If asked to drop a packet via TC_ACT_SHOT it is unsafe to
assume that res.class contains a valid pointer.
Signed-off-by: Ma Ke <[email protected]>
---
net/sched/sch_drr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c
index 19901e77cd3b..a535dc3b0e05 100644
--- a/net/sched/sch_drr.c
+++ b/net/sched/sch_drr.c
@@ -310,6 +310,8 @@ static struct drr_class *drr_classify(struct sk_buff *skb, struct Qdisc *sch,
fl = rcu_dereference_bh(q->filter_list);
result = tcf_classify(skb, NULL, fl, &res, false);
if (result >= 0) {
+ if (result == TC_ACT_SHOT)
+ return NULL;
#ifdef CONFIG_NET_CLS_ACT
switch (result) {
case TC_ACT_QUEUED:
@@ -317,8 +319,6 @@ static struct drr_class *drr_classify(struct sk_buff *skb, struct Qdisc *sch,
case TC_ACT_TRAP:
*qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN;
fallthrough;
- case TC_ACT_SHOT:
- return NULL;
}
#endif
cl = (struct drr_class *)res.class;
--
2.37.2
On 15/09/2023 15:20, Ma Ke wrote:
> If asked to drop a packet via TC_ACT_SHOT it is unsafe to
> assume that res.class contains a valid pointer.
>
> Signed-off-by: Ma Ke <[email protected]>
> ---
> net/sched/sch_drr.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c
> index 19901e77cd3b..a535dc3b0e05 100644
> --- a/net/sched/sch_drr.c
> +++ b/net/sched/sch_drr.c
> @@ -310,6 +310,8 @@ static struct drr_class *drr_classify(struct sk_buff *skb, struct Qdisc *sch,
> fl = rcu_dereference_bh(q->filter_list);
> result = tcf_classify(skb, NULL, fl, &res, false);
> if (result >= 0) {
> + if (result == TC_ACT_SHOT)
> + return NULL;
With CONFIG_NET_CLS_ACT undefined tcf_classify can only return
TC_ACT_UNSPEC and the if statement above is always false.
Do you have any real issue you are trying to fix?
> #ifdef CONFIG_NET_CLS_ACT
> switch (result) {
> case TC_ACT_QUEUED:
> @@ -317,8 +319,6 @@ static struct drr_class *drr_classify(struct sk_buff *skb, struct Qdisc *sch,
> case TC_ACT_TRAP:
> *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN;
> fallthrough;
> - case TC_ACT_SHOT:
> - return NULL;
> }
> #endif
> cl = (struct drr_class *)res.class;
On 15/09/2023 19:55, Jamal Hadi Salim wrote:
> On Fri, Sep 15, 2023 at 11:06 AM Eric Dumazet <[email protected]> wrote:
>>
>> On Fri, Sep 15, 2023 at 5:03 PM Pedro Tammela <[email protected]> wrote:
>>>
>>> On 15/09/2023 09:55, Eric Dumazet wrote:
>>>> On Fri, Sep 15, 2023 at 12:42 PM Ma Ke <[email protected]> wrote:
>>>>>
>>>>> If asked to drop a packet via TC_ACT_SHOT it is unsafe to
>>>>> assume res.class contains a valid pointer.
>>>>>
>>>>> Signed-off-by: Ma Ke <[email protected]>
>>>>> ---
>>>>> net/sched/sch_drr.c | 2 ++
>>>>> 1 file changed, 2 insertions(+)
>>>>>
>>>>> diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c
>>>>> index 19901e77cd3b..2b854cb6edf9 100644
>>>>> --- a/net/sched/sch_drr.c
>>>>> +++ b/net/sched/sch_drr.c
>>>>> @@ -309,6 +309,8 @@ static struct drr_class *drr_classify(struct sk_buff *skb, struct Qdisc *sch,
>>>>> *qerr = NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
>>>>> fl = rcu_dereference_bh(q->filter_list);
>>>>> result = tcf_classify(skb, NULL, fl, &res, false);
>>>>> + if (result == TC_ACT_SHOT)
>>>>> + return NULL;
>>>>> if (result >= 0) {
>>>>> #ifdef CONFIG_NET_CLS_ACT
>>>>> switch (result) {
>>>>> --
>>>>> 2.37.2
>>>>>
>>>>
>>>> I do not see a bug, TC_ACT_SHOT is handled in the switch (result) just fine
>>>> at line 320 ?
>>>
>>> Following the code path (with CONFIG_NET_CLS_ACT=n in mind), it looks
>>> like there are a couple of places which return TC_ACT_SHOT before
>>> calling any classifiers, which then would cause some qdiscs to look into
>>> a uninitialized 'struct tcf_result res'.
>>> I could be misreading it... But if it's the problem the author is trying
>>> to fix, the obvious way to do it would be:
>>> struct tcf_result res = {};
>>
>> CONFIG_NET_CLS_ACT=n, how come TC_ACT_SHOT could be used ?
>>
>> Can we get rid of CONFIG_NET_CLS_ACT, this seems obfuscation to me at
>> this point.
>
> The problem is the verdict vs return code are intermixed - not saying
> this was fixing anything useful.
