From: Davide Caratti <dcaratti@redhat.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Vlad Buslov <vladbu@mellanox.com>,
"David S. Miller" <davem@davemloft.net>,
Linux Kernel Network Developers <netdev@vger.kernel.org>,
Lucas Bates <lucasb@mojatatu.com>
Subject: Re: [PATCH net] net/sched: flower: fix infinite loop in fl_walk()
Date: Thu, 20 Jun 2019 14:52:32 +0200 [thread overview]
Message-ID: <53b8c3118900b31536594e98952640c03a4456e0.camel@redhat.com> (raw)
In-Reply-To: <CAM_iQpUVJ9sG9ETE0zZ_azbDgWp_oi320nWy_g-uh2YJWYDOXw@mail.gmail.com>
hello Cong, thanks for reading.
On Wed, 2019-06-19 at 15:04 -0700, Cong Wang wrote:
> On Wed, Jun 19, 2019 at 2:10 PM Davide Caratti <dcaratti@redhat.com> wrote:
> > on some CPUs (e.g. i686), tcf_walker.cookie has the same size as the IDR.
> > In this situation, the following script:
> >
> > # tc filter add dev eth0 ingress handle 0xffffffff flower action ok
> > # tc filter show dev eth0 ingress
> >
> > results in an infinite loop. It happened also on other CPUs (e.g x86_64),
> > before commit 061775583e35 ("net: sched: flower: introduce reference
> > counting for filters"), because 'handle' + 1 made the u32 overflow before
> > it was assigned to 'cookie'; but that commit replaced the assignment with
> > a self-increment of 'cookie', so the problem was indirectly fixed.
>
> Interesting... Is this really specific to cls_flower? To me it looks like
> a bug of idr_*_ul() API's, especially for idr_for_each_entry_ul().
good question, I have to investigate this better (idr_for_each_entry_ul()
expands in a iteration of idr_get_next_ul()). It surely got in cls_flower
when it was converted to use IDRs, but it's true that there might be other
points in TC where IDR are used and the same pattern is present (see
below).
> Can you test if the following command has the same problem on i386?
>
> tc actions add action ok index 4294967295
the action is added, but then reading it back results in an infinite loop.
And again, the infinite loop happens on i686 and not on x86_64. I will try
to see where's the problem also here.
--
davide
next prev parent reply other threads:[~2019-06-20 12:52 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-19 21:09 [PATCH net] net/sched: flower: fix infinite loop in fl_walk() Davide Caratti
2019-06-19 22:04 ` Cong Wang
2019-06-20 12:52 ` Davide Caratti [this message]
2019-06-20 17:33 ` Cong Wang
2019-06-25 15:47 ` Davide Caratti
2019-06-25 16:23 ` Davide Caratti
2019-06-25 18:07 ` Cong Wang
2019-06-25 19:29 ` Cong Wang
2019-06-26 0:05 ` Cong Wang
2019-06-26 21:15 ` Cong Wang
2019-06-27 22:10 ` Davide Caratti
2019-06-28 1:24 ` Cong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53b8c3118900b31536594e98952640c03a4456e0.camel@redhat.com \
--to=dcaratti@redhat.com \
--cc=davem@davemloft.net \
--cc=lucasb@mojatatu.com \
--cc=netdev@vger.kernel.org \
--cc=vladbu@mellanox.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).