1. Patchew
  2. linux
  3. View series

[PATCH] fq_codel: Discard problematic packets with pkt_len 0

Di Zhu posted 1 patch 3 years, 10 months ago 
net/sched/sch_fq_codel.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH] fq_codel: Discard problematic packets with pkt_len 0
Posted by Di Zhu 3 years, 10 months ago 
Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
skbs, that is, the flow->head is null.
The root cause is that: when the first queued skb with pkt_len 0, backlogs
of the flow that this skb enqueued is still 0 and if sch->limit is set to
0 then fq_codel_drop() will be called. At this point, the backlogs of all
flows are all 0, so flow with idx 0 is selected to drop, but this flow have
not any skbs.
skb with pkt_len 0 can break existing processing logic, so just discard
these invalid skbs.

LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5

Reported-by: syzbot+7a12909485b94426aceb@syzkaller.appspotmail.com
Signed-off-by: Di Zhu <zhudi2@huawei.com>
---
 net/sched/sch_fq_codel.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 839e1235db05..c0f82b7358e1 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -191,6 +191,9 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 	unsigned int pkt_len;
 	bool memory_limited;
 
+	if (unlikely(!qdisc_pkt_len(skb)))
+		return qdisc_drop(skb, sch, to_free);
+
 	idx = fq_codel_classify(skb, sch, &ret);
 	if (idx == 0) {
 		if (ret & __NET_XMIT_BYPASS)
-- 
2.27.0
Re: [PATCH] fq_codel: Discard problematic packets with pkt_len 0
Posted by Eric Dumazet 3 years, 10 months ago 
On Fri, Jun 10, 2022 at 12:07 AM Di Zhu <zhudi2@huawei.com> wrote:
>
> Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
> skbs, that is, the flow->head is null.
> The root cause is that: when the first queued skb with pkt_len 0, backlogs
> of the flow that this skb enqueued is still 0 and if sch->limit is set to
> 0 then fq_codel_drop() will be called. At this point, the backlogs of all
> flows are all 0, so flow with idx 0 is selected to drop, but this flow have
> not any skbs.
> skb with pkt_len 0 can break existing processing logic, so just discard
> these invalid skbs.
>
> LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5
>
> Reported-by: syzbot+7a12909485b94426aceb@syzkaller.appspotmail.com
> Signed-off-by: Di Zhu <zhudi2@huawei.com>
> ---
>  net/sched/sch_fq_codel.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
> index 839e1235db05..c0f82b7358e1 100644
> --- a/net/sched/sch_fq_codel.c
> +++ b/net/sched/sch_fq_codel.c
> @@ -191,6 +191,9 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch,
>         unsigned int pkt_len;
>         bool memory_limited;
>
> +       if (unlikely(!qdisc_pkt_len(skb)))
> +               return qdisc_drop(skb, sch, to_free);
> +


This has been discussed in the past.

Feeding ndo_start_xmit() in hundreds of drivers with zero-length
packets will crash anyway.

We are not going to add such silly tests in all qdiscs, and then all
ndo_start_xmit(), since qdiscs are not mandatory.

Please instead fix BPF layer, instead of hundreds of drivers/qdiscs.
Re: [PATCH] fq_codel: Discard problematic packets with pkt_len 0
Posted by Eric Dumazet 3 years, 10 months ago 
On Fri, Jun 10, 2022 at 12:32 AM Eric Dumazet <edumazet@google.com> wrote:
>
> On Fri, Jun 10, 2022 at 12:07 AM Di Zhu <zhudi2@huawei.com> wrote:
> >
> > Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
> > skbs, that is, the flow->head is null.
> > The root cause is that: when the first queued skb with pkt_len 0, backlogs
> > of the flow that this skb enqueued is still 0 and if sch->limit is set to
> > 0 then fq_codel_drop() will be called. At this point, the backlogs of all
> > flows are all 0, so flow with idx 0 is selected to drop, but this flow have
> > not any skbs.
> > skb with pkt_len 0 can break existing processing logic, so just discard
> > these invalid skbs.
> >
> > LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5
> >
> > Reported-by: syzbot+7a12909485b94426aceb@syzkaller.appspotmail.com
> > Signed-off-by: Di Zhu <zhudi2@huawei.com>
> > ---
> >  net/sched/sch_fq_codel.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
> > index 839e1235db05..c0f82b7358e1 100644
> > --- a/net/sched/sch_fq_codel.c
> > +++ b/net/sched/sch_fq_codel.c
> > @@ -191,6 +191,9 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch,
> >         unsigned int pkt_len;
> >         bool memory_limited;
> >
> > +       if (unlikely(!qdisc_pkt_len(skb)))
> > +               return qdisc_drop(skb, sch, to_free);
> > +
>
>
> This has been discussed in the past.
>

https://www.spinics.net/lists/netdev/msg777503.html

> Feeding ndo_start_xmit() in hundreds of drivers with zero-length
> packets will crash anyway.
>
> We are not going to add such silly tests in all qdiscs, and then all
> ndo_start_xmit(), since qdiscs are not mandatory.
>
> Please instead fix BPF layer, instead of hundreds of drivers/qdiscs.
答复: [PATCH] fq_codel: Discard problematic packets with pkt_len 0
Posted by zhudi (E) 3 years, 10 months ago 
Thanks Eric, I'll take a look.


> On Fri, Jun 10, 2022 at 12:32 AM Eric Dumazet <edumazet@google.com> wrote:
> >
> > On Fri, Jun 10, 2022 at 12:07 AM Di Zhu <zhudi2@huawei.com> wrote:
> > >
> > > Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
> > > skbs, that is, the flow->head is null.
> > > The root cause is that: when the first queued skb with pkt_len 0, backlogs
> > > of the flow that this skb enqueued is still 0 and if sch->limit is set to
> > > 0 then fq_codel_drop() will be called. At this point, the backlogs of all
> > > flows are all 0, so flow with idx 0 is selected to drop, but this flow have
> > > not any skbs.
> > > skb with pkt_len 0 can break existing processing logic, so just discard
> > > these invalid skbs.
> > >
> > > LINK: [1]
> https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16e
> c96c5
> > >
> > > Reported-by: syzbot+7a12909485b94426aceb@syzkaller.appspotmail.com
> > > Signed-off-by: Di Zhu <zhudi2@huawei.com>
> > > ---
> > >  net/sched/sch_fq_codel.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
> > > index 839e1235db05..c0f82b7358e1 100644
> > > --- a/net/sched/sch_fq_codel.c
> > > +++ b/net/sched/sch_fq_codel.c
> > > @@ -191,6 +191,9 @@ static int fq_codel_enqueue(struct sk_buff *skb,
> struct Qdisc *sch,
> > >         unsigned int pkt_len;
> > >         bool memory_limited;
> > >
> > > +       if (unlikely(!qdisc_pkt_len(skb)))
> > > +               return qdisc_drop(skb, sch, to_free);
> > > +
> >
> >
> > This has been discussed in the past.
> >
> 
> https://www.spinics.net/lists/netdev/msg777503.html
> 
> > Feeding ndo_start_xmit() in hundreds of drivers with zero-length
> > packets will crash anyway.
> >
> > We are not going to add such silly tests in all qdiscs, and then all
> > ndo_start_xmit(), since qdiscs are not mandatory.
> >
> > Please instead fix BPF layer, instead of hundreds of drivers/qdiscs.

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.