> We discussed this in the past after/during commit
> caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12
> Victor worked on a patch to resolve that. Victor, maybe revive that
> patch and post as RFC?
Okk, will review, rebase on top of net-next and post.
cheers,
Victor
Hi Ma,
kernel test robot noticed the following build errors:
[auto build test ERROR on net-next/main]
[also build test ERROR on net/main linus/master v6.6-rc1 next-20230915]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Ma-Ke/net-sched-drr-dont-intepret-cls-results-when-asked-to-drop/20230915-223913
base: net-next/main
patch link: https://lore.kernel.org/r/20230915142056.3411330-1-make_ruc2021%40163.com
patch subject: [PATCH] net: sched: drr: dont intepret cls results when asked to drop
config: x86_64-rhel-8.3-rust (https://download.01.org/0day-ci/archive/20230916/[email protected]/config)
compiler: clang version 16.0.4 (https://github.com/llvm/llvm-project.git ae42196bc493ffe877a7e3dff8be32035dea4d07)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20230916/[email protected]/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <[email protected]>
| Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/
All errors (new ones prefixed by >>):
>> net/sched/sch_drr.c:321:4: error: fallthrough annotation does not directly precede switch label
fallthrough;
^
include/linux/compiler_attributes.h:227:41: note: expanded from macro 'fallthrough'
# define fallthrough __attribute__((__fallthrough__))
^
1 error generated.
vim +321 net/sched/sch_drr.c
13d2a1d2b032de Patrick McHardy 2008-11-20 293
13d2a1d2b032de Patrick McHardy 2008-11-20 294 static struct drr_class *drr_classify(struct sk_buff *skb, struct Qdisc *sch,
13d2a1d2b032de Patrick McHardy 2008-11-20 295 int *qerr)
13d2a1d2b032de Patrick McHardy 2008-11-20 296 {
13d2a1d2b032de Patrick McHardy 2008-11-20 297 struct drr_sched *q = qdisc_priv(sch);
13d2a1d2b032de Patrick McHardy 2008-11-20 298 struct drr_class *cl;
13d2a1d2b032de Patrick McHardy 2008-11-20 299 struct tcf_result res;
25d8c0d55f241c John Fastabend 2014-09-12 300 struct tcf_proto *fl;
13d2a1d2b032de Patrick McHardy 2008-11-20 301 int result;
13d2a1d2b032de Patrick McHardy 2008-11-20 302
13d2a1d2b032de Patrick McHardy 2008-11-20 303 if (TC_H_MAJ(skb->priority ^ sch->handle) == 0) {
13d2a1d2b032de Patrick McHardy 2008-11-20 304 cl = drr_find_class(sch, skb->priority);
13d2a1d2b032de Patrick McHardy 2008-11-20 305 if (cl != NULL)
13d2a1d2b032de Patrick McHardy 2008-11-20 306 return cl;
13d2a1d2b032de Patrick McHardy 2008-11-20 307 }
13d2a1d2b032de Patrick McHardy 2008-11-20 308
13d2a1d2b032de Patrick McHardy 2008-11-20 309 *qerr = NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
25d8c0d55f241c John Fastabend 2014-09-12 310 fl = rcu_dereference_bh(q->filter_list);
3aa2605594556c Davide Caratti 2021-07-28 311 result = tcf_classify(skb, NULL, fl, &res, false);
13d2a1d2b032de Patrick McHardy 2008-11-20 312 if (result >= 0) {
13abeaf39ca823 Ma Ke 2023-09-15 313 if (result == TC_ACT_SHOT)
13abeaf39ca823 Ma Ke 2023-09-15 314 return NULL;
13d2a1d2b032de Patrick McHardy 2008-11-20 315 #ifdef CONFIG_NET_CLS_ACT
13d2a1d2b032de Patrick McHardy 2008-11-20 316 switch (result) {
13d2a1d2b032de Patrick McHardy 2008-11-20 317 case TC_ACT_QUEUED:
13d2a1d2b032de Patrick McHardy 2008-11-20 318 case TC_ACT_STOLEN:
e25ea21ffa66a0 Jiri Pirko 2017-06-06 319 case TC_ACT_TRAP:
13d2a1d2b032de Patrick McHardy 2008-11-20 320 *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN;
964201de695b8a Gustavo A. R. Silva 2020-07-07 @321 fallthrough;
13d2a1d2b032de Patrick McHardy 2008-11-20 322 }
13d2a1d2b032de Patrick McHardy 2008-11-20 323 #endif
13d2a1d2b032de Patrick McHardy 2008-11-20 324 cl = (struct drr_class *)res.class;
13d2a1d2b032de Patrick McHardy 2008-11-20 325 if (cl == NULL)
13d2a1d2b032de Patrick McHardy 2008-11-20 326 cl = drr_find_class(sch, res.classid);
13d2a1d2b032de Patrick McHardy 2008-11-20 327 return cl;
13d2a1d2b032de Patrick McHardy 2008-11-20 328 }
13d2a1d2b032de Patrick McHardy 2008-11-20 329 return NULL;
13d2a1d2b032de Patrick McHardy 2008-11-20 330 }
13d2a1d2b032de Patrick McHardy 2008-11-20 331
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki