On Tue, 22 Apr 2025 13:42:19 -0700 Cong Wang xiyou.wangcong@gmail.com wrote:
On Tue, Apr 22, 2025 at 07:20:24PM +0200, Holger Hoffstätte wrote:
(cc: Greg KH)
On 2025-04-22 18:51, Alan J. Wylie wrote:
On Mon, 21 Apr 2025 21:09:27 +0100 "Alan J. Wylie" alan@wylie.me.uk wrote:
On Mon, 21 Apr 2025 21:47:44 +0200 Holger Hoffstätte holger@applied-asynchrony.com wrote:
I'm afraid that didn't help. Same panic.
Bummer :-(
Might be something else missing then - so for now the only other thing I'd suggest is to revert the removal of the qlen check in fq_codel.
Like this?
$ git diff sch_fq_codel.c diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c index 6c9029f71e88..4fdf317b82ec 100644 --- a/net/sched/sch_fq_codel.c +++ b/net/sched/sch_fq_codel.c @@ -316,7 +316,7 @@ static struct sk_buff *fq_codel_dequeue(struct Qdisc *sch) qdisc_bstats_update(sch, skb); flow->deficit -= qdisc_pkt_len(skb);
if (q->cstats.drop_count) {
if (q->cstats.drop_count && sch->q.qlen) { qdisc_tree_reduce_backlog(sch,q->cstats.drop_count, q->cstats.drop_len); q->cstats.drop_count = 0; $
It's been about 21 hours and no crash yet. I had an excellent day down a cave, so there's not been as much Internet traffic as usual, but there's a good chance the above patch as at least worked around, if not fixed the issue.
Thought so .. \o/
I guess now the question is what to do about it. IIUC the fix series [1] addressed some kind of UAF problem, but obviously was not applied correctly or is missing follow-ups. It's also a bit mysterious why adding the HTB patch didn't work.
Maybe Cong Wang can advise what to do here?
I guess my patch caused some regression, I am still decoding the crashes reported here.
Meanwhile, if you could provide a reliable (and ideally minimum) reproducer, it would help me a lot to debug.
Thanks!
Sorry. No reproducer. The crashes seemed to be totally random.
I posted the script I use to set up tc in my initial report.
FYI, here's the resulting config.
# tc qdisc show qdisc noqueue 0: dev lo root refcnt 2 qdisc fq_codel 0: dev enp3s0 root refcnt 2 limit 10240p flows 1024 quantum 6014 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc fq_codel 0: dev enp4s0 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc fq_codel 0: dev enp5s6f0 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc noqueue 0: dev wlp5s7 root refcnt 2 qdisc noqueue 0: dev brdmz root refcnt 2 qdisc noqueue 0: dev heipv6 root refcnt 2 qdisc fq_codel 0: dev tun0 root refcnt 2 limit 10240p flows 1024 quantum 1464 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc htb 1: dev ppp0 root refcnt 2 r2q 10 default 0x11 direct_packets_stat 0 direct_qlen 3 qdisc fq_codel 824c: dev ppp0 parent 1:11 limit 10240p flows 1024 quantum 300 target 5ms interval 100ms memory_limit 32Mb drop_batch 64 qdisc ingress ffff: dev ppp0 parent ffff:fff1 ---------------- qdisc fq_codel 0: dev tun1 root refcnt 2 limit 10240p flows 1024 quantum 1500 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 qdisc htb 1: dev ppp0ifb0 root refcnt 2 r2q 20 default 0x11 direct_packets_stat 0 direct_qlen 32 qdisc fq_codel 824b: dev ppp0ifb0 parent 1:11 limit 10240p flows 1024 quantum 300 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64 #