From patchwork Tue Jul 11 21:01:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pedro Tammela X-Patchwork-Id: 13309388 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8E3241ED24 for ; Tue, 11 Jul 2023 21:01:20 +0000 (UTC) Received: from mail-oi1-x22f.google.com (mail-oi1-x22f.google.com [IPv6:2607:f8b0:4864:20::22f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 71F5310EF for ; Tue, 11 Jul 2023 14:01:19 -0700 (PDT) Received: by mail-oi1-x22f.google.com with SMTP id 5614622812f47-3a3a8d21208so5363230b6e.0 for ; Tue, 11 Jul 2023 14:01:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mojatatu-com.20221208.gappssmtp.com; s=20221208; t=1689109278; x=1691701278; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=qUzpFQyAUrW6n50WA4a2cK2TtZnq8gyOTaEzArpZSgM=; b=zh9RcHcgOYX1he0ZvHiplZ9YaMvrfQa/jXJDQOUzHPlu2swaCWz4IT6c0fK5tyuin3 pGtf8Zu80UyGOwW9ZUSwj5RMKpEd+1V0ARW6MUAj26SXH/FZzltE/TrJFfNWFm584wHx JoJfw44BjFHn3T8VDHuzcfvxP5vwTHzfyRZVeGQbZrvgW+SRsVHZZ0Uk1QknouMatpoN aMh8Tw2WvCVeLi3Ob2g3hHkl959/AFvL4R9/olcDKNkUJo+XLIDqfar6bWkwWMZy5bwU niZtF2uJX5WDdzjdhuw1/3hdNpQPH6oMqNNFhxL1/LXouCK5aop+KRNUfogCB86f7MyX h2aw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689109278; x=1691701278; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=qUzpFQyAUrW6n50WA4a2cK2TtZnq8gyOTaEzArpZSgM=; b=jGETH4FOMpftNf1QnLHPP7Va4Snaqy5nTdh36u53crnrpuDtuW1HPn6vN1saLC0Dk9 uhn/HPLouvZqLf7hoDbAvfkqAS/isC2YqhzF2LcoiROsE6tRHkcg1qfIOuxv7soS9hkt wAziwVrZjO955xcfUzAV7hzwiQuCF6LWNvlJHoycCCbzZXS2OBG6ffuDeMdthyRFH0sL 8rP6VAjvpBJt6UiD2NcAN5/bcO0GpTGtnGZYobG1ZwLvMvCHf5W5muUHyNX1DZXooHFC o6DUA5Ifr6ShEXI3pQYIH4Fuh+l2duyyI/W8TI5minLoWXuaSL19CIUrenca8Ec+kRRT nZNw== X-Gm-Message-State: ABy/qLbr/rWUtv+yuK85yiv8CC5/2+jCrWOsBl6+srZEA3oo97YLjuPY p+rDaK1oa0TJ4YCi+y6CqEW+gC9p0Y/J2TcfBug= X-Google-Smtp-Source: APBJJlFxJsM4fimMcBBgdZaafK/iWn0CtcIu3/VZJES7uhBnCEqNriTKnJ+A0AoK04IbRgEWHfRsqA== X-Received: by 2002:a05:6808:1596:b0:3a1:ecdf:5f74 with SMTP id t22-20020a056808159600b003a1ecdf5f74mr21715314oiw.43.1689109278594; Tue, 11 Jul 2023 14:01:18 -0700 (PDT) Received: from rogue-one.tail33bf8.ts.net ([2804:14d:5c5e:44fb:d1e8:1b90:7e91:3217]) by smtp.gmail.com with ESMTPSA id d5-20020a05680808e500b003a1e965bf39sm1290575oic.2.2023.07.11.14.01.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jul 2023 14:01:18 -0700 (PDT) From: Pedro Tammela To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, shaozhengchao@huawei.com, victor@mojatatu.com, simon.horman@corigine.com, paolo.valente@unimore.it, Pedro Tammela Subject: [PATCH net v3 1/4] net/sched: sch_qfq: reintroduce lmax bound check for MTU Date: Tue, 11 Jul 2023 18:01:00 -0300 Message-Id: <20230711210103.597831-2-pctammela@mojatatu.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230711210103.597831-1-pctammela@mojatatu.com> References: <20230711210103.597831-1-pctammela@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org 25369891fcef deletes a check for the case where no 'lmax' is specified which 3037933448f6 previously fixed as 'lmax' could be set to the device's MTU without any bound checking for QFQ_LMAX_MIN and QFQ_LMAX_MAX. Therefore, reintroduce the check. Fixes: 25369891fcef ("net/sched: sch_qfq: refactor parsing of netlink parameters") Acked-by: Jamal Hadi Salim Reviewed-by: Eric Dumazet Signed-off-by: Pedro Tammela Reviewed-by: Simon Horman --- net/sched/sch_qfq.