From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <edumazet@google.com>
Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com
 [IPv6:2607:f8b0:4864:20::b35])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by lists.bufferbloat.net (Postfix) with ESMTPS id EF3BD3B2A4
 for <cake@lists.bufferbloat.net>; Wed, 31 Aug 2022 13:08:54 -0400 (EDT)
Received: by mail-yb1-xb35.google.com with SMTP id 130so5086130ybw.8
 for <cake@lists.bufferbloat.net>; Wed, 31 Aug 2022 10:08:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:from:to:cc;
 bh=zftIQ411D/F+q8QhoQwsILwL9NsdWWrYVbDr2LyC+Ag=;
 b=OQ7sKCmxPyWKCDN5gUarxjhFYd1O4pOph4TbiOP/usrlDrDxDZ/Lkqk4RvcIg1yqb2
 87Y598LALYgpF3y5oor4fgJv6Z9xgMYkaodCZbSQY9fD0FrPd8FbIs7uvzDQLnlzrkjX
 c01YOnh8XQbuuZa5detMGe6+1oJGccmePC9jwWaCKjQHP+Y6aGPK+QzBtgWlRsO4LUh7
 oa415oD6dIyw8872X+zSQiwBvCloZS4btS1yk1pmrMva8uIY7LAHOc0U1hYvpgyZbXWA
 A/fQ0qpLvy2jqNlznSadD4JgCkYxA5wLwB3ufQeOLKHQTyy9iC15CP1bw3EXIVumgoA3
 ALBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc;
 bh=zftIQ411D/F+q8QhoQwsILwL9NsdWWrYVbDr2LyC+Ag=;
 b=mMPYz4gayNmtOsrj0OEAopPiiA7UHOnH6geRrtN9aeiqCDwTM9HUinvSw1j9zC/boN
 veItRNFor8+hqm2R5G/YVkRY4xQU+poFd3YJLJQ/pxj2TOky9S22nOMtK8aJugZu0zfQ
 thk1xg20B3fnO80oRxenc0Z7+ISLFsJovUSxPqcnTYtWUpXPU49ZWiz1fJ8171MOZi3J
 CXVEU4EIFkBR5az5KzwN2GjsHnrUSb69qyRjukrfiDZyznKIvBW3eWLPoL8KO1aLWUcL
 DxBVmYyLMSsp3Ij0aq9PXHXb9zJGajXL0QVv/52VUFYLnrspOFLKi1h1P2XEIyAwa6p5
 zAgw==
X-Gm-Message-State: ACgBeo2lB11sefVTx9t8DrY2U8l5aciSqcnHd+s97j3cKGPlufF/uXW5
 bxX4cVF4iQhZ41NaT2XjFW1uCbcjfdzG9gP6Jx+k4Q==
X-Google-Smtp-Source: AA6agR4bpTI9OyQMRsa/Sv5Ts/rONTlAjKcYdn/SaPSeJ8HtCSTWSqVEIb5kQseLtBokc7e3e9iApAvkakWAKjEc28o=
X-Received: by 2002:a25:4291:0:b0:696:56f3:5934 with SMTP id
 p139-20020a254291000000b0069656f35934mr16104965yba.55.1661965733674; Wed, 31
 Aug 2022 10:08:53 -0700 (PDT)
MIME-Version: 1.0
References: <20220831092103.442868-1-toke@toke.dk>
In-Reply-To: <20220831092103.442868-1-toke@toke.dk>
From: Eric Dumazet <edumazet@google.com>
Date: Wed, 31 Aug 2022 10:08:42 -0700
Message-ID: <CANn89iKiJ91D7fELw9iKB4yCLaDj-WEv27wRS4PtLqM7oK8m=w@mail.gmail.com>
To: =?UTF-8?B?VG9rZSBIw7hpbGFuZC1Kw7hyZ2Vuc2Vu?= <toke@toke.dk>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>, Cong Wang <xiyou.wangcong@gmail.com>, 
 Jiri Pirko <jiri@resnulli.us>, "David S. Miller" <davem@davemloft.net>,
 Jakub Kicinski <kuba@kernel.org>, 
 Paolo Abeni <pabeni@redhat.com>, cake@lists.bufferbloat.net, 
 netdev <netdev@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Cake] [PATCH net] sch_cake: Return __NET_XMIT_STOLEN when
 consuming enqueued skb
X-BeenThere: cake@lists.bufferbloat.net
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Cake - FQ_codel the next generation <cake.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cake>,
 <mailto:cake-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cake>
List-Post: <mailto:cake@lists.bufferbloat.net>
List-Help: <mailto:cake-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cake>,
 <mailto:cake-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2022 17:08:55 -0000

On Wed, Aug 31, 2022 at 2:25 AM Toke H=C3=B8iland-J=C3=B8rgensen <toke@toke=
.dk> wrote:
>
> When the GSO splitting feature of sch_cake is enabled, GSO superpackets
> will be broken up and the resulting segments enqueued in place of the
> original skb. In this case, CAKE calls consume_skb() on the original skb,
> but still returns NET_XMIT_SUCCESS. This can confuse parent qdiscs into
> assuming the original skb still exists, when it really has been freed. Fi=
x
> this by adding the __NET_XMIT_STOLEN flag to the return value in this cas=
e.
>

I think you forgot to give credits to the team who discovered this issue.

Something like this

Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231



> Fixes: 0c850344d388 ("sch_cake: Conditionally split GSO segments")
> Signed-off-by: Toke H=C3=B8iland-J=C3=B8rgensen <toke@toke.dk>
> ---
>  net/sched/sch_cake.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
> index a43a58a73d09..a04928082e4a 100644
> --- a/net/sched/sch_cake.c
> +++ b/net/sched/sch_cake.c
> @@ -1713,6 +1713,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct=
 Qdisc *sch,
>         }
>         idx--;
>         flow =3D &b->flows[idx];
> +       ret =3D NET_XMIT_SUCCESS;
>
>         /* ensure shaper state isn't stale */
>         if (!b->tin_backlog) {
> @@ -1771,6 +1772,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct=
 Qdisc *sch,
>
>                 qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen);
>                 consume_skb(skb);
> +               ret |=3D __NET_XMIT_STOLEN;
>         } else {
>                 /* not splitting */
>                 cobalt_set_enqueue_time(skb, now);
> @@ -1904,7 +1906,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct=
 Qdisc *sch,
>                 }
>                 b->drop_overlimit +=3D dropped;
>         }
> -       return NET_XMIT_SUCCESS;
> +       return ret;
>  }
>
>  static struct sk_buff *cake_dequeue_one(struct Qdisc *sch)
> --
> 2.37.2
>