[PATCH net] bonding: fix two race conditions in bond_store_updelay/downdelay

[PATCH net] bonding: fix two race conditions in bond_store_updelay/downdelay

[Nikolay Aleksandrov]

This patch fixes two race conditions between bond_store_updelay/downdelay
and bond_store_miimon which could lead to division by zero as miimon can
be set to 0 while either updelay/downdelay are being set and thus miss the
zero check in the beginning, the zero div happens because updelay/downdelay
are stored as new_value / bond->params.miimon. Use rtnl to synchronize with
miimon setting.

CC: Jay Vosburgh <fubar@us.ibm.com>
CC: Andy Gospodarek <andy@greyhouse.net>
CC: Veaceslav Falico <vfalico@redhat.com>
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
---
 drivers/net/bonding/bond_sysfs.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
index bc8fd36..8f8a607 100644
--- a/drivers/net/bonding/bond_sysfs.c
+++ b/drivers/net/bonding/bond_sysfs.c
@@ -701,6 +701,8 @@ static ssize_t bonding_store_downdelay(struct device *d,
 	int new_value, ret = count;
 	struct bonding *bond = to_bond(d);
 
+	if (!rtnl_trylock())
+		return restart_syscall();
 	if (!(bond->params.miimon)) {
 		pr_err("%s: Unable to set down delay as MII monitoring is disabled\n",
 		       bond->dev->name);
@@ -734,6 +736,7 @@ static ssize_t bonding_store_downdelay(struct device *d,
 	}
 
 out:
+	rtnl_unlock();
 	return ret;
 }
 static DEVICE_ATTR(downdelay, S_IRUGO | S_IWUSR,
@@ -756,6 +759,8 @@ static ssize_t bonding_store_updelay(struct device *d,
 	int new_value, ret = count;
 	struct bonding *bond = to_bond(d);
 
+	if (!rtnl_trylock())
+		return restart_syscall();
 	if (!(bond->params.miimon)) {
 		pr_err("%s: Unable to set up delay as MII monitoring is disabled\n",
 		       bond->dev->name);
@@ -789,6 +794,7 @@ static ssize_t bonding_store_updelay(struct device *d,
 	}
 
 out:
+	rtnl_unlock();
 	return ret;
 }
 static DEVICE_ATTR(updelay, S_IRUGO | S_IWUSR,
-- 
1.8.1.4

Re: [PATCH net] bonding: fix two race conditions in bond_store_updelay/downdelay

[Nikolay Aleksandrov]

On 11/13/2013 05:07 PM, Nikolay Aleksandrov wrote:
> This patch fixes two race conditions between bond_store_updelay/downdelay
> and bond_store_miimon which could lead to division by zero as miimon can
> be set to 0 while either updelay/downdelay are being set and thus miss the
> zero check in the beginning, the zero div happens because updelay/downdelay
> are stored as new_value / bond->params.miimon. Use rtnl to synchronize with
> miimon setting.
> 
> CC: Jay Vosburgh <fubar@us.ibm.com>
> CC: Andy Gospodarek <andy@greyhouse.net>
> CC: Veaceslav Falico <vfalico@redhat.com>
> Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
> ---

A little addition: these can also race with anything that sets miimon to 0,
currently beside store_miimon only store_arp_interval does that. But that is
also fixed because store_arp_interval uses rtnl.

Cheers,
 Nik

Re: [PATCH net] bonding: fix two race conditions in bond_store_updelay/downdelay

[Eric Dumazet]

On Wed, 2013-11-13 at 17:07 +0100, Nikolay Aleksandrov wrote:
> This patch fixes two race conditions between bond_store_updelay/downdelay
> and bond_store_miimon which could lead to division by zero as miimon can
> be set to 0 while either updelay/downdelay are being set and thus miss the
> zero check in the beginning, the zero div happens because updelay/downdelay
> are stored as new_value / bond->params.miimon. Use rtnl to synchronize with
> miimon setting.