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c index dfd9a99e6257..63a5b277c117 100644 --- a/net/sched/sch_qfq.c +++ b/net/sched/sch_qfq.c @@ -423,10 +423,17 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, else weight = 1; - if (tb[TCA_QFQ_LMAX]) + if (tb[TCA_QFQ_LMAX]) { lmax = nla_get_u32(tb[TCA_QFQ_LMAX]); - else + } else { + /* MTU size is user controlled */ lmax = psched_mtu(qdisc_dev(sch)); + if (lmax < QFQ_MIN_LMAX || lmax > QFQ_MAX_LMAX) { + NL_SET_ERR_MSG_MOD(extack, + "MTU size out of bounds for qfq"); + return -EINVAL; + } + } inv_w = ONE_FP / weight; weight = ONE_FP / inv_w; From patchwork Tue Jul 11 21:01:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pedro Tammela X-Patchwork-Id: 13309389 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A62A71ED24 for ; Tue, 11 Jul 2023 21:01:25 +0000 (UTC) Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90F8B10EF for ; Tue, 11 Jul 2023 14:01:24 -0700 (PDT) Received: by mail-oi1-x22c.google.com with SMTP id 5614622812f47-3a3a8d21208so5363276b6e.0 for ; Tue, 11 Jul 2023 14:01:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mojatatu-com.20221208.gappssmtp.com; s=20221208; t=1689109284; x=1691701284; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=QBOeuLVuAPTLN6vQKVxAw0mAbQvV60ZgiF6RxAel8/s=; b=T3WVH9I2ybeE65k6gXqSbCyCxWdGDtLop0yxaCZpoSjFF9GKsLwoMCwPGorM1exo7C 1uurtmCsu87pBMMs+83M1YiR09qn1ropnSPOkX0KVs4Ef9OfGT9QrggYAm02IA1TaaBu CTz6JVJyDWL/hDy7j9zO1FDh9U46eVOMiFlhMiNh1P0OpFgBypFAS/Ne6OYR3rzd/W+L uJgQ3Kcc3cxbcWwTEH1MjEeXxX3o5LHmrqC4yMwuuCAUVBykexh5FJhXUD/rlj+4r2Fd aO7LhA92xaAmjE9jlVlZVJkHijfZF9bifjwdK7fHm+y5ji83NfaH3ygvE5gB02gIQiWE QiVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689109284; x=1691701284; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QBOeuLVuAPTLN6vQKVxAw0mAbQvV60ZgiF6RxAel8/s=; b=DXHoiqBodsEtpe5XvWU6dtrNoPxGLiV9qB8eHOAPttZ6QKYNqoI3mXVsa5XN9LcAxQ 3uA/pDXUGDA9aADOZZJgd/l2xPCCgh0f5oaLJGvoqJPhzGAj8OnTrkusiM61c+KWj0IT ZB3Hu68RT18VsXCNCWFlwAiHnSsmLEKEWRGDGrjr51Un0tSRRz/rIf2Zig0gitUOJWMM d+8hYumFDZ9a8Tb+gKYOrNx6eW/cxB5QaQgjkG1R0/XS2h0WKhxlhBWHkQyGd0NlPJZU IZGtSYeUUCuEHHe09xqSAWpCmuB+19nO36LWb8hxUJqhB3LaKpSwBrVJGUB5aRf6zuut +BgA== X-Gm-Message-State: ABy/qLZbDqbXbruvQCjoZ3+rnHvYHCxCY8Jx/tjK6xpAvkx60JTI64Bo WMbcU9za3sXB7nzxd/cNkaAHkdFAakhuNHlxn7o= X-Google-Smtp-Source: APBJJlFL+eBGE8iC49k1T3p8ap0pFJsYB4yOfOHZr7K0ISqzqPws7NcTJbde0JeETxCOtlQb2rZA1g== X-Received: by 2002:a05:6808:10c5:b0:3a3:eab8:8ba5 with SMTP id s5-20020a05680810c500b003a3eab88ba5mr18920078ois.27.1689109282744; Tue, 11 Jul 2023 14:01:22 -0700 (PDT) Received: from rogue-one.tail33bf8.ts.net ([2804:14d:5c5e:44fb:d1e8:1b90:7e91:3217]) by smtp.gmail.com with ESMTPSA id d5-20020a05680808e500b003a1e965bf39sm1290575oic.2.2023.07.11.14.01.