[PATCH 5.4 43/60] sch_netem: acquire qdisc lock in netem_change()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, syzbot <syzkaller@googlegroups.com>,
	Eric Dumazet <edumazet@google.com>,
	Stephen Hemminger <stephen@networkplumber.org>,
	Jamal Hadi Salim <jhs@mojatatu.com>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>,
	Simon Horman <simon.horman@corigine.com>,
	Paolo Abeni <pabeni@redhat.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 43/60] sch_netem: acquire qdisc lock in netem_change()
Date: Mon, 26 Jun 2023 20:12:22 +0200	[thread overview]
Message-ID: <20230626180741.335312769@linuxfoundation.org> (raw)
In-Reply-To: <20230626180739.558575012@linuxfoundation.org>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 2174a08db80d1efeea382e25ac41c4e7511eb6d6 ]

syzbot managed to trigger a divide error [1] in netem.

It could happen if q->rate changes while netem_enqueue()
is running, since q->rate is read twice.

It turns out netem_change() always lacked proper synchronization.

[1]
divide error: 0000 [#1] SMP KASAN
CPU: 1 PID: 7867 Comm: syz-executor.1 Not tainted 6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
RIP: 0010:packet_time_ns net/sched/sch_netem.c:357 [inline]
RIP: 0010:netem_enqueue+0x2067/0x36d0 net/sched/sch_netem.c:576
Code: 89 e2 48 69 da 00 ca 9a 3b 42 80 3c 28 00 4c 8b a4 24 88 00 00 00 74 0d 4c 89 e7 e8 c3 4f 3b fd 48 8b 4c 24 18 48 89 d8 31 d2 <49> f7 34 24 49 01 c7 4c 8b 64 24 48 4d 01 f7 4c 89 e3 48 c1 eb 03
RSP: 0018:ffffc9000dccea60 EFLAGS: 00010246
RAX: 000001a442624200 RBX: 000001a442624200 RCX: ffff888108a4f000
RDX: 0000000000000000 RSI: 000000000000070d RDI: 000000000000070d
RBP: ffffc9000dcceb90 R08: ffffffff849c5e26 R09: fffffbfff10e1297
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888108a4f358
R13: dffffc0000000000 R14: 0000001a8cd9a7ec R15: 0000000000000000
FS: 00007fa73fe18700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa73fdf7718 CR3: 000000011d36e000 CR4: 0000000000350ee0
Call Trace:
<TASK>
[<ffffffff84714385>] __dev_xmit_skb net/core/dev.c:3931 [inline]
[<ffffffff84714385>] __dev_queue_xmit+0xcf5/0x3370 net/core/dev.c:4290
[<ffffffff84d22df2>] dev_queue_xmit include/linux/netdevice.h:3030 [inline]
[<ffffffff84d22df2>] neigh_hh_output include/net/neighbour.h:531 [inline]
[<ffffffff84d22df2>] neigh_output include/net/neighbour.h:545 [inline]
[<ffffffff84d22df2>] ip_finish_output2+0xb92/0x10d0 net/ipv4/ip_output.c:235
[<ffffffff84d21e63>] __ip_finish_output+0xc3/0x2b0
[<ffffffff84d10a81>] ip_finish_output+0x31/0x2a0 net/ipv4/ip_output.c:323
[<ffffffff84d10f14>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
[<ffffffff84d10f14>] ip_output+0x224/0x2a0 net/ipv4/ip_output.c:437
[<ffffffff84d123b5>] dst_output include/net/dst.h:444 [inline]
[<ffffffff84d123b5>] ip_local_out net/ipv4/ip_output.c:127 [inline]
[<ffffffff84d123b5>] __ip_queue_xmit+0x1425/0x2000 net/ipv4/ip_output.c:542
[<ffffffff84d12fdc>] ip_queue_xmit+0x4c/0x70 net/ipv4/ip_output.c:556

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/20230620184425.1179809-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_netem.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 1802f134aa407..69034c8cc3b86 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -969,6 +969,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
 	if (ret < 0)
 		return ret;
 
+	sch_tree_lock(sch);
 	/* backup q->clg and q->loss_model */
 	old_clg = q->clg;
 	old_loss_model = q->loss_model;
@@ -977,7 +978,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
 		ret = get_loss_clg(q, tb[TCA_NETEM_LOSS]);
 		if (ret) {
 			q->loss_model = old_loss_model;
-			return ret;
+			goto unlock;
 		}
 	} else {
 		q->loss_model = CLG_RANDOM;
@@ -1044,6 +1045,8 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
 	/* capping jitter to the range acceptable by tabledist() */
 	q->jitter = min_t(s64, abs(q->jitter), INT_MAX);
 
+unlock:
+	sch_tree_unlock(sch);
 	return ret;
 
 get_table_failure:
@@ -1053,7 +1056,8 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
 	 */
 	q->clg = old_clg;
 	q->loss_model = old_loss_model;
-	return ret;
+
+	goto unlock;
 }
 
 static int netem_init(struct Qdisc *sch, struct nlattr *opt,
-- 
2.39.2

next prev parent reply	other threads:[~2023-06-26 18:36 UTC|newest]

