From: Cong Wang
Subject: Re: size overflow in function qdisc_tree_decrease_qlen net/sched/sch_api.c
Date: Tue, 1 Dec 2015 14:47:24 -0800
To: Eric Dumazet
Cc: pageexec@freemail.hu, Daniele Fucini, netdev, Jamal Hadi Salim, David Miller, spender@grsecurity.net, re.emese@gmail.com

On Tue, Dec 1, 2015 at 2:33 PM, Eric Dumazet wrote:
> Hmm... it looks like we have a much more serious bug :
>
> qdisc_lookup() calls qdisc_match_from_root(dev->qdisc, handle) without
> proper lock being held, so we might actually crash the host,
> if qdisc_tree_decrease_qlen() happens at the time qdiscs are changed.
>
> qdisc_tree_decrease_qlen() needs serious care :(

Convert qdisc list to RCU protected?