Re: [PATCH net] sch_netem: acquire qdisc lock in netem_change()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Horman <simon.horman@corigine.com>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org, eric.dumazet@gmail.com,
	syzbot <syzkaller@googlegroups.com>,
	Stephen Hemminger <stephen@networkplumber.org>,
	Jamal Hadi Salim <jhs@mojatatu.com>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>
Subject: Re: [PATCH net] sch_netem: acquire qdisc lock in netem_change()
Date: Wed, 21 Jun 2023 16:51:29 +0200	[thread overview]
Message-ID: <ZJMOcaNLa8uGUWsL@corigine.com> (raw)
In-Reply-To: <20230620184425.1179809-1-edumazet@google.com>

On Tue, Jun 20, 2023 at 06:44:25PM +0000, Eric Dumazet wrote:
> syzbot managed to trigger a divide error [1] in netem.
> 
> It could happen if q->rate changes while netem_enqueue()
> is running, since q->rate is read twice.
> 
> It turns out netem_change() always lacked proper synchronization.
> 
> [1]
> divide error: 0000 [#1] SMP KASAN
> CPU: 1 PID: 7867 Comm: syz-executor.1 Not tainted 6.1.30-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
> RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
> RIP: 0010:packet_time_ns net/sched/sch_netem.c:357 [inline]
> RIP: 0010:netem_enqueue+0x2067/0x36d0 net/sched/sch_netem.c:576
> Code: 89 e2 48 69 da 00 ca 9a 3b 42 80 3c 28 00 4c 8b a4 24 88 00 00 00 74 0d 4c 89 e7 e8 c3 4f 3b fd 48 8b 4c 24 18 48 89 d8 31 d2 <49> f7 34 24 49 01 c7 4c 8b 64 24 48 4d 01 f7 4c 89 e3 48 c1 eb 03
> RSP: 0018:ffffc9000dccea60 EFLAGS: 00010246
> RAX: 000001a442624200 RBX: 000001a442624200 RCX: ffff888108a4f000
> RDX: 0000000000000000 RSI: 000000000000070d RDI: 000000000000070d
> RBP: ffffc9000dcceb90 R08: ffffffff849c5e26 R09: fffffbfff10e1297
> R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888108a4f358
> R13: dffffc0000000000 R14: 0000001a8cd9a7ec R15: 0000000000000000
> FS: 00007fa73fe18700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fa73fdf7718 CR3: 000000011d36e000 CR4: 0000000000350ee0
> Call Trace:
> <TASK>
> [<ffffffff84714385>] __dev_xmit_skb net/core/dev.c:3931 [inline]
> [<ffffffff84714385>] __dev_queue_xmit+0xcf5/0x3370 net/core/dev.c:4290
> [<ffffffff84d22df2>] dev_queue_xmit include/linux/netdevice.h:3030 [inline]
> [<ffffffff84d22df2>] neigh_hh_output include/net/neighbour.h:531 [inline]
> [<ffffffff84d22df2>] neigh_output include/net/neighbour.h:545 [inline]
> [<ffffffff84d22df2>] ip_finish_output2+0xb92/0x10d0 net/ipv4/ip_output.c:235
> [<ffffffff84d21e63>] __ip_finish_output+0xc3/0x2b0
> [<ffffffff84d10a81>] ip_finish_output+0x31/0x2a0 net/ipv4/ip_output.c:323
> [<ffffffff84d10f14>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
> [<ffffffff84d10f14>] ip_output+0x224/0x2a0 net/ipv4/ip_output.c:437
> [<ffffffff84d123b5>] dst_output include/net/dst.h:444 [inline]
> [<ffffffff84d123b5>] ip_local_out net/ipv4/ip_output.c:127 [inline]
> [<ffffffff84d123b5>] __ip_queue_xmit+0x1425/0x2000 net/ipv4/ip_output.c:542
> [<ffffffff84d12fdc>] ip_queue_xmit+0x4c/0x70 net/ipv4/ip_output.c:556
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Stephen Hemminger <stephen@networkplumber.org>
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Cc: Cong Wang <xiyou.wangcong@gmail.com>
> Cc: Jiri Pirko <jiri@resnulli.us>
> ---
>  net/sched/sch_netem.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Reviewed-by: Simon Horman <simon.horman@corigine.com>

next prev parent reply	other threads:[~2023-06-21 14:58 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-20 18:44 [PATCH net] sch_netem: acquire qdisc lock in netem_change() Eric Dumazet
2023-06-21 11:21 ` Jamal Hadi Salim
2023-06-21 14:51 ` Simon Horman [this message]
2023-06-22  9:20 ` patchwork-bot+netdevbpf
2023-06-22 16:31   ` Eric Dumazet

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZJMOcaNLa8uGUWsL@corigine.com \
    --to=simon.horman@corigine.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=eric.dumazet@gmail.com \
    --cc=jhs@mojatatu.com \
    --cc=jiri@resnulli.us \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=stephen@networkplumber.org \
    --cc=syzkaller@googlegroups.com \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.