Thread overview: 66+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-26 18:11 [PATCH 5.4 00/60] 5.4.249-rc1 review Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 01/60] nilfs2: reject devices with insufficient block count Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 02/60] mm: rewrite wait_on_page_bit_common() logic Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 03/60] list: add "list_del_init_careful()" to go with "list_empty_careful()" Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 04/60] epoll: ep_autoremove_wake_function should use list_del_init_careful Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 05/60] tracing: Add tracing_reset_all_online_cpus_unlocked() function Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 06/60] x86/purgatory: remove PGO flags Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 07/60] tick/common: Align tick period during sched_timer setup Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 08/60] media: dvbdev: Fix memleak in dvb_register_device Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 09/60] media: dvbdev: fix error logic at dvb_register_device() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 10/60] media: dvb-core: Fix use-after-free due to race " Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 11/60] nilfs2: fix buffer corruption due to concurrent device reads Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 12/60] Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 13/60] PCI: hv: Fix a race condition bug in hv_pci_query_relations() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 14/60] cgroup: Do not corrupt task iteration when rebinding subsystem Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 15/60] mmc: meson-gx: remove redundant mmc_request_done() call from irq context Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 16/60] ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 17/60] writeback: fix dereferencing NULL mapping->host on writeback_page_template Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 18/60] nilfs2: prevent general protection fault in nilfs_clear_dirty_page() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 19/60] cifs: Clean up DFS referral cache Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.4 20/60] cifs: Get rid of kstrdup_const()d paths Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 21/60] cifs: Introduce helpers for finding TCP connection Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 22/60] cifs: Merge is_path_valid() into get_normalized_path() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 23/60] cifs: Fix potential deadlock when updating vol in cifs_reconnect() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 24/60] x86/mm: Avoid using set_pgd() outside of real PGD pages Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 25/60] rcu: Upgrade rcu_swap_protected() to rcu_replace_pointer() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 26/60] ieee802154: hwsim: Fix possible memory leaks Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 27/60] xfrm: Linearize the skb after offloading if needed Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 28/60] net: qca_spi: Avoid high load if QCA7000 is not available Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 29/60] mmc: mtk-sd: fix deferred probing Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 30/60] mmc: mvsdio: convert to devm_platform_ioremap_resource Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 31/60] mmc: mvsdio: fix deferred probing Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 32/60] mmc: omap: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 33/60] mmc: omap_hsmmc: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 34/60] mmc: sdhci-acpi: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 35/60] mmc: sh_mmcif: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 36/60] mmc: usdhi60rol0: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 37/60] ipvs: align inner_mac_header for encapsulation Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 38/60] net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 39/60] be2net: Extend xmit workaround to BE3 chip Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 40/60] netfilter: nf_tables: disallow element updates of bound anonymous sets Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 41/60] netfilter: nfnetlink_osf: fix module autoload Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 42/60] Revert "net: phy: dp83867: perform soft reset and retain established link" Greg Kroah-Hartman
2023-06-26 18:12 ` Greg Kroah-Hartman [this message]
2023-06-26 18:12 ` [PATCH 5.4 44/60] scsi: target: iscsi: Prevent login threads from racing between each other Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 45/60] HID: wacom: Add error check to wacom_parse_and_register() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 46/60] arm64: Add missing Set/Way CMO encodings Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 47/60] media: cec: core: dont set last_initiator if tx in progress Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 48/60] nfcsim.c: Fix error checking for debugfs_create_dir Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 49/60] usb: gadget: udc: fix NULL dereference in remove() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 50/60] s390/cio: unregister device when the only path is gone Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 51/60] ASoC: nau8824: Add quirk to active-high jack-detect Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 52/60] ARM: dts: Fix erroneous ADS touchscreen polarities Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 53/60] drm/exynos: vidi: fix a wrong error return Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 54/60] drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 55/60] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 56/60] x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 57/60] i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 58/60] mm: fix VM_BUG_ON(PageTail) and BUG_ON(PageWriteback) Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 59/60] mm: make wait_on_page_writeback() wait for multiple pending writebacks Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.4 60/60] xfs: verify buffer contents when we skip log replay Greg Kroah-Hartman
2023-06-27  9:04 ` [PATCH 5.4 00/60] 5.4.249-rc1 review Jon Hunter
2023-06-27 14:15 ` Harshit Mogalapalli
2023-06-27 20:10 ` Chris Paterson
2023-06-27 21:35 ` Guenter Roeck
2023-06-28  7:03 ` Naresh Kamboju

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:1802f134aa40 dfblob:69034c8cc3b8 )
 OR (
bs:"[PATCH 5.4 43/60] sch_netem: acquire qdisc lock in netem_change()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230626180741.335312769@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=edumazet@google.com \
    --cc=jhs@mojatatu.com \
    --cc=jiri@resnulli.us \
    --cc=pabeni@redhat.com \
    --cc=patches@lists.linux.dev \
    --cc=sashal@kernel.org \
    --cc=simon.horman@corigine.com \
    --cc=stable@vger.kernel.org \
    --cc=stephen@networkplumber.org \
    --cc=syzkaller@googlegroups.com \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.