Date: Fri, 6 May 2022 16:34:43 -0700
From: Peilin Ye
To: Stephen Hemminger
Cc: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Hideaki YOSHIFUJI, David Ahern, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Peilin Ye, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Cong Wang
Subject: Re: [PATCH RFC v1 net-next 1/4] net: Introduce Qdisc backpressure infrastructure
Message-ID: <20220506233443.GA3336@bytedance>
In-Reply-To: <20220506133111.1d4bebf3@hermes.local>

Hi Stephen,

On Fri, May 06, 2022 at 01:31:11PM -0700, Stephen Hemminger wrote:
> On Fri, 6 May 2022 12:44:22 -0700, Peilin Ye wrote:
> > +static inline void qdisc_backpressure_overlimit(struct Qdisc *sch, struct sk_buff *skb) > > +{ > > + struct sock *sk = skb->sk; > > + > > + if (!sk || !sk_fullsock(sk)) > > + return; > > + > > + if (cmpxchg(&sk->sk_backpressure_status, SK_UNTHROTTLED, SK_OVERLIMIT) == SK_UNTHROTTLED) { > > + sock_hold(sk); > > + list_add_tail(&sk->sk_backpressure_node, &sch->backpressure_list); > > + } > > +}
>
> What if socket is closed? You are holding reference but application maybe gone.

Thanks for pointing this out!  I just understood how sk_refcnt works
together with sk_wmem_alloc.  By the time we process this in-flight skb,
sk_refcnt may have already reached 0, which means sk_free() may have
already decreased that "extra" 1 sk_wmem_alloc, so skb->destructor() may
call __sk_free() while I "hold" the sock here.  Seems like a UAF.

> Or if output is stalled indefinitely?

It would be better to do a cleanup in sock destroying code, but I am
trying to avoid acquiring Qdisc root_lock there.  I will try to come up
with a better solution.

Thanks,
Peilin Ye
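
Review bot: in qdisc_backpressure_overlimit(), sock_hold(sk) is called on skb->sk without checking that sk_refcnt is still non-zero. sk_fullsock() only looks at the socket state, so an in-flight skb whose socket has already dropped its last reference would have the count raised from zero and the socket linked on sch->backpressure_list while it is being freed. Consider taking the reference with refcount_inc_not_zero(&sk->sk_refcnt) before the cmpxchg() and returning when it fails, so that sk_backpressure_status is only set to SK_OVERLIMIT for a socket that is actually pinned. Separately, the list_add_tail() on sch->backpressure_list has no locking visible in this hunk; a comment or a lockdep assertion naming the lock the caller must hold would make the requirement explicit.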