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jul 2023 14:01:22 -0700 (PDT) From: Pedro Tammela To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, shaozhengchao@huawei.com, victor@mojatatu.com, simon.horman@corigine.com, paolo.valente@unimore.it, Pedro Tammela Subject: [PATCH net v3 2/4] selftests: tc-testing: add tests for qfq mtu sanity check Date: Tue, 11 Jul 2023 18:01:01 -0300 Message-Id: <20230711210103.597831-3-pctammela@mojatatu.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230711210103.597831-1-pctammela@mojatatu.com> References: <20230711210103.597831-1-pctammela@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org QFQ only supports a certain bound of MTU size so make sure we check for this requirement in the tests. Acked-by: Jamal Hadi Salim Signed-off-by: Pedro Tammela Reviewed-by: Simon Horman Tested-by: Zhengchao Shao --- .../tc-testing/tc-tests/qdiscs/qfq.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/qfq.json b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/qfq.json index 147899a868d3..965da7622dac 100644 --- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/qfq.json +++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/qfq.json @@ -213,5 +213,53 @@ "$TC qdisc del dev $DUMMY handle 1: root", "$IP link del dev $DUMMY type dummy" ] + }, + { + "id": "85ee", + "name": "QFQ with big MTU", + "category": [ + "qdisc", + "qfq" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "$IP link add dev $DUMMY type dummy || /bin/true", + "$IP link set dev $DUMMY mtu 2147483647 || /bin/true", + "$TC qdisc add dev $DUMMY handle 1: root qfq" + ], + "cmdUnderTest": "$TC class add dev $DUMMY parent 1: classid 1:1 qfq weight 100", + "expExitCode": "2", + "verifyCmd": "$TC class show dev $DUMMY", + "matchPattern": "class qfq 1:", + "matchCount": "0", + "teardown": [ + "$IP link del dev $DUMMY type dummy" + ] + }, + { + "id": "ddfa", + "name": "QFQ with small MTU", + "category": [ + "qdisc", + "qfq" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "$IP link add dev $DUMMY type dummy || /bin/true", + "$IP link set dev $DUMMY mtu 256 || /bin/true", + "$TC qdisc add dev $DUMMY handle 1: root qfq" + ], + "cmdUnderTest": "$TC class add dev $DUMMY parent 1: classid 1:1 qfq weight 100", + "expExitCode": "2", + "verifyCmd": "$TC class show dev $DUMMY", + "matchPattern": "class qfq 1:", + "matchCount": "0", + "teardown": [ + "$IP link del dev $DUMMY type dummy" + ] } ] From patchwork Tue Jul 11 21:01:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pedro Tammela X-Patchwork-Id: 13309390 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3C8A519BDF for ; Tue, 11 Jul 2023 21:01:29 +0000 (UTC) Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 01B7510F1 for ; Tue, 11 Jul 2023 14:01:28 -0700 (PDT) Received: by mail-ot1-x330.google.com with SMTP id 46e09a7af769-6b87d505e28so5077251a34.2 for ; Tue, 11 Jul 2023 14:01:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mojatatu-com.20221208.gappssmtp.com; s=20221208; t=1689109287; x=1691701287; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=RlnDNLdpdnv+uiB8Iv7LsxctH7UI4fZlMEPS3+5XDa4=; b=RC01A3frKl+2h6CPdwGYGi1mSfnsVL6K9/1SbXH6mcgZopWrJv2FWA0pT55jKzqgfG 6rVbpUtaYkumYdFoi0yhwwExwXS6RBuqz0JzOHXtBIVFH0XTNqwCYyUYKvVd+LIERhct c7/FOi6sTn0d1Lpv4iVZEw6fxdnI2u2JcTMfh2/KV7M0I7ES5AMPBSiHaKQKqjQEM47b BR43RkxcZnIbzm0MWExn4sbGigncWn2pQXi0mXvV3mDaf2qwd/+3aboZA7IZVUVjDBkB TibKqpbmoCIXNOLW7YZONYwKCezxrGTiG6Vm2hOqv2yDCnGG7nV2y7OyytiGyLru1r7T T4EA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689109287; x=1691701287; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RlnDNLdpdnv+uiB8Iv7LsxctH7UI4fZlMEPS3+5XDa4=; b=M3dSc+qMoXEfwuNvtOp+83xOVy/973TVFAyrIfZmHcqtgKMaK1ZO1aoY/ZqLTmwoqK +lpGuKQ78fgJTYQGd2u7ZXp/lnmlu3lFs7qW7zAl8ejywLdCL+7A5HUqprEMVu4XTbge YeehdYYbBhq0b7Pb++98DYs2b0Kfedd5eJy1BQq+jOFg0bFmVf3drrhL2gycTx101SO0 CosRYuVZn3Dt9dA6Q3hF7ZEnz0Uz1GySXx7bKnMlCtbr4xjt0Mkx2fVVhsC/6P8bZfnU BxY0g4V8+bp90eKJN+m2KIUVcZE2kBbDz+D6vf1e2UXpXLX1JBKDHzC7L+/t9Il+65At OjGg== X-Gm-Message-State: ABy/qLbALpqOLjeSkbJAjFvlBjkMTW949De/TjfQ7a9Xu4EVyH6CPdbj R/x8sd2pcnrcq77Tx0UgqchB/vB7fnLV/0vR7Lk= X-Google-Smtp-Source: APBJJlEtAwWPBKyTATbAWq0zNmOeg/OpGavRC4200jfzNYCn30afUorLS0PwNpfE4PY319OB92sOEg== X-Received: by 2002:a05:6808:f0b:b0:3a3:ac49:77dc with SMTP id m11-20020a0568080f0b00b003a3ac4977dcmr17366105oiw.1.1689109287244; Tue, 11 Jul 2023 14:01:27 -0700 (PDT) Received: from rogue-one.tail33bf8.ts.net ([2804:14d:5c5e:44fb:d1e8:1b90:7e91:3217]) by smtp.gmail.com with ESMTPSA id d5-20020a05680808e500b003a1e965bf39sm1290575oic.2.2023.07.11.14.01.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jul 2023 14:01:26 -0700 (PDT) From: Pedro Tammela To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, shaozhengchao@huawei.com, victor@mojatatu.com, simon.horman@corigine.com, paolo.valente@unimore.it, Pedro Tammela , Lion Subject: [PATCH net v3 3/4] net/sched: sch_qfq: account for stab overhead in qfq_enqueue Date: Tue, 11 Jul 2023 18:01:02 -0300 Message-Id: <20230711210103.597831-4-pctammela@mojatatu.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230711210103.597831-1-pctammela@mojatatu.com> References: <20230711210103.597831-1-pctammela@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org Lion says: ------- In the QFQ scheduler a similar issue to CVE-2023-31436 persists. Consider the following code in net/sched/sch_qfq.c: static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free) { unsigned int len = qdisc_pkt_len(skb), gso_segs; // ... if (unlikely(cl->agg->lmax < len)) { pr_debug("qfq: increasing maxpkt from %u to %u for class %u", cl->agg->lmax, len, cl->common.classid); err = qfq_change_agg(sch, cl, cl->agg->class_weight, len); if (err) { cl->qstats.drops++; return qdisc_drop(skb, sch, to_free); } // ... } Similarly to CVE-2023-31436, "lmax" is increased without any bounds checks according to the packet length "len". Usually this would not impose a problem because packet sizes are naturally limited. This is however not the actual packet length, rather the "qdisc_pkt_len(skb)" which might apply size transformations according to "struct qdisc_size_table" as created by "qdisc_get_stab()" in net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc. A user may choose virtually any size using such a table. As a result the same issue as in CVE-2023-31436 can occur, allowing heap out-of-bounds read / writes in the kmalloc-8192 cache. ------- We can create the issue with the following commands: tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \ overhead 999999999 linklayer ethernet qfq tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k tc filter add dev $DEV parent 1: matchall classid 1:1 ping -I $DEV 1.1.1.2 This is caused by incorrectly assuming that qdisc_pkt_len() returns a length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX. Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") Reported-by: Lion Reviewed-by: Eric Dumazet Signed-off-by: Jamal Hadi Salim Signed-off-by: Pedro Tammela Reviewed-by: Simon Horman --- net/sched/sch_qfq.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c index 63a5b277c117..befaf74b33ca 100644 --- a/net/sched/sch_qfq.c +++ b/net/sched/sch_qfq.c @@ -381,8 +381,13 @@ static int qfq_change_agg(struct Qdisc *sch, struct qfq_class *cl, u32 weight, u32 lmax) { struct qfq_sched *q = qdisc_priv(sch); - struct qfq_aggregate *new_agg = qfq_find_agg(q, lmax, weight); + struct qfq_aggregate *new_agg; + /* 'lmax' can range from [QFQ_MIN_LMAX, pktlen + stab overhead] */ + if (lmax > QFQ_MAX_LMAX) + return -EINVAL; + + new_agg = qfq_find_agg(q, lmax, weight); if (new_agg == NULL) { /* create new aggregate */ new_agg = kzalloc(sizeof(*new_agg), GFP_ATOMIC); if (new_agg == NULL) From patchwork Tue Jul 11 21:01:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pedro Tammela X-Patchwork-Id: 13309391 X-Patchwork-Delegate: kuba@kernel.org Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 721DA1ED20 for ; Tue, 11 Jul 2023 21:01:33 +0000 (UTC) Received: from mail-oo1-xc36.google.com (mail-oo1-xc36.google.com [IPv6:2607:f8b0:4864:20::c36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3FD5110DD for ; Tue, 11 Jul 2023 14:01:32 -0700 (PDT) Received: by mail-oo1-xc36.google.com with SMTP id 006d021491bc7-565f8e359b8so4287398eaf.2 for ; Tue, 11 Jul 2023 14:01:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mojatatu-com.20221208.gappssmtp.com; s=20221208; t=1689109291; x=1691701291; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Y+wNL7uX7hr5BtVhWKeG8QW6Iwt6qL0jrJtflU9Rw0g=; b=F4mb2Bm/nJEI8G1VXSHURHaJoxZSolT4mdMNufTM4a3dWrX5sPgvjcj9sKbWlbuNyk zsxKRv2yldnAnvsjOjQNTHJaUneJFjRy0kR2vb6ILsfW3n8xlRONKcalZEykFNUhj6+Y wZLAJtzCWbWhxq3b2J/SlcCVATJ+NMdPcOFL6NPZQJk/P2MyeZXaUuo1jcBcQDa/yXWo 4Xyxgnu2Yzy3oS4K15wVtCSGI1osh8i9UObSxs8PytxoDJoniQh3hoccUhPcFggXcBP+ 72mgRboMdDBXqzGWUTyNL3Q86UYSXVMD4/a/WEkLLz96p4wU5zdpEzqc9m9TKkDEZwx4 8hjA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689109291; x=1691701291; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Y+wNL7uX7hr5BtVhWKeG8QW6Iwt6qL0jrJtflU9Rw0g=; b=FJdbL23jVJdrq8DuTC6jZwR8YWNq4aRZd1582Cu5XXUm4JrRAg2qjYzDgD6p+0eJU+ Yf5J+FJBP/oy5G1YG8wt1Kb1nZBr+LJy0bshjq8nPjWyQ7lrYvPSWLURKqHikKG03d+a BAq7BZCBrK6+Rqh61t38fWDezJLG9Od6ryg4dZRKpDM/m0v1zRkkW1ni0gfgT801ashN yAQbkvF4BRZ0jBrVDJngxfwQH5mp4tHxVf+Mcy3pgvZIonpavCZ+SyjrW8lNiiE4W/U0 kN8A/20HYyjc5gCP154f0Suartn2FTjFiI9Jp/NwOavv9FoMN9eODS//WScFLR3lkeFy Vbzg== X-Gm-Message-State: ABy/qLY+X2dDCR5nyJ2ilToXMF8wuuxgJhmirFmCsMmAvbWHCF+SUHxW O9OAXgmS11GrJ5T0tPxUG8HJXxrGjL+/iORUs4s= X-Google-Smtp-Source: APBJJlGuc0vkNQFpBfr5S8ohkx89OKez5xdQwLvy0dCFMNpbd2aeeWhOV5OqZjE+XeOvDC6XBay7EQ== X-Received: by 2002:a05:6808:10d2:b0:3a1:e3ee:742a with SMTP id s18-20020a05680810d200b003a1e3ee742amr20748917ois.8.1689109291443; Tue, 11 Jul 2023 14:01:31 -0700 (PDT) Received: from rogue-one.tail33bf8.ts.net ([2804:14d:5c5e:44fb:d1e8:1b90:7e91:3217]) by smtp.gmail.com with ESMTPSA id d5-20020a05680808e500b003a1e965bf39sm1290575oic.2.2023.07.11.14.01.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jul 2023 14:01:31 -0700 (PDT) From: Pedro Tammela To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, shaozhengchao@huawei.com, victor@mojatatu.com, simon.horman@corigine.com, paolo.valente@unimore.it, Pedro Tammela Subject: [PATCH net v3 4/4] selftests: tc-testing: add test for qfq with stab overhead Date: Tue, 11 Jul 2023 18:01:03 -0300 Message-Id: <20230711210103.597831-5-pctammela@mojatatu.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230711210103.597831-1-pctammela@mojatatu.com> References: <20230711210103.597831-1-pctammela@mojatatu.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: kuba@kernel.org A packet with stab overhead greater than QFQ_MAX_LMAX should be dropped by the QFQ qdisc as it can't handle such lengths. Signed-off-by: Jamal Hadi Salim Signed-off-by: Pedro Tammela Reviewed-by: Simon Horman Tested-by: Zhengchao Shao --- .../tc-testing/tc-tests/qdiscs/qfq.json | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/qfq.json b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/qfq.json index 965da7622dac..976dffda4654 100644 --- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/qfq.json +++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/qfq.json @@ -261,5 +261,43 @@ "teardown": [ "$IP link del dev $DUMMY type dummy" ] + }, + { + "id": "5993", + "name": "QFQ with stab overhead greater than max packet len", + "category": [ + "qdisc", + "qfq", + "scapy" + ], + "plugins": { + "requires": [ + "nsPlugin", + "scapyPlugin" + ] + }, + "setup": [ + "$IP link add dev $DUMMY type dummy || /bin/true", + "$IP link set dev $DUMMY up || /bin/true", + "$TC qdisc add dev $DUMMY handle 1: stab mtu 2048 tsize 512 mpu 0 overhead 999999999 linklayer ethernet root qfq", + "$TC class add dev $DUMMY parent 1: classid 1:1 qfq weight 100", + "$TC qdisc add dev $DEV1 clsact", + "$TC filter add dev $DEV1 ingress protocol ip flower dst_ip 1.3.3.7/32 action mirred egress mirror dev $DUMMY" + ], + "cmdUnderTest": "$TC filter add dev $DUMMY parent 1: matchall classid 1:1", + "scapy": [ + { + "iface": "$DEV0", + "count": 22, + "packet": "Ether(type=0x800)/IP(src='10.0.0.10',dst='1.3.3.7')/TCP(sport=5000,dport=10)" + } + ], + "expExitCode": "0", + "verifyCmd": "$TC -s qdisc ls dev $DUMMY", + "matchPattern": "dropped 22", + "matchCount": "1", + "teardown": [ + "$TC qdisc del dev $DUMMY handle 1: root qfq" + ] } ]