linux/net/sched
Frederick Lawler 96398560f2 net: sched: disallow noqueue for qdisc classes
While experimenting with applying noqueue to a classful queue discipline,
we discovered a NULL pointer dereference in the __dev_queue_xmit()
path that generates a kernel OOPS:

    # dev=enp0s5
    # tc qdisc replace dev $dev root handle 1: htb default 1
    # tc class add dev $dev parent 1: classid 1:1 htb rate 10mbit
    # tc qdisc add dev $dev parent 1:1 handle 10: noqueue
    # ping -I $dev -w 1 -c 1 1.1.1.1

[    2.172856] BUG: kernel NULL pointer dereference, address: 0000000000000000
[    2.173217] #PF: supervisor instruction fetch in kernel mode
...
[    2.178451] Call Trace:
[    2.178577]  <TASK>
[    2.178686]  htb_enqueue+0x1c8/0x370
[    2.178880]  dev_qdisc_enqueue+0x15/0x90
[    2.179093]  __dev_queue_xmit+0x798/0xd00
[    2.179305]  ? _raw_write_lock_bh+0xe/0x30
[    2.179522]  ? __local_bh_enable_ip+0x32/0x70
[    2.179759]  ? ___neigh_create+0x610/0x840
[    2.179968]  ? eth_header+0x21/0xc0
[    2.180144]  ip_finish_output2+0x15e/0x4f0
[    2.180348]  ? dst_output+0x30/0x30
[    2.180525]  ip_push_pending_frames+0x9d/0xb0
[    2.180739]  raw_sendmsg+0x601/0xcb0
[    2.180916]  ? _raw_spin_trylock+0xe/0x50
[    2.181112]  ? _raw_spin_unlock_irqrestore+0x16/0x30
[    2.181354]  ? get_page_from_freelist+0xcd6/0xdf0
[    2.181594]  ? sock_sendmsg+0x56/0x60
[    2.181781]  sock_sendmsg+0x56/0x60
[    2.181958]  __sys_sendto+0xf7/0x160
[    2.182139]  ? handle_mm_fault+0x6e/0x1d0
[    2.182366]  ? do_user_addr_fault+0x1e1/0x660
[    2.182627]  __x64_sys_sendto+0x1b/0x30
[    2.182881]  do_syscall_64+0x38/0x90
[    2.183085]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
...
[    2.187402]  </TASK>

Previously in commit d66d6c3152 ("net: sched: register noqueue
qdisc"), NULL was set for the noqueue discipline on noqueue init
so that __dev_queue_xmit() falls through for the noqueue case. This
also sets a bypass of the enqueue NULL check in the
register_qdisc() function for the struct noqueue_disc_ops.

Classful queue disciplines make it past the NULL check in
__dev_queue_xmit() because the discipline is set to htb (in this case),
and then in the call to __dev_xmit_skb(), it calls into htb_enqueue()
which grabs a leaf node for a class and then calls qdisc_enqueue() by
passing in a queue discipline which assumes ->enqueue() is not set to NULL.

Fix this by not allowing classes to be assigned to the noqueue
discipline. Linux TC Notes states that classes cannot be set to
the noqueue discipline. [1] Let's enforce that here.