It seems a bit heavy duty to take rtnl for this.

Using ACCESS_ONCE() in bonding_store_updelay()/bonding_store_downdelay()
should be enough ?

int miimon = ACCESS_ONCE(bond->params.miimon);

Re: [PATCH net] bonding: fix two race conditions in bond_store_updelay/downdelay

[Nikolay Aleksandrov]

On 11/13/2013 06:03 PM, Eric Dumazet wrote:
> On Wed, 2013-11-13 at 17:07 +0100, Nikolay Aleksandrov wrote:
>> This patch fixes two race conditions between bond_store_updelay/downdelay
>> and bond_store_miimon which could lead to division by zero as miimon can
>> be set to 0 while either updelay/downdelay are being set and thus miss the
>> zero check in the beginning, the zero div happens because updelay/downdelay
>> are stored as new_value / bond->params.miimon. Use rtnl to synchronize with
>> miimon setting.
> 
> It seems a bit heavy duty to take rtnl for this.
> 
> Using ACCESS_ONCE() in bonding_store_updelay()/bonding_store_downdelay()
> should be enough ?
> 
> int miimon = ACCESS_ONCE(bond->params.miimon);
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
Hi Eric,
I thought about this version too, but downdelay/updelay can be changed in other
places (e.g., store_miimon) and the resulting downdelay/updelay value might not
be the right one.
Correct me if I'm wrong, but this is what I have in mind (miimon = 100, updelay
= 200):
set miimon to 300 and concurrently set updelay to 400, we might endup leaving
updelay to 400 because the old value of miimon is used in the calculation in
store_updelay even though when changing miimon updelay/downdelay get adjusted,
they might get adjusted by store_updelay/downdelay to a wrong value afterwards.

 Nik

Re: [PATCH net] bonding: fix two race conditions in bond_store_updelay/downdelay

[Eric Dumazet]

On Wed, 2013-11-13 at 18:06 +0100, Nikolay Aleksandrov wrote:

> I thought about this version too, but downdelay/updelay can be changed in other
> places (e.g., store_miimon) and the resulting downdelay/updelay value might not
> be the right one.
> Correct me if I'm wrong, but this is what I have in mind (miimon = 100, updelay
> = 200):
> set miimon to 300 and concurrently set updelay to 400, we might endup leaving
> updelay to 400 because the old value of miimon is used in the calculation in
> store_updelay even though when changing miimon updelay/downdelay get adjusted,
> they might get adjusted by store_updelay/downdelay to a wrong value afterwards.

OK then ;)

Re: [PATCH net] bonding: fix two race conditions in bond_store_updelay/downdelay

[Ding Tianhong]

On 2013/11/14 1:06, Nikolay Aleksandrov wrote:
> On 11/13/2013 06:03 PM, Eric Dumazet wrote:
>> On Wed, 2013-11-13 at 17:07 +0100, Nikolay Aleksandrov wrote:
>>> This patch fixes two race conditions between bond_store_updelay/downdelay
>>> and bond_store_miimon which could lead to division by zero as miimon can
>>> be set to 0 while either updelay/downdelay are being set and thus miss the
>>> zero check in the beginning, the zero div happens because updelay/downdelay
>>> are stored as new_value / bond->params.miimon. Use rtnl to synchronize with
>>> miimon setting.
>>
>> It seems a bit heavy duty to take rtnl for this.
>>
>> Using ACCESS_ONCE() in bonding_store_updelay()/bonding_store_downdelay()
>> should be enough ?
>>
>> int miimon = ACCESS_ONCE(bond->params.miimon);
>>
>>
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
> Hi Eric,
> I thought about this version too, but downdelay/updelay can be changed in other
> places (e.g., store_miimon) and the resulting downdelay/updelay value might not
> be the right one.
> Correct me if I'm wrong, but this is what I have in mind (miimon = 100, updelay
> = 200):
> set miimon to 300 and concurrently set updelay to 400, we might endup leaving
> updelay to 400 because the old value of miimon is used in the calculation in
> store_updelay even though when changing miimon updelay/downdelay get adjusted,
> they might get adjusted by store_updelay/downdelay to a wrong value afterwards.
> 
>  Nik
> 
> 
agree, set miimon and set updelay may conflict.

> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 

Re: [PATCH net] bonding: fix two race conditions in bond_store_updelay/downdelay

[Veaceslav Falico]

On Wed, Nov 13, 2013 at 05:07:46PM +0100, Nikolay Aleksandrov wrote:
>This patch fixes two race conditions between bond_store_updelay/downdelay
>and bond_store_miimon which could lead to division by zero as miimon can
>be set to 0 while either updelay/downdelay are being set and thus miss the
>zero check in the beginning, the zero div happens because updelay/downdelay
>are stored as new_value / bond->params.miimon. Use rtnl to synchronize with
>miimon setting.
>
>CC: Jay Vosburgh <fubar@us.ibm.com>
>CC: Andy Gospodarek <andy@greyhouse.net>
>CC: Veaceslav Falico <vfalico@redhat.com>
>Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>

Nice, thanks! :)

Acked-by: Veaceslav Falico <vfalico@redhat.com>

>---
> drivers/net/bonding/bond_sysfs.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
>index bc8fd36..8f8a607 100644
>--- a/drivers/net/bonding/bond_sysfs.c
>+++ b/drivers/net/bonding/bond_sysfs.c
>@@ -701,6 +701,8 @@ static ssize_t bonding_store_downdelay(struct device *d,
> 	int new_value, ret = count;
> 	struct bonding *bond = to_bond(d);
>
>+	if (!rtnl_trylock())
>+		return restart_syscall();
> 	if (!(bond->params.miimon)) {
> 		pr_err("%s: Unable to set down delay as MII monitoring is disabled\n",
> 		       bond->dev->name);
>@@ -734,6 +736,7 @@ static ssize_t bonding_store_downdelay(struct device *d,
> 	}
>
> out:
>+	rtnl_unlock();
> 	return ret;
> }
> static DEVICE_ATTR(downdelay, S_IRUGO | S_IWUSR,
>@@ -756,6 +759,8 @@ static ssize_t bonding_store_updelay(struct device *d,
> 	int new_value, ret = count;
> 	struct bonding *bond = to_bond(d);
>
>+	if (!rtnl_trylock())
>+		return restart_syscall();
> 	if (!(bond->params.miimon)) {
> 		pr_err("%s: Unable to set up delay as MII monitoring is disabled\n",
> 		       bond->dev->name);
>@@ -789,6 +794,7 @@ static ssize_t bonding_store_updelay(struct device *d,
> 	}
>
> out:
>+	rtnl_unlock();
> 	return ret;
> }
> static DEVICE_ATTR(updelay, S_IRUGO | S_IWUSR,
>-- 
>1.8.1.4
>

Re: [PATCH net] bonding: fix two race conditions in bond_store_updelay/downdelay

[David Miller]

From: Nikolay Aleksandrov <nikolay@redhat.com>
Date: Wed, 13 Nov 2013 17:07:46 +0100

> This patch fixes two race conditions between bond_store_updelay/downdelay
> and bond_store_miimon which could lead to division by zero as miimon can
> be set to 0 while either updelay/downdelay are being set and thus miss the
> zero check in the beginning, the zero div happens because updelay/downdelay
> are stored as new_value / bond->params.miimon. Use rtnl to synchronize with
> miimon setting.
> 
> CC: Jay Vosburgh <fubar@us.ibm.com>
> CC: Andy Gospodarek <andy@greyhouse.net>
> CC: Veaceslav Falico <vfalico@redhat.com>
> Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>

Applied and queued up for -stable, thanks.