++ b/net/sched/sch_generic.c @@ -1046,7 +1046,7 @@ static void qdisc_free_cb(struct rcu_head *head) qdisc_free(q); } -static void qdisc_destroy(struct Qdisc *qdisc) +static void __qdisc_destroy(struct Qdisc *qdisc) { const struct Qdisc_ops *ops = qdisc->ops; @@ -1070,6 +1070,14 @@ static void qdisc_destroy(struct Qdisc *qdisc) call_rcu(&qdisc->rcu, qdisc_free_cb); } +void qdisc_destroy(struct Qdisc *qdisc) +{ + if (qdisc->flags & TCQ_F_BUILTIN) + return; + + __qdisc_destroy(qdisc); +} + void qdisc_put(struct Qdisc *qdisc) { if (!qdisc) @@ -1079,7 +1087,7 @@ void qdisc_put(struct Qdisc *qdisc) !refcount_dec_and_test(&qdisc->refcnt)) return; - qdisc_destroy(qdisc); + __qdisc_destroy(qdisc); } EXPORT_SYMBOL(qdisc_put); @@ -1094,7 +1102,7 @@ void qdisc_put_unlocked(struct Qdisc *qdisc) !refcount_dec_and_rtnl_lock(&qdisc->refcnt)) return; - qdisc_destroy(qdisc); + __qdisc_destroy(qdisc); rtnl_unlock(); } EXPORT_SYMBOL(qdisc_put_unlocked);