Links:
1. https://linux-tc-notes.sourceforge.net/tc/doc/sch_noqueue.txt

Fixes: d66d6c3152 ("net: sched: register noqueue qdisc")
Cc: stable@vger.kernel.org
Signed-off-by: Frederick Lawler <fred@cloudflare.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/r/20230109163906.706000-1-fred@cloudflare.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-01-10 18:19:32 -08:00
..
act_api.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_bpf.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_connmark.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_csum.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_ct.c net: move the nat function to nf_nat_ovs for ovs and tc 2022-12-12 10:14:03 +00:00
act_ctinfo.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_gact.c Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
act_gate.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_ife.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_ipt.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_mpls.c net/sched: act_mpls: Fix warning during failed attribute validation 2023-01-09 19:38:35 -08:00
act_nat.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_pedit.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_police.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_sample.c Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
act_simple.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_skbedit.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_skbmod.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_tunnel_key.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_vlan.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_api.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_basic.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_bpf.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_cgroup.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_flow.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
cls_flower.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_fw.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_matchall.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_route.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_rsvp6.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_rsvp.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_rsvp.h net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_tcindex.c net: sched: fix memory leak in tcindex_set_parms 2022-12-26 08:58:33 +00:00
cls_u32.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
em_canid.c
em_cmp.c
em_ipset.c
em_ipt.c
em_meta.c net_sched: em_meta: add READ_ONCE() in var_sk_bound_if() 2022-05-16 10:31:06 +01:00
em_nbyte.c
em_text.c
em_u32.c
ematch.c net_sched: reject TCF_EM_SIMPLE case for complex ematch module 2022-12-19 09:43:18 +00:00
Kconfig net: move the nat function to nf_nat_ovs for ovs and tc 2022-12-12 10:14:03 +00:00
Makefile
sch_api.c net: sched: disallow noqueue for qdisc classes 2023-01-10 18:19:32 -08:00
sch_atm.c net: sched: atm: dont intepret cls results when asked to drop 2023-01-02 13:32:43 +00:00
sch_blackhole.c
sch_cake.c Networking fixes for 6.1-rc2, including fixes from netfilter 2022-10-20 17:24:59 -07:00
sch_cbq.c net: sched: cbq: dont intepret cls results when asked to drop 2023-01-02 13:32:43 +00:00
sch_cbs.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_choke.c treewide: use get_random_u32_below() instead of deprecated function 2022-11-18 02:15:15 +01:00
sch_codel.c net: sched: remove redundant NULL check in change hook function 2022-09-01 08:06:45 +02:00
sch_drr.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_dsmark.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_etf.c net: sched: etf: remove true check in etf_enable_offload() 2022-09-01 20:08:32 -07:00
sch_ets.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_fifo.c net_sched: fix NULL deref in fifo_set_limit() 2021-10-01 14:59:10 -07:00
sch_fq_codel.c Revert "net: sched: fq_codel: remove redundant resource cleanup in fq_codel_init()" 2022-10-19 13:47:09 +01:00
sch_fq_pie.c net: sched: remove redundant NULL check in change hook function 2022-09-01 08:06:45 +02:00
sch_fq.c net: sched: remove redundant NULL check in change hook function 2022-09-01 08:06:45 +02:00
sch_frag.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2021-12-31 14:35:40 +00:00
sch_generic.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-09-01 12:58:02 -07:00
sch_gred.c net: sched: gred: remove NULL check before free table->tab in gred_destroy() 2022-09-01 13:32:26 +02:00
sch_hfsc.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_hhf.c net: sched: remove redundant NULL check in change hook function 2022-09-01 08:06:45 +02:00
sch_htb.c net: sched: htb: fix htb_classify() kernel-doc 2023-01-02 13:34:48 +00:00
sch_ingress.c
sch_mq.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_mqprio.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_multiq.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_netem.c treewide: use get_random_u32_below() instead of deprecated function 2022-11-18 02:15:15 +01:00
sch_pie.c treewide: use get_random_bytes() when possible 2022-10-11 17:42:58 -06:00
sch_plug.c net: sched: remove redundant NULL check in change hook function 2022-09-01 08:06:45 +02:00
sch_prio.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_qfq.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_red.c net: sched: Fix use after free in red_enqueue() 2022-10-31 11:55:39 +00:00
sch_sfb.c Networking fixes for 6.1-rc2, including fixes from netfilter 2022-10-20 17:24:59 -07:00
sch_sfq.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_skbprio.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_taprio.c Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs" 2022-10-05 20:32:15 -07:00
sch_tbf.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_teql.c net: sched: delete duplicate cleanup of backlog and qlen 2022-08-25 15:10:17 +02:00