mirror of
https://github.com/torvalds/linux.git
synced 2026-05-13 00:28:54 +02:00
htb_lookup_leaf has a BUG_ON that can trigger with the following:
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 htb rate 64bit
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2:1 handle 3: blackhole
ping -I lo -c1 -W0.001 127.0.0.1
The root cause is the following:
1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on
the selected leaf qdisc
2. netem_dequeue calls enqueue on the child qdisc
3. blackhole_enqueue drops the packet and returns a value that is not
just NET_XMIT_SUCCESS
4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and
since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate ->
htb_deactivate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase
5. As this is the only class in the selected hprio rbtree,
__rb_change_child in __rb_erase_augmented sets the rb_root pointer to
NULL
6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,
which causes htb_dequeue_tree to call htb_lookup_leaf with the same
hprio rbtree, and fail the BUG_ON
The function graph for this scenario is shown here:
0) | htb_enqueue() {
0) + 13.635 us | netem_enqueue();
0) 4.719 us | htb_activate_prios();
0) # 2249.199 us | }
0) | htb_dequeue() {
0) 2.355 us | htb_lookup_leaf();
0) | netem_dequeue() {
0) + 11.061 us | blackhole_enqueue();
0) | qdisc_tree_reduce_backlog() {
0) | qdisc_lookup_rcu() {
0) 1.873 us | qdisc_match_from_root();
0) 6.292 us | }
0) 1.894 us | htb_search();
0) | htb_qlen_notify() {
0) 2.655 us | htb_deactivate_prios();
0) 6.933 us | }
0) + 25.227 us | }
0) 1.983 us | blackhole_dequeue();
0) + 86.553 us | }
0) # 2932.761 us | qdisc_warn_nonwc();
0) | htb_lookup_leaf() {
0) | BUG_ON();
------------------------------------------
The full original bug report can be seen here [1].
We can fix this just by returning NULL instead of the BUG_ON,
as htb_dequeue_tree returns NULL when htb_lookup_leaf returns
NULL.
[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/
Fixes:
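
The re-entrancy described in the commit message above, as an added user-space model (not kernel code and not part of the commit): the leaf's dequeue callback empties the row the caller is iterating, and the second lookup has to treat the empty row as a normal result. All struct and function names here are hypothetical simplifications.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model; names are hypothetical, not the kernel's. */
struct cls;
struct row { struct cls *root; int empty_lookups; };
struct cls { struct row *row; int qlen; };

/* Models steps 2-6: the child drops the packet on enqueue, the backlog
 * reaches 0, and the class is removed from its row during dequeue. */
static void *leaf_dequeue(struct cls *c)
{
    c->qlen = 0;
    c->row->root = NULL;  /* only class in the row: root becomes NULL */
    return NULL;          /* nothing is handed back to the parent */
}

/* Lookup with the behaviour the commit message describes for the fix:
 * an empty row yields NULL instead of a fatal assertion. */
static struct cls *lookup_leaf(struct row *r)
{
    if (!r->root) {
        r->empty_lookups++;  /* the pre-fix code would have stopped here */
        return NULL;
    }
    return r->root;
}

/* Caller loop: looks the leaf up again after a NULL dequeue. */
static void *dequeue_tree(struct row *r)
{
    struct cls *start, *c;
    void *pkt;

    start = c = lookup_leaf(r);
    do {
        if (!c)
            return NULL;      /* the caller already copes with NULL */
        pkt = leaf_dequeue(c);
        if (pkt)
            return pkt;
        c = lookup_leaf(r);   /* same row, now emptied by the callback */
    } while (c != start);
    return NULL;
}

/* One class, one row, one queued packet; returns the empty-lookup count. */
static int run_model(void)
{
    struct row r = { NULL, 0 };
    struct cls c = { &r, 1 };
    r.root = &c;
    return (dequeue_tree(&r) == NULL && r.root == NULL) ? r.empty_lookups : -1;
}

int main(void) { printf("empty-row lookups: %d\n", run_model()); return 0; }
```
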
| Name | | |
|---|---|---|
| act_api.c | ||
| act_bpf.c | ||
| act_connmark.c | ||
| act_csum.c | ||
| act_ct.c | ||
| act_ctinfo.c | ||
| act_gact.c | ||
| act_gate.c | ||
| act_ife.c | ||
| act_meta_mark.c | ||
| act_meta_skbprio.c | ||
| act_meta_skbtcindex.c | ||
| act_mirred.c | ||
| act_mpls.c | ||
| act_nat.c | ||
| act_pedit.c | ||
| act_police.c | ||
| act_sample.c | ||
| act_simple.c | ||
| act_skbedit.c | ||
| act_skbmod.c | ||
| act_tunnel_key.c | ||
| act_vlan.c | ||
| bpf_qdisc.c | ||
| cls_api.c | ||
| cls_basic.c | ||
| cls_bpf.c | ||
| cls_cgroup.c | ||
| cls_flow.c | ||
| cls_flower.c | ||
| cls_fw.c | ||
| cls_matchall.c | ||
| cls_route.c | ||
| cls_u32.c | ||
| em_canid.c | ||
| em_cmp.c | ||
| em_ipset.c | ||
| em_ipt.c | ||
| em_meta.c | ||
| em_nbyte.c | ||
| em_text.c | ||
| em_u32.c | ||
| ematch.c | ||
| Kconfig | ||
| Makefile | ||
| sch_api.c | ||
| sch_blackhole.c | ||
| sch_cake.c | ||
| sch_cbs.c | ||
| sch_choke.c | ||
| sch_codel.c | ||
| sch_drr.c | ||
| sch_etf.c | ||
| sch_ets.c | ||
| sch_fifo.c | ||
| sch_fq_codel.c | ||
| sch_fq_pie.c | ||
| sch_fq.c | ||
| sch_frag.c | ||
| sch_generic.c | ||
| sch_gred.c | ||
| sch_hfsc.c | ||
| sch_hhf.c | ||
| sch_htb.c | ||
| sch_ingress.c | ||
| sch_mq.c | ||
| sch_mqprio_lib.c | ||
| sch_mqprio_lib.h | ||
| sch_mqprio.c | ||
| sch_multiq.c | ||
| sch_netem.c | ||
| sch_pie.c | ||
| sch_plug.c | ||
| sch_prio.c | ||
| sch_qfq.c | ||
| sch_red.c | ||
| sch_sfb.c | ||
| sch_sfq.c | ||
| sch_skbprio.c | ||
| sch_taprio.c | ||
| sch_tbf.c | ||
| sch_teql.